There is a saying that you can get it good, fast, or cheap, but you can only pick one. Well, when it comes to penetration testing, if you choose cheap, it might be fast, or it might be good but it won’t be deep.
There are many reasons why an organization may choose a cheap penetration testing option. It could be that they simply need an external party to stamp their name on a report, because they have a client request. It could be that there is not much budget, or it is not a high-priority asset or application. Whatever the reason for choosing a cheap penetration test, it is important to keep in mind the many pitfalls that may come with selecting price over quality.
How Cheap is Cheap?
Before getting into details on what you may or may not get with a cheap penetration test, let’s define what may be too cheap, and identify some red flags your organization should be watching for.
A penetration test with a total cost of $15,000 may be a high-quality test for consultancy A and a cheap penetration test for consultancy B. How can the same penetration test across two different consultancies be the same price and of different quality?
Hourly rates vary drastically from one consultancy to another and from one region to another. Quite simply, at a fixed price, the higher the hourly rate, the fewer hours of effort will be applied to the penetration test. Keep this in mind when talking to companies about their cost and reviewing cheap penetration tests: look for a lower hourly rate, so that your organization gets more of the tester's time on the engagement.
A leading indicator of the likely quality of a cheap test is the amount of time the testing organization devotes to it. Every penetration test is time-boxed, so the more time devoted, the deeper the test will be. It is more important to look at the total effort, and whether it is too small, than at the price alone.
In general, anything under one business week, or 40 hours of work, will provide only limited testing and is too cheap or too short.
Anything shorter than this indicates that the engagement is no more than a scan-and-report exercise, which is not a penetration test.
What do you Get With a Cheap Penetration Test?
A cheap penetration test should include all the same components and deliverables as a more expensive penetration test, with a much smaller time-box for the testing itself. When reviewing proposals, make sure that all components are included, especially time allocated to exploitation, as that is the key difference between a vulnerability assessment and a penetration test.
What your organization will most likely be getting with a lower-cost penetration test is fewer hours devoted to manual exploitation. In many cases, a company that can offer a lower-cost test will be leveraging more automation and internal tools to help keep the hours lower and cost lower for your organization.
Internal or External?
Internal and external penetration testing services require very different levels of effort. For example, an internal penetration test will in most cases include a vulnerability assessment with credentialed scanning, while an external penetration test will only scan for vulnerabilities without credentials. Internal vulnerability assessments will often cover network switches, firewalls, and administrative consoles, while external penetration testing services only see what is externally visible.
How might the scope difference affect pricing? It is a good rule of thumb to expect internal security testing services to cost more than external testing. No matter your organization, it is likely that you have twice as many systems or assets accessible internally as you do externally, and that is being extremely conservative. It is not uncommon to see the difference be more than 10x on the internal network compared to the external network.
Because of this, a penetration testing service that includes both the internal and external systems will be significantly more expensive. Keep a close eye on the total effort allocated if your organization is contracting for both at the same time, as this will be the indicator of the quality and depth of the testing services.
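The cost-versus-effort reasoning above (same price, different hourly rate, a 40-hour floor, exploitation time allocated, and the heavier internal scope) is easy to turn into a proposal checklist. The following is an added example, not code from the article or any vendor; the three sample proposals and their rates are constructed, and the "each scope clears the floor on its own" rule for combined internal/external engagements is an assumption drawn from the article's one-week floor, not something the article states.

```python
from dataclasses import dataclass

# Floor from the article: under one business week (40h) is a scan-and-report, not a pentest.
MIN_HOURS = 40.0


@dataclass
class Proposal:
    vendor: str
    total_cost: float        # fixed price quoted for the engagement
    hourly_rate: float       # vendor's blended hourly rate
    scopes: tuple            # e.g. ("external",) or ("internal", "external")
    exploitation_hours: float = 0.0   # hours explicitly allocated to manual exploitation

    def total_hours(self) -> float:
        """Effort the price actually buys: same price, higher rate, fewer hours."""
        return self.total_cost / self.hourly_rate


def red_flags(p: Proposal) -> list[str]:
    """Return the article's warning signs that apply to a proposal (empty list = none)."""
    flags = []
    hours = p.total_hours()
    if hours < MIN_HOURS:
        flags.append(f"{hours:.1f}h total effort is under {MIN_HOURS:.0f}h: expect scan-and-report")
    if p.exploitation_hours <= 0:
        flags.append("no hours allocated to exploitation: a vulnerability assessment, not a pentest")
    # Assumption (not stated by the article): when internal and external are bought together,
    # each scope should still clear the one-week floor on its own, since internal networks
    # carry many times more assets than the external footprint.
    if len(p.scopes) > 1 and hours / len(p.scopes) < MIN_HOURS:
        flags.append(f"{hours:.1f}h split across {len(p.scopes)} scopes leaves under {MIN_HOURS:.0f}h each")
    return flags


def rank_by_effort(proposals: list[Proposal]) -> list[str]:
    """Vendor names ordered by hours delivered, most effort first."""
    return [p.vendor for p in sorted(proposals, key=lambda p: p.total_hours(), reverse=True)]


# Constructed sample proposals: three consultancies quoting the same $15,000 at different rates.
PROPOSALS = [
    Proposal("Consultancy A", 15000, 150, ("external",), exploitation_hours=30),
    Proposal("Consultancy B", 15000, 400, ("external",), exploitation_hours=0),
    Proposal("Consultancy C", 15000, 250, ("internal", "external"), exploitation_hours=20),
]

if __name__ == "__main__":
    for p in PROPOSALS:
        print(f"{p.vendor}: {p.total_hours():.1f}h -> {red_flags(p) or ['no red flags']}")
```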
What Don’t You Get?
As hinted at in previous sections, there are many vendors that will offer a cheap penetration test that is not actually a penetration test. In many cases, these companies are only running commercially available automated tools and producing a report.
Beyond conversations with pentest vendors to determine whether this is their approach, one way to identify it is to ask for a sample report. Unfortunately, in many cases the vendor does not bother to modify the default report output of the commercial tool, which makes it easy to spot.
Beyond the risk of paying for and not getting a penetration test, there are a few other things your organization should expect when paying for a low-cost penetration test. Essentially, there will not be many bells and whistles included in the engagement, starting with less hand-holding and fewer conversations about scope, report, and findings. These add expense and time to the test, so a vendor providing a cheaper solution will streamline them and will most likely only work via email.
Reports will be a standard output with little to no customization. As for project management, there most likely will not be a report walkthrough or any additional time allocated for questions and answers related to findings. Expect to get testing and a report, and that is about it.
Who is a Cheap Penetration Test Right for?
Quite simply, there is no one-size-fits-all penetration test. As was covered earlier in the article, there are good reasons for an organization to engage a vendor for a cheaper penetration test, but there are also organizations that should not.
If an organization has a robust security program that is performing patch and vulnerability management, a lower-cost penetration test would be an ideal solution. Ideally, the organization has internal penetration testing capabilities to make sure that deeper testing is being performed and to augment the external penetration testing.
Further, if the organization has strong internal capabilities to understand the results, saving costs on the report and report walk-through would be acceptable. For an organization that is mature and has a strong internal security team, a cheap penetration test can be used to provide a third-party report to external customers and partners.
There are many organizations that think that they are saving costs and helping the organization better protect itself by engaging in a cheap penetration test. This can be detrimental to organizations that do not have a strong security program or internal resources that can drive improvement in security posture.
Obtaining a cheap penetration test that is small in effort, limited in scope, or just poorly run may give leadership a false sense of security. The organization may well end up more insecure and more prone to a breach, because the testing suggests that further investment in security is not needed. Always evaluate internal capabilities and investment, as these tests can provide a false narrative of where the organization should invest.
Where do you Find a Cheap Penetration Test Provider?
There are vendors in the space known for providing lower-cost penetration tests. Some of the terms or marketing material to look for when identifying those companies are testing priced by tier or by ‘technical’ capability.
This approach to pricing often leads to the ability to pick a tier that better fits your budget. Another term to look for is credit-based testing. Often these vendors provide the ability to purchase a set of credits that can be applied to penetration testing, and these credits are usually inexpensive. More credits equate to more effort.
Beyond the marketing terms, other ways to find cheap penetration testing are to engage independent consultants who have experience and may be working on the side. In this case, you can often find a highly skilled tester for half the hourly rate of a large consultancy. Further, look for small, local firms to work with. This is a great way to support a local company and obtain a lower-cost test.
Beyond local, international firms can come in at a lower cost. A pentest vendor utilizing resources located in India or the Philippines may provide a lower-cost solution versus using a domestic vendor.
Can’t You Just Get a Good Pen Test at a Low Cost?
Penetration testing is nuanced and often expensive. Though the value that it can provide to your organization may not be readily obvious, it is a critical component of securing assets and data for any organization. Many pros and cons of cheap penetration testing have been covered in this article. But, when push comes to shove, saving costs is something every organization will strive to achieve.
Below are some additional ways to get creative in how your organization can save costs on penetration testing:
- Utilize your incident response retainer company. This is committed spend and often comes with a lower hourly rate that can be applied to services like penetration testing.
- As previously discussed, engage independent consultants to perform testing.
- Consider hiring an internal penetration tester, if multiple tests are required. The skills required to do penetration testing can provide immense value beyond the penetration testing engagements to your organization.
- Get a client to pay for it. If a client or potential client is asking for it, write the cost or portion of the cost into the contract.