Reasonable price for penetration testing?

Checking some prices and it's crazy expensive.. anyone know any reasonable companies out there that can throw up an official looking "passed" document ;)

Comments

  • Gotta ask for a quote.. we're not talking like 10k usd are we?

  • ehab Member

    f++k+++ is always expensive.

  • darvil said: Gotta ask for a quote.. we're not talking like 10k usd are we?

    No normally it would be quite a bit more.

  • drserver Member, Host Rep

    250 usd per hour is what you can expect

  • Security is expensive

    Price will vary on the size of the target and depth you want

    At a certain scale, might be worth it to hire someone, instead of contracting the job

    Really depends on your situation

  • Harambe Member, Host Rep

    @drserver said:
    250 usd per hour is what you can expect

    Dammit, you stole my line.

  • MicroSerum said: At a certain scale, might be worth it to hire someone, instead of contracting the job

    The idea is to have outside review, with the hope of catching anything your internal team may have missed. If you're a huge organization (e.g. Amazon or Google) with serious internal security engineering, you might not go for outside audits, but even then you can still miss stuff and those companies tend to have bug bounty programs and pay out on them regularly.

  • cpsd Member

    It would be interesting to see some LET prices here for our small projects :)

  • FHR Member, Host Rep

    If you want dirt cheap penetration testing, I have a feeling most testers will just run Nessus and call it a day.

    What sort of testing did you have in mind? Whitebox, greybox or blackbox? Do you want a "real" pentest or just someone who runs a tool and then writes a flashy looking report?

  • SplitIce Member, Host Rep

    @FHR the latter I'd say

    darvil said: throw up an official looking "passed" document

  • willie Member
    edited August 2019

    They don't want to do that because if they miss something and you get pwned from it, they look bad. They always want to break your stuff. Among other things that shows you that you did the right thing by hiring them.

  • Levi Member

    Change approach to a problem: pay per bug found. Bounties.

  • It helps if the bounties you pay are more than the value of the exploits, and if you are basically big enough to self-insure like Google. Part of the idea of audits is to give you some backup that your code wasn't crap, in the event that something happens. Bounties don't really do that.

  • Levi Member

    @willie Bounties don't really do that.

    Bounties imitate real world hack attempts more like code audit. But yea, you are correct, at least first there should be source code evaluation.

  • darvil said: throw up an official looking "passed" document

    I can do that for $7. Payment by Bitcoin. Payment first.

  • I won't let myself get penetrated for less than 7 USD. I am classy.

  • raindog308 Administrator, Veteran

    LTniger said: Change approach to a problem: pay per bug found. Bounties.

    Maybe OP is talking about something different... to me, a pen test is "I have a DC or network, you are outside it, try to get in". The company may do no software development but wants someone to test their network, see if they have vulnerable web apps, see if girl friday will double-click on the invoice.exe attachment, etc.

  • Don't forget the USB stick dropped in the parking lot.

  • jh Member
    edited August 2019

    I only know one company that does it for less than about $10k and they're badly managed and rely somewhat on students. If you don't want to spend that, I would just hire an experienced developer to do a code review.

  • It's okay to charge +-$15k to be done in 2 months' time, at least where I live anyway. Although it will depend heavily on the project's scope and time. Better to ask for a quotation.
