Penetration Testing, You Get What You Pay For

If you are a small community bank and someone is offering to do network level penetration testing for 1 or 2 firewalls for $1,500, that’s a reasonable bid. If however, you have a load balanced web application running on 3 or 4 front end servers, 4 application servers and a database cluster with multiple user roles, the costs should be much, much higher.

The first thing to remember is that vulnerability scanning is all automated. Don’t let someone sell you a vulnerability scan as a penetration test. Ethical hacking or penetration testing, is largely a manual process. If during your vendor evaluation a vendor says a penetration test is going to take 5 days but only charges $2,000, a red flag should go up. How is that possible? That’s not much more than Geek Squad rates. Nothing against Geek Squad but they are hardly business class IT support, much less information security experts.

If this is truly penetration testing, these costs should be much higher. Ask the vendor to explain their testing process. How much is automated vs manual. Ask what certifications they have that are specific to penetration testing. I’ll be frank with you. I’m a Certified Information Systems Security Professional (CISSP) with 20 years of experience and our team of penetration testers at HBS that have the Certified Ethical Hacker (CEH) or GIAC Penetration Tester (GPEN) certifications can run circles around me in this area of information security.

The last thing you want is to base your assurance of information security on a faulty penetration test. Take some time and ask questions. Compare the answers from multiple vendors. Contact a local ISSA chapter and ask someone there to give the quotes a quick glance for you. There is a lot of confusion in the market place about this topic so make sure to do that extra bit of due diligence to ensure your money is being well spent.