Penetration testing vs. vulnerability scanning
The question of how much a professionally performed penetration test costs is not so easy to answer. There are many factors that influence the price. However, one thing must be said in advance: even a very expensive penetration test is much cheaper than an undiscovered vulnerability exploited by hackers. The financial damage caused by the failure of critical systems, the loss of company data, claims for damages from customers and the costs of repairing the damage is often considerably higher. Therefore, regular pentests should have their place in the budget of every IT manager.
A penetration test (also called ‘pentest’ in technical jargon) is a comprehensive IT security test in which a certified penetration tester uses the means and methods of a real hacker to find security gaps and vulnerabilities in the client’s systems and applications. A penetration test is more time-consuming and goes beyond an automatic vulnerability scan, as numerous manual steps are necessary to provide high-quality information. Therefore, do not allow a vulnerability scan to be sold to you as a supposedly inexpensive pentest!
The time required and the expertise of the tester determine the price.
In general, the costs of a penetration test depend on the effort and technical expertise required for execution. The time required depends on what type of pentest is carried out, how it is designed in detail, and what individual security needs and special requirements the client has.
The type of pentest and the implementation concept play a major role.
If the test is limited to a single web application (so-called web application pentest), the effort is typically considerably less than if the test covers the complete infrastructure of the client with a large number of systems and users (so-called infrastructure pentest). If cloud systems are integrated into the infrastructure, the complexity increases further. The following applies: the larger and more complex the test object, the more effort the pentester must expend.
In addition to the test object, the client must determine on which information basis the penetration tester should approach the test, how “aggressive” the tester should be and which techniques should be used or excluded. A study by the German Federal Office for Information Security (BSI) provides a good overview of possible implementation concepts. The following applies here: the more in-depth and detailed the testing, the more expensive it becomes.
Every company has individual security needs. The more critical the systems, the more sensitive the company data and the greater the compliance requirements in the client’s industry, the more attack vectors the pentester should cover. A good IT security service provider will work with you to define the test object and the implementation concept together, so that you can expect an optimal cost-benefit ratio.
If the client has special wishes, such as a detailed on-site presentation of the final report or the implementation outside business hours, this increases the effort and is reflected accordingly in the price.
Daily rate for qualified pentesters
In order to carry out a professional pentest, IT security specialists with high qualifications and many years of experience are required. They have to undergo continuous training in order to keep up with the rapid developments and new attack methods of cybercriminals. The daily rates start at about 1000 Euro. For an extensive pentest covering a test object of average scope and complexity, approx. 5 test days are required, which means that you have to expect costs of at least 5000 €.
How you can save costs
In order to keep costs under control, but still obtain high-quality results, I recommend the following to you:
- Find a service provider who will take the time to determine an appropriate scope of testing and depth of testing.
- Ask for a sample report to get a good impression of how well the results are presented.
- Specialized providers with low fixed costs and a mature concept can pass on cost advantages to you.
- Prepare yourself according to the pentester’s instructions and create ideal conditions (adherence to agreed deadlines, availability of an easily reachable contact person, etc.).
- Forget about on-site presentations and instead have the results presented to you via video conference.
Regular penetration testing by external experts is important. The costs for this vary from case to case, depending on what is being tested, how it is tested and what special knowledge is required to carry it out. Costs of at least 1000 € per test day are to be expected. In light of the increasing threat situation, however, these are to be seen as a good investment. When choosing a service provider, make sure that they meet your individual requirements.