There is a saying that you can get it good, fast, or cheap, but you can only pick one. Well, when it comes to penetration testing, if you choose cheap, it might be fast, or it might be good but it won’t be deep.
There are many reasons why an organization may choose a cheap penetration testing option. It could be that they simply need an external party to stamp their name on a report, because they have a client request. It could be that there is not much budget, or it is not a high-priority asset or application. Whatever the reason for choosing a cheap penetration test, it is important to keep in mind the many pitfalls that may come with selecting price over quality.
- How Cheap is Cheap?
- What do you Get With a Cheap Penetration Test?
- Internal or External?
- What Don't You Get?
- The Risks of Cheap Penetration Testing
- Who is a Cheap Penetration Test Right for?
- Where do you Find a Cheap Penetration Test Provider?
- Can’t You Just Get a Good Pen Test at a Low Cost?
How Cheap is Cheap?
Before getting into details on what you may or may not get with a cheap penetration test, let’s define what may be too cheap, and identify some red flags your organization should be watching for.
A penetration test with a total cost of $15,000 may be a high-quality test for consultancy A and a cheap penetration test for consultancy B. How can the same penetration test across two different consultancies be the same price and of different quality?
Factors like hourly rates can vary drastically from one consultancy to another and from one region to another. Quite simply, for a fixed budget, the higher the hourly rate, the fewer hours of effort will be applied to the penetration test. This is something to keep in mind when talking to companies about their cost and reviewing cheap penetration tests. Look for a lower hourly rate, so that your organization gets more of the tester's time spent conducting the test.
A leading indicator of the likely quality of a cheap test is the amount of time the vendor devotes to it. Every penetration test is a time-boxed exercise, so the more time devoted, the deeper the test will be. Rather than focusing on the price alone, look at the total effort allocated and ask whether it is too small.
In general, anything under 1 business week, or 40 hours of work, will provide limited testing and is too cheap or short.
Anything shorter than this amount of time will indicate that the penetration test is no more than a scan and report test, which is not a penetration test.
What do you Get With a Cheap Penetration Test?
A cheap penetration test should include all the same components and deliverables as a more expensive penetration test with a much smaller time-boxed approach to testing. When reviewing proposals, make sure that all components are included, especially time allocated to exploitation, as that is the key difference between a vulnerability assessment and a penetration test.
What your organization will most likely be getting with a lower-cost penetration test is fewer hours devoted to manual exploitation. In many cases, a company that can offer a lower-cost test will be leveraging more automation and internal tools to help keep the hours lower and cost lower for your organization.
Internal or External?
Internal and external penetration testing services require very different levels of effort. For example, an internal penetration test will in most cases include a vulnerability assessment with credentialed scanning, whereas an external penetration test will only perform scanning to identify vulnerabilities without credentials. Internal vulnerability assessments will often include network switches, firewalls, and administrative consoles, while external penetration testing services only see what is externally visible.
How might the scope difference affect pricing? It is a good rule of thumb to expect internal security testing services to cost more than external testing. No matter your organization, it is likely that you have twice as many systems or assets accessible internally as you do externally, and that is an extremely conservative estimate. It is not uncommon to see the difference be north of 10x more on the internal network than on the external network.
Because of this, a penetration testing service that includes both the internal and external systems will be significantly more expensive. Keep a close eye on the total effort allocated if your organization is contracting for both at the same time, as this will be the indicator of the quality and depth of the testing services.
What Don’t You Get?
As has been hinted at in previous sections, there are many vendors that will offer a cheap penetration test that is not actually a penetration test. In many cases, these companies are only running commercially available automated tools and producing a report.
Beyond conversations with pentest vendors to determine if this is their approach, a way to identify if this is what is happening is to ask for a report. Unfortunately, in many cases, the vendor does not bother to modify the report output from the commercial tool default, and it will be easy to identify.
Beyond the risk of paying for and not getting a penetration test, there are a few other things that your organization should expect when paying for a low-cost penetration test. Essentially, there will not be a lot of bells and whistles included in the testing engagement, starting with less hand-holding and fewer conversations about scope, the report, and findings. These add expense and time to the test, so a vendor providing a cheaper solution will streamline them and will most likely only work via email.
Reports will be a standard output with little to no customization. As for project management, there most likely will not be a report walkthrough or any additional time allocated for questions and answers related to findings. Expect to get testing and a report, and that is about it.
The Risks of Cheap Penetration Testing
Lowering the budget for your penetration test comes with risks that are worth understanding. In our view, the primary risks of a cheap pentest are:
Risk 1: Inaccurate Results
The main risk of opting for cheap penetration testing services is the possibility of obtaining inaccurate results. Inexperience, insufficient training, or the use of outdated methodologies by low-cost service providers may lead to a superficial analysis of your organization’s security infrastructure. On paper, your pentest will be done, and executives or key stakeholders might believe the organization is ticking this security box, but the assurance you’ve received could be misleading.
Inaccurate results can be particularly damaging as they may give the impression that vulnerabilities have been addressed when, in fact, they still exist. This false sense of security can expose businesses to cyberattacks that result in significant financial and reputational damage. Additionally, such results can distract the organization’s security team from identifying and addressing actual risks, leading to wasted resources.
A lack of comprehensive reporting and proper documentation may also accompany cheap penetration testing services. Limited reporting may impede your organization’s ability to fully understand the discovered vulnerabilities and implement the necessary remediation strategies. This further exacerbates the risk posed by inaccurate results, as it compounds the difficulty of addressing even the limited number of issues that were identified.
Inaccurate results from cheap penetration testing not only undermine the overall effectiveness of your organization’s cybersecurity efforts but also have the potential to lull you into a dangerous sense of complacency. By investing in more reliable and thorough penetration testing services, you can mitigate these risks and provide more meaningful, longer-lasting assurance to stakeholders.
Risk 2: Limited Scope of Testing
Another problem is the limited scope of cheap pentesting. Inadequate resources, time constraints, and insufficient expertise can lead to a narrow focus, potentially overlooking critical security vulnerabilities. This risk leaves companies exposed to threats, as untested or mismanaged aspects of their infrastructure can serve as entry points for attackers.
Another issue that arises from limited-scope testing is the lack of proper validation for discovered vulnerabilities. Limited testing may result in either false positives or false negatives, leading to wasted resources on non-existent issues or missing real vulnerabilities. This can have serious consequences, as businesses may unnecessarily invest in addressing low-risk issues while overlooking high-risk security gaps.
Finally, there is the issue of compliance. Many firms contract a cheap pentest as a tick-the-box exercise to win a new contract or pass a due diligence check. But the same organization, 1 year down the line, realizes it needs to meet a new compliance requirement and that the cheap pentest it ordered doesn’t meet the standard. Now the organization has to invest in a new, more comprehensive pentest anyway (not to mention arranging it, performing due diligence on the vendor, and starting a new contract).
Put another way, a cheap pentest can be a short-term saving but a long-term liability.
Who is a Cheap Penetration Test Right for?
Quite simply, there is no one-size-fits-all penetration test. As was covered earlier in the article, there are good reasons for an organization to engage a vendor for a cheaper penetration test, but there are also organizations that should not.
If an organization has a robust security program that is performing patch and vulnerability management, a lower-cost penetration test would be an ideal solution. Ideally, the organization has internal penetration testing capabilities to make sure that deeper testing is being performed and to augment the external penetration testing.
Further, if the organization has strong internal capabilities to understand the results, saving costs on the report and report walk-through would be acceptable. For an organization that is mature and has a strong internal security team, a cheap penetration test can be used to provide a third-party report to external customers and partners.
There are many organizations that think that they are saving costs and helping the organization better protect itself by engaging in a cheap penetration test. This can be detrimental to organizations that do not have a strong security program or internal resources that can drive improvement in security posture.
Paradoxically then, the organizations that have the least to gain from a cheap penetration test are those smaller firms with lower budgets and less mature security programs. Unfortunately, these companies are often the ones seeking a low-cost test.
Obtaining a cheap penetration test that is small in effort, limited in scope, or just poorly run may give leadership a false sense of security. The organization may well end up less secure and more prone to a breach, because the testing suggests that further investment in security is not needed. Always evaluate internal capabilities and investment, as these tests can provide a false narrative of where the organization should invest.
Where do you Find a Cheap Penetration Test Provider?
There are vendors in the space known for providing lower-cost penetration tests. Some of the terms or marketing material that can help you identify those companies are testing priced by tier or by ‘technical’ capability.
This approach to pricing often leads to the ability to pick a tier that better fits your budget. Another term to look for is credit-based testing. Often these vendors provide the ability to purchase a set of credits that can be applied to penetration testing, and these credits are usually inexpensive. More credits equate to more effort.
Beyond the marketing terms, another way to find cheap penetration testing is to engage experienced independent consultants who may be working on the side. In this case, you can often find a highly skilled tester for half the hourly rate of a large consultancy. Further, look for small, local firms to work with. This is a great way to support a local company and obtain a lower-cost test.
Beyond local, international firms can come in at a lower cost. A pentest vendor utilizing resources located in India or the Philippines may provide a lower-cost solution versus using a domestic vendor.
Can’t You Just Get a Good Pen Test at a Low Cost?
Penetration testing is nuanced and often expensive. Though the value that it can provide to your organization may not be readily obvious, it is a critical component of securing assets and data for any organization. Many pros and cons of cheap penetration testing have been covered in this article. But, when push comes to shove, saving costs is something every organization will strive to achieve.
Below are some additional ways to get creative in how your organization can save costs on penetration testing:
- Utilize your incident response retainer company. This is committed spend and often comes with a lower hourly rate that can be applied to services like penetration testing.
- As previously discussed, engage independent consultants to perform testing.
- Consider hiring a penetration tester internally, if multiple tests are required. The skills required to do penetration testing can provide immense value beyond the penetration testing engagements to your organization.
- Get a client to pay for it. If a client or potential client is asking for it, write the cost or portion of the cost into the contract.