Red Team penetration testing engagements are usually longer in duration than a standard penetration test, and considerably more expensive. For Red Team security engagements, organizations should expect the pricing to start from $10,000.
A low level, standard penetration test might cost a minimum of $5,000. But red team pen tests leverage multiple testers into a single engagement, spanning multiple attack surfaces and attack methods, with multiple intrusion attempts over an extended duration.
Black-box, white-box, and gray-box example engagements are ideal for compliance mandates like PCI-DSS, HIPAA, CCPA, and GDPR average costs between $4,000 to $35,000. These engagements typically are completed within 7 to 10 days.
Red Team penetration testing costs between $10,000 to $85,000 and typically runs for several weeks. In many cases, the red team could be in “stealth” quiet mode for the initial part of the engagement to avoid chances of detection by corporate employees and partners.
This article will break down the main factors that affect the cost of a red team assessment. If your firm is considering one, the article should assist with your due diligence and make selecting a vendor simpler.
(IMPORTANT: This free PDF report shows pricing data from 10 real penetration testing contracts so your firm can gauge costs and avoid overpaying for your own tests.)
- Why Is A Red Team Assessment More Valuable Than A Pen Test?
- Scope For Red Team Assessment
- Cost Benchmarking
- How Much Do Costs Vary From One Vendor To The Next?
- How to Reduce Red Team Penetration Testing Costs
- Costs Of Red Team Penetration Testing Vs Benefits
Why Is A Red Team Assessment More Valuable Than A Pen Test?
First, it is essential to understand that a Red Team assessment is not a penetration test. Red Team assessments take longer, are far more thorough, and as a result, cost more. Red team engagements tend to be more detailed with several layers of rules for engagement.
Red Team testers are assigned sub-groups focusing on separate attack vectors, including social engineering, internal infrastructure security, exploiting lateral movement between VLANs, SaaS applications, and identity management.
Red team penetration testing tends to cross several areas within the organization, and, rather than simply document vulnerabilities and how they were breached, provide insights into the response capabilities of the existing security program.
Scope For Red Team Assessment
Red Team penetration testing methodology covers tactics and techniques to attempt real-time attacks on an organization. Red team penetration testing activities follow the ATT&CK Framework, a popular knowledge base of adversary tactics, techniques, and procedures (TTP) based on real red and blue teams’ actual experiences.
A red team’s cyber kill chain will break down the attack into identifiable stages. This methodology covers the following steps:
- Reconnaissance – Scan several areas of the environment to determine interconnecting vulnerabilities and exposure.
- Payload & Delivery – Ability to deliver a malicious payload of malware, ransomware, and viruses across parts of the environment leveraging email, social media, and web content as a rogue delivery tool.
- Exploitation – Which are the risk areas of the environment most vulnerable to exploitation?
- Installation – The ability to add rogue devices, including WIFI, servers, and Internet of Things devices, without being detected across several parts of the environment.
- Command & Control – Are exploited endpoints and servers receiving rogue communication instructions from hackers’ online command and control services?
- Actions on Objectives – Do the response capabilities and defense mechanisms work as expected across the environment?
- Post Engagement Reporting – Did the post-engagement report provide remediation recommendations, including improvements to existing adaptive control and response capabilities, security measures, and incident response protocols.
As a broad benchmark, Red Team assessments can cost between $10,000 to $85,000 depending on the scale of the project, the timeline, expectations of remediation, and the requirement to retest.
Below we break down each of these cost factors and how they’re likely to affect the cost of your red team engagement.
Cost Factor #1: Time And Scale Of The Engagement
Red Team assessments could span between 14 days to several weeks. The duration of the test – that is, how many hours the vendor commits to the assessment – is the primary factor in the pricing of the engagement.
Red Team assessments typically have several layers within the engagement that require various amounts of effort, time, and personnel. Some of the critical areas of the engagement that impact the time and scope include:
Reconnaissance – This engagement stage could scale up or down depending on the scope and time allocation. This component could take several weeks to complete if the engagement calls for several reconnaissance engagements across the internal and external networks and the cloud presence.
NOTE: See cybersecurity vendors with expertise in cloud security here.
Exploitation – Based on the discoveries of the reconnaissance phase, the scope and time for exploitation could expand into several days and weeks. This part of the assessment is done in a quiet mode without alarming or impacting any production systems or users.
Command & Control – After completing the exploitation stage, the Red Team determines the number of endpoints impacted. This has a huge cost implication. The effort and duration required in subsequent phases of the assessment could increase or decrease based on how many of the endpoints the Red Team was able to hit.
Cost Factor #2: Resources And Availability
Red Team penetration testing assessments require minimal internal resources to fulfill the obligations of the engagement. Several internal resources are critical during the report review phase including business analysts, SecOps, DevOps, and NetOps engineers, scrum leaders, and project managers.
The Red Team assessment will mostly be executed in complete stealth mode. All internal resources will continue to operate as normal.
Some of the critical areas of the engagement will require no internal resources to execute the following attack sequences:
Installation – Deployment of rogue WIFI devices, and Internet of Things devices
Payload And Delivery – Installation of malware on endpoints and servers. This attack sequence will be executed by the 3rd party Red Team assessment group.
Actions On Objectives – All actions including installation of malware, rogue network devices, and social engineering will be clearly defined in the scope of work section prior to the engagement.
Cost Factor #3: Remediation and Retesting
The remediation and retesting stage is critical to the cost of any red team assessment. Different vendors will offer different levels of remediation, from providing assistance to your internal team in remediation to carrying out some of the remediations entirely themselves.
Several questions need raising in defining the post-engagement report, including:
Are the organization’s priority and next steps based on the vulnerability severity level? What risk management framework or compliance mandate should the organization align with?
These considerations impact the organization and the scope of the red team assessment. Should the organization budget for a post-retesting after all remediation is complete? What is the expected timeline for this additional segment?
Or does the organization limit the scope of the post-engagement report to specific areas that have been identified during the assessment?
How Much Do Costs Vary From One Vendor To The Next?
Yes, the cost of a red team assessment will vary depending on the vendor. Not all penetration testers perform red team services and so, being a boutique service, red teaming can come at a cost premium.
These are the aspects of a red teaming firm that most affect what they’ll charge:
- Is the 3rd party testing firm OCSP certified?
- Does the firm perform Red Team assessment and black-box pen testing in the same engagement?
- Do they only employ US-based resources?
- How many years of experience does the 3rd party tester have, and what vertical market do they specialize in?
- What is the background of the firm? Are they headquartered in the United States?
- Are they former US Government and or ex-military cybersecurity experts?
These factors can result in significant cost differences between red teaming vendors, even when the project scope is the same.
How to Reduce Red Team Penetration Testing Costs
Managing costs for any assessment team is feasible under the following considerations:
- Limit the time and scope of the red team, similar to a pen testing engagement
- Red Team engagements could be limited to a single attack vector or attack surface. For example, excluding a cloud environment from the assessment scope.
- Assess only the systems and network devices that must be tested to align with explicit compliance mandates.
- Consider hiring a lower-cost firm with good references with less global experience.
Costs Of Red Team Penetration Testing Vs Benefits
Red team penetration testing is very strategic to the organization. It is extremely valuable to test and validate an organization’s security program to determine the level of exposure, risk, and financial impact in case of a security breach.
Globally regulated organizations, organizations with complex supply chains, and companies that execute business with the federal government will benefit most from a Red Team assessment and quarterly penetration testing.
The results of the quarterly pen tests could help shape the yearly red team assessment engagement criteria. Pen tests could help reduce the Red Team assessment by identifying and prioritizing vulnerability elements within the organization. These quarterly assessments could set which parts of the environment would benefit more significantly from a Red Team engagement. This could help reduce resource time by having facts and data points from pen tests help steer the organization’s decision on the overall scope of any future red team assessments.
Ultimately the decision to invest in Red Team penetration testing comes down to the organization’s overall risk management composite scoring, compliance mandates, and security requirements for data privacy. According to the IBM Cost Per Breach Report for 2019, the average total data breach cost increased from $3.86M in 2018 to $4.24M in 2019. Organizations that had a more mature security posture tended to have lower fees than those that did not.
(REMEMBER: This free PDF report shows pricing data from 10 real penetration testing contracts so your firm can gauge costs and avoid overpaying for your own tests.)