It seems like every day we hear about another security breach that damages a company’s reputation. IT professionals are at the forefront of a constant battleground of new threats, new compliance regulations, and new phishing schemes.
Many companies have turned to penetration testing to make sure they are doing everything they can to protect themselves from attackers. But you may be wondering, what is the cost associated with such an effort?
What is a pen test?
A penetration test, or pen test, represents an objective assessment by an outside company to expose security weaknesses and vulnerabilities. By poking through your systems and infrastructure, a pen test can demonstrate the ways attackers might be able to bypass your security so that you can patch those vulnerabilities before an attacker exploits them.
It’s sometimes called “ethical hacking” because it employs techniques similar to those the bad guys, attackers, would use to break into your systems and do damage. In this case, the good guys, security defense, are working for you to patch any security holes the attackers could find.
How much does a pen test cost?
Honestly, it’s tough to answer this question until you define the scope of your project and what specifically needs to be tested. The cost of a pen test really depends on how big your company is, the breadth of your systems, and what you want to accomplish.
Common Types of Pen Tests
- Application tests, including mobile and website
- Network tests, including routing issues, firewalls, port scanning, FTP, secure sockets
- Wireless tests, including wireless networks and access points
- Physical tests, including brute-force and on-site attacks
- Social engineering tests, including phishing attacks and impersonations
- Cloud tests, including cloud storage and document handling
There are a few factors that determine the cost of your pen test:
- Length of engagement
- Experience of the tester
As you can see, the scope of your system test will help determine the cost. Complex systems with extensive data will take more time to test. The number of connected devices, access points, physical locations, networks, IP addresses, and various security layers will all play a role in determining a fair price.
Cost also depends on whether you want penetration testing to be a one-time thing, an on-going service, or an engagement that re-tests systems after you make the necessary changes to safeguard your operations and your network.
Other factors that determine your cost include the tools required for the pen test and the experience of the tester.
How do I choose a pen test provider?
Like any other vendor, you want to make sure a cybersecurity services vendor can provide references and show you real results from past testing. The most experienced testers will cost more but are better able to quickly diagnose issues and offer suggestions. You will want to evaluate their expertise and determine a fit for your systems and your industry. For example, someone that is well-versed in Windows pen tests may not be the right fit if you’re running MacOS systems.
Make sure the pen tester has the right tools for the job. While there may be added cost in order to use those correct tools, this setup can lead to better overall testing results and shorter testing times. Some testing can be automated, but understanding the results and developing solutions require having an experienced analyst.
Compliance and Certification
If you work in an industry that requires strict adherence to regulations, such as Sarbanes-Oxley, PCI DSS, NIST, FISMA, HIPAA, or GLBA, you will want to make sure the people performing your pen test are qualified to do so and familiar with the laws. Depending on your needs, you may require experts who can also certify your security measures.
So, how much does a pen test really cost?
Smaller operations that need a penetration test may pay a few thousand dollars. Larger, more complex organizations can easily spend six-figures to do a full-scale system test.
The true cost really depends on the depth of the project and the scope of what you need. But generally it’s agreed that pen testing is more dependent on quality as opposed to price.
Want more? Learn pretty much everything you need to know about pen testing or learn about pen testing hidden costs and risks.
Featured Image: iStock.com/Jirapong Manustrong