Cost factor: Duration of the penetration test
In IT security, it is generally the case that the more time an attacker has to achieve a specific goal (for example, finding a critical issue), the more likely it becomes that the goal will be achieved within that time. Conversely, a penetration test that is allowed to last twice as long will deliver more and, above all, more solid results.
More time allows the pentesters to better understand the systems being attacked and thus often discover more subtle vulnerabilities.
Cost factor: Complexity of the target system
A target system can be a simple web application with only a few functions. However, it can also be a complex Software-as-a-Service platform that has various interfaces, APIs and user groups. Testing the latter simply takes longer and is more complex.
This statement can be generalized and applied to mobile applications, networks, buildings and other digital or physical systems. The more complex the system is in structure, size and range of functions, as well as existing security measures, the more time is required.
Cost factor: Depth and type of testing
Penetration tests are generally conducted as black box, grey box, or white box tests. The level of knowledge with which a pentest provider enters the project also influences the costs of the test; the time needed to familiarize oneself with, for example, existing source code, documentation, and similar should not be neglected.
In general, there are various nuances between a strictly manual and a fully automated penetration test that influence the costs. A fully automated test is usually cheaper, but also less meaningful.
Cost factor: Report and meetings
It is often overlooked how much time writing a meaningful report can take. Depending on the type of penetration test, the reporting alone can consume up to 15% of the entire budget.
The same applies to meetings during the penetration test as well as after it. Systems that the client has not prepared well for a test often require additional, avoidable communication with technicians. On-site appointments also cost more than online meetings.
Penetration test costs of example projects
The examples shown here are real projects; note that in each case the complexity and scope can be smaller or larger. The prices are only meant to provide a guideline and can vary greatly.
CMS with custom components
A classic example of this would be a WordPress/WooCommerce shop with custom plugins and a custom theme. The software quality in this area often leaves much to be desired. Testing the entire CMS doesn't make sense, nor does a black box approach. It would make more sense to go through and examine the source code of the truly relevant components.
Budget: 1000.00 to 3000.00 USD
SaaS platforms with user groups
The case here would be, for example, a Software-as-a-Service platform developed in .NET or Java, which has 2-3 different user groups. Generally, the complexity is in the middle range and there is little data processing. Data is not made available to other services via an API. The client desires a black box approach and provides test accounts for each user group.
Budget: 4000.00 to 8000.00 USD
Multi-tenant SaaS platform with API
A complex platform with various user roles, user rights management, and multi-tenant capability. The platform offers functions for uploading and processing various file types. Login via SSO/MFA. There is a complex API that can be used by third-party providers. The grey box approach is chosen. The source code of the app is not available, but documentation of all functions as well as the API is provided. See SaaS Penetration Testing.
Budget: 7500.00 to 20000.00 USD
How can you reduce the costs for a penetration test?
So far, we have been able to find a suitable solution for every budget and every project. However, there are things you as a client can do to reduce the costs of a penetration test, or rather, to get more out of the results for the same budget.
Proper preparation
We often find that systems are not prepared for a penetration test. There may be no demo/test system available, or it may be empty and lack relevant data to thoroughly and correctly test certain functions. The penetration tester should not have to ensure that all necessary and correct data is available.
Prioritization
Especially when the budget is smaller, it is worth considering which functions might be problematic and to prioritize testing these, thereby focusing on severe and critical vulnerabilities. For projects with large infrastructure, it is also important to know in advance where an attack could cause the most damage.
Report and Meeting
Is a summary for management important? Wouldn't a brief list of all findings—briefly explained and with proof of concept—suffice? The time we spend writing the report could also be spent conducting a more thorough and in-depth penetration test.
Regularity
During the first penetration test, the contractor and client need to get to know each other. We need to familiarize ourselves and get to know all the systems. With regular repetition of penetration tests by the same team, this part can often be skipped, allowing for more efficient and focused work.
FAQ: Penetration testing cost
What factors affect pentest costs?
The main factors that influence the costs are the duration of the test, the complexity of the target system, the depth and type of testing, and the effort required for reports and meetings.
Does the choice of pentest type influence the costs?
Yes, a black box test requires less specific prior knowledge, whereas grey box and white box tests require a deeper familiarization with documents and source code. They are therefore generally more expensive.
Why is it important to prepare the system to be tested well for a penetration test?
It saves time and money. Make sure that the penetration tester has all the necessary information and access rights to carry out the test. It is a shame if time is wasted gathering relevant information.
Is a meeting necessary after the penetration test and does it affect the costs?
It is not necessary. If the report is clear enough, a meeting can be dispensed with, because of course it takes time and increases the cost of the penetration test.
What role do regular repetitions of penetration tests play in cost optimization?
If a penetration tester already knows the system from the past, he does not have to spend an unnecessary amount of time familiarizing himself with it. He is then faster and can concentrate on new vulnerabilities.
Does the team size influence the cost of a penetration test?
Yes, a pentest that has to be carried out by 5 people in parallel is of course more expensive than a test that is carried out by just one person. However, most pentests get by with 1-2 people.
How exactly is the duration of a penetration test estimated?
Depending on the scope, one possibility is to take the number of targets into account when estimating the pentest costs. Other variables can be the number of IP addresses, the number of services, the number of routes in web applications, the size of the API, and the number of parameters in HTTP requests.
Can you save on pentest costs if you do without a report?
Yes, if you are only interested in the technical details, we are happy to do without a report and provide all the necessary information, for example via Slack/e-mail as text files or similar.
Can I influence the costs of the penetration test with the depth of the test?
Of course. Penetration tests can be carried out superficially or in depth. The deeper the test, the more time and therefore money is required.