Red Team penetration testing engagements are usually longer in duration than a standard penetration test, and considerably more expensive. For Red Team security engagements, organizations should expect the pricing to start from $10,000.
A low level, standard penetration test might cost a minimum of $5,000. But red team pen tests leverage multiple testers into a single engagement, spanning multiple attack surfaces and attack methods, with multiple intrusion attempts over an extended duration.
Black-box, white-box, and gray-box example engagements are ideal for compliance mandates like PCI-DSS, HIPAA, CCPA, and GDPR average costs between $4,000 to $35,000. These engagements typically are completed within 7 to 10 days.
Red Team penetration testing costs between $10,000 to $85,000 and typically runs for several weeks. In many cases, the red team could be in “stealth” quiet mode for the initial part of the engagement to avoid chances of detection by corporate employees and partners.
This article will break down the main factors that affect the cost of a red team assessment. If your firm is considering one, the article should assist with your due diligence and make selecting a vendor simpler.
(NOTE: If you’re considering a red team pentest, the free tool below matches your organization with top-rated providers that suit your budget and requirements)
- Find the Right Pentest Provider Fast
- Why Is A Red Team Assessment More Valuable Than A Pen Test?
- Scope For Red Team Assessment
- Cost Benchmarking
- Cost Factor #1: Time And Scale Of The Engagement
- Cost Factor #2: Resources And Availability
- Cost Factor #3: Remediation and Retesting
- Indirect Cost #1: Additional Training Expenses
- Indirect Cost #2: Downtime and Business Disruption
- Indirect Cost #3: Post-Assessment Improvements
Why Is A Red Team Assessment More Valuable Than A Pen Test?
First, it is essential to understand that a Red Team assessment is not a penetration test. Red Team assessments take longer, are far more thorough, and as a result, cost more. Red team engagements tend to be more detailed with several layers of rules for engagement.
Red Team testers are assigned sub-groups focusing on separate attack vectors, including social engineering, internal infrastructure security, exploiting lateral movement between VLANs, SaaS applications, and identity management.
Red team penetration testing tends to cross several areas within the organization, and, rather than simply document vulnerabilities and how they were breached, provide insights into the response capabilities of the existing security program.
Scope For Red Team Assessment
Red Team penetration testing methodology covers tactics and techniques to attempt real-time attacks on an organization. Red team penetration testing activities follow the ATT&CK Framework, a popular knowledge base of adversary tactics, techniques, and procedures (TTP) based on real red and blue teams’ actual experiences.
A red team’s cyber kill chain will break down the attack into identifiable stages. This methodology covers the following steps:
- Reconnaissance – Scan several areas of the environment to determine interconnecting vulnerabilities and exposure.
- Payload & Delivery – Ability to deliver a malicious payload of malware, ransomware, and viruses across parts of the environment leveraging email, social media, and web content as a rogue delivery tool.
- Exploitation – Which are the risk areas of the environment most vulnerable to exploitation?
- Installation – The ability to add rogue devices, including WIFI, servers, and Internet of Things devices, without being detected across several parts of the environment.
- Command & Control – Are exploited endpoints and servers receiving rogue communication instructions from hackers’ online command and control services?
- Actions on Objectives – Do the response capabilities and defense mechanisms work as expected across the environment?
- Post Engagement Reporting – Did the post-engagement report provide remediation recommendations, including improvements to existing adaptive control and response capabilities, security measures, and incident response protocols.
As a broad benchmark, Red Team assessments can cost between $10,000 to $85,000 depending on the scale of the project, the timeline, expectations of remediation, and the requirement to retest.
Below we break down each of these cost factors and how they’re likely to affect the cost of your red team engagement.
Cost Factor #1: Time And Scale Of The Engagement
Red Team assessments could span between 14 days to several weeks. The duration of the test – that is, how many hours the vendor commits to the assessment – is the primary factor in the pricing of the engagement.
Red Team assessments typically have several layers within the engagement that require various amounts of effort, time, and personnel. Some of the critical areas of the engagement that impact the time and scope include:
Reconnaissance – This engagement stage could scale up or down depending on the scope and time allocation. This component could take several weeks to complete if the engagement calls for several reconnaissance engagements across the internal and external networks and the cloud presence.
NOTE: See cybersecurity vendors with expertise in cloud security here.
Exploitation – Based on the discoveries of the reconnaissance phase, the scope and time for exploitation could expand into several days and weeks. This part of the assessment is done in a quiet mode without alarming or impacting any production systems or users.
Command & Control – After completing the exploitation stage, the Red Team determines the number of endpoints impacted. This has a huge cost implication. The effort and duration required in subsequent phases of the assessment could increase or decrease based on how many of the endpoints the Red Team was able to hit.
Cost Factor #2: Resources And Availability
Red Team penetration testing assessments require minimal internal resources to fulfill the obligations of the engagement. Several internal resources are critical during the report review phase including business analysts, SecOps, DevOps, and NetOps engineers, scrum leaders, and project managers.
The Red Team assessment will mostly be executed in complete stealth mode. All internal resources will continue to operate as normal.
Some of the critical areas of the engagement will require no internal resources to execute the following attack sequences:
Installation – Deployment of rogue WIFI devices, and Internet of Things devices
Payload And Delivery – Installation of malware on endpoints and servers. This attack sequence will be executed by the 3rd party Red Team assessment group.
Actions On Objectives – All actions including installation of malware, rogue network devices, and social engineering will be clearly defined in the scope of work section prior to the engagement.
Cost Factor #3: Remediation and Retesting
The remediation and retesting stage is critical to the cost of any red team assessment. Different vendors will offer different levels of remediation, from providing assistance to your internal team in remediation to carrying out some of the remediations entirely themselves.
Several questions need raising in defining the post-engagement report, including:
Are the organization’s priority and next steps based on the vulnerability severity level? What risk management framework or compliance mandate should the organization align with?
These considerations impact the organization and the scope of the red team assessment. Should the organization budget for a post-retesting after all remediation is complete? What is the expected timeline for this additional segment?
Or does the organization limit the scope of the post-engagement report to specific areas that have been identified during the assessment?
Are There Indirect Costs with Red Teaming?
On top of the direct costs above, there are longer-term expenses that may end up being incurred as a result of running a red team pentest. Of course, these aren’t reasons to not perform the test. As you’ll see, they are all standard expenses that occur in the cost of improving your security program.
But for budgeting purposes, it can be helpful to factor them in before the engagement. Some of those costs could include:
Indirect Cost #1: Additional Training Expenses
After your firm wraps up a red team pentest, it may encounter additional training costs. These costs can arise from the need to educate staff members on new security measures and protocols introduced by the penetration testing firm.
In cases where extensive new protocols must be implemented, there can even be a temporary drop in productivity, as staff becomes familiar with the new measures. This is an indirect expense. The organization may need to invest in additional programs and resources or hire specialists to facilitate the training process, adding to the overall cost.
Indirect Cost #2: Downtime and Business Disruption
Nowadays, good pentesting firms structure their red team operations to minimize or completely avoid business disruption. Most of the time, their specific mandate is to infiltrate the firm without being noticed at all, let alone disrupt business operations.
But depending on the kind of test structure you select, and the goals you have, there may be a period of time during which some operation in the business is disrupted.
This can incur an indirect expense on the business, and one who’s cost can be hard to calculate. Fortunately, the testing firm will be able to tell you upfront about the prospects of any downtime if indeed it is necessary for the test.
Indirect Cost #3: Post-Assessment Improvements
Of course, the improvement of your security program is the reason to conduct a pentest. It may seem misguided to consider this “a cost” of red teaming but again, to see the whole picture, I think its helpful for these to be in the conversation.
After a red team test, the organization may need to implement changes based on the findings and recommendations provided. This can involve upgrading software or hardware, modifying network infrastructure, or investing in additional security measures.
These post-assessment improvements can generate indirect costs, particularly if they require a substantial investment in new technologies or services. The organization may also need to allocate resources to monitor and maintain the updated systems, further adding to the overall cost.
This also is not a reason to hesitate before a red team test. You will come out of the test with a list of recommendations. Any good red team test report will prioritize the list of improvements and recommendations it makes. You should even be able to request rough guidance on costing if you’re seeking to order the improvements by their potential budget request.
Obviously, it’s not that you will get lumped with the costs of all the improvements recommended in the testing firms’ reports. Instead, you should expect additional, long-term expenses as you enact whichever recommendations from the report that you deem necessary.
How Much Do Costs Vary From One Vendor To The Next?
Yes, the cost of a red team assessment will vary depending on the vendor. Not all penetration testers perform red team services and so, being a boutique service, red teaming can come at a cost premium.
These are the aspects of a red teaming firm that most affect what they’ll charge:
- Is the 3rd party testing firm OCSP certified?
- Does the firm perform Red Team assessment and black-box pen testing in the same engagement?
- Do they only employ US-based resources?
- How many years of experience does the 3rd party tester have, and what vertical market do they specialize in?
- What is the background of the firm? Are they headquartered in the United States?
- Are they former US Government and or ex-military cybersecurity experts?
These factors can result in significant cost differences between red teaming vendors, even when the project scope is the same.
How to Reduce Red Team Penetration Testing Costs
Managing costs for any assessment team is feasible under the following considerations:
- Limit the time and scope of the red team, similar to a pen testing engagement
- Red Team engagements could be limited to a single attack vector or attack surface. For example, excluding a cloud environment from the assessment scope.
- Assess only the systems and network devices that must be tested to align with explicit compliance mandates.
- Consider hiring a lower-cost pentesting firm with good references with less global experience.
Costs Of Red Team Penetration Testing Vs Benefits
Red team penetration testing is very strategic to the organization. It is extremely valuable to test and validate an organization’s security program to determine the level of exposure, risk, and financial impact in case of a security breach.
Globally regulated organizations, organizations with complex supply chains, and companies that execute business with the federal government will benefit most from a Red Team assessment and quarterly penetration testing.
The results of the quarterly pen tests could help shape the yearly red team assessment engagement criteria. Pen tests could help reduce the Red Team assessment by identifying and prioritizing vulnerability elements within the organization. These quarterly assessments could set which parts of the environment would benefit more significantly from a Red Team engagement. This could help reduce resource time by having facts and data points from pen tests help steer the organization’s decision on the overall scope of any future red team assessments.
Ultimately the decision to invest in Red Team penetration testing comes down to the organization’s overall risk management composite scoring, compliance mandates, and security requirements for data privacy. According to the IBM Cost Per Breach Report for 2019, the average total data breach cost increased from $3.86M in 2018 to $4.24M in 2019. Organizations that had a more mature security posture tended to have lower fees than those that did not.