In the current security environment, nearly every organization should engage in network pen testing, both internal and external. A network penetration test can be budget-friendly and does not take much time to complete. Most of the effort is upfront during the scoping, sizing, and contracting for the engagement. While there may be remediation that needs to take place afterward, it is a low effort/high reward engagement that can provide early indications of control deficiency that could lead to a security breach.
But knowing how much to pay for your pen test can be difficult. There is no standardized pricing, and quotes can vary greatly from one vendor to the next. Determining the appropriate cost requires both a firm understanding of what your pen test needs to include and the due diligence to compare proposals of differing scopes accurately.
This article is a comprehensive and independent guide to how much network penetration testing should cost in 2022, including the main factors that contribute to cost, and our tips for how costs can be managed and reduced. By the end, you should have a clearer picture of how a pen test is likely to cost your firm.
(IMPORTANT: This free PDF report shows pricing data from 10 real penetration testing contracts so your firm can gauge costs and avoid overpaying for your own tests.)
- Scope for Network Penetration Testing
- Network Penetration Test Cost Benchmarks
- How Much do Costs Vary from One Vendor to The Next?
- How Much Does Penetration Testing Cost Vary from One Industry to the Next?
- How Can Penetration Testing Cost Be Reduced?
- Costs of Penetration Testing Services vs Benefits
Scope for Network Penetration Testing
Before breaking down a typical pen test approach for network penetration testing, it is important to understand the types of network penetration testing and the key difference between a vulnerability assessment and a penetration test.
A vulnerability assessment is not the same type of test as a pen test, nor will it have the same results. While a vulnerability assessment can, and often should, be a component of a penetration test, it can also be a standalone service that provides some value to an organization. At the core, the difference between a vulnerability assessment and a penetration test is in the goal or result of the procedure. A penetration test is attempting to identify vulnerabilities that exist and exploit them (either individually or as a group) to demonstrate the impact and validity of those vulnerabilities existing within the environment. In other words, where security gaps exist. This will ultimately show an organization the impact a potential breach can cause. A vulnerability assessment’s goal is to identify all potential vulnerabilities but not to fully exploit or chain them together. Typically, these are no more than an automated scan with the output evaluated with some basic manual validation.
Digging a layer deeper into a pen test the scope or type of test performed can vary. When it comes to a network penetration test, it can be in the form of an external penetration test, which will show what an external malicious party would be able to access. The other common form is an internal pen test, or what a malicious actor can do once inside the network. We will dig deeper into how this will impact the cost of a test in the following section, but both products will produce the same results.
The goal of both test types is to provide concrete evidence of the impact of vulnerabilities being exploited in the environment. When engaging an external firm, an organization can expect to go through a scoping process to identify goals, size, type of test, and overall complexity. Once agreed on, the tester will go through a series of steps during the test before providing a detailed report on results.
(NOTE: To see detailed cost breakdowns of 10 real pen tests in the last year, you can download our new free report with the button below)
The first step in the process is reconnaissance; this is where the tester will take the provided information and further explore what may or may not be in scope. The goal during this phase is to identify anything that may have been missed, understand the organization, and determine areas of interest for the following steps.
After recon is completed, active testing will take place. This, almost always, starts with automated testing to provide coverage and initial identification of vulnerabilities.
After the initial automated scans are completed, validation testing will begin. Testers will conduct manual testing against vulnerabilities to understand the extent to which the vulnerabilities can be exploited and what impact they may have on the organization. During validation, additional manual testing will take place to identify other vulnerabilities that are not always identified during the automated testing.
As the engagement wraps up, reporting will begin. This is where the tester will create a story or narrative around the vulnerabilities and exploits. This step can create some of the biggest value for the organization as this will provide a clear understanding of prioritization of remediation going forward. The report is a written report that will contain executive and detailed information on the findings from the test.
Network Penetration Test Cost Benchmarks
As may be expected, network penetration testing costs vary widely. Every organization is architected and managed differently, which impacts the overall size and effort required for a comprehensive test. With this in mind and understanding that a consultancy providing a network penetration test is selling a process and set of manual skill sets, it becomes evident that there will be a range for the service.
In general, organizations can expect a network penetration test of moderate to low-level complexity to be somewhere between $15,000 and $50,000 per engagement.
While this may seem like a broad range, the reality is this is a narrow range of what network penetration tests can cost. So, what are some of the factors that contribute to the overall cost of a test?
Cost Factor #1: Scope
The scope of a network penetration test is not what IP addresses or systems are selected for testing. This factor relates directly to what type of network penetration testing is desired.
As previously discussed, there are two core types of network penetration testing, external and internal. It is possible to engage in both or just one of these types of network pen tests, in any given engagement.
If engaging for an internal network penetration test, the total size of the environment, type of skills, and manual testing is going to require a large effort, because the attack surface is so much larger. Keep in mind that an internal penetration test will include attacks against active director or domain controllers, network switches, VPN concentrators, and many other services that are not exposed externally or easily accessible externally. Couple that with the goal to show what a malicious actor could do when inside the network, this total effort compared to an external test will be larger.
Cost Factor #2: Complexity
As complexity increases, the overall cost will continue to rise for any given engagement. What adds complexity to a network penetration test? The answer to this question is related to the testing methodology.
There are three types of testing methodology that can be contracted that add or remove complexity for a tester. The first is a white-box penetration test. This is where the organization and tester have open communication and divulge as much information as needed to perform the test. Information can include IP addresses, internal architecture, core systems, and even versions of OS running in the environment. The goal for white box testing is to eliminate the effort or total time of the recon phase and focus on vulnerability identification and exploitation.
The second is black box penetration testing. Simply, this is where the tester is provided as little information as possible, with the goal of understanding what a malicious actor could discover, identify, and exploit, related to the organization. This results in a greater effort in the recon phase and, in some cases, less time spent in vulnerability identification and exploitation.
The last is a red team, or adversarial simulation, penetration test. This scope is usually limited to mature organizations wanting to take full advantage of a network penetration test. Red team testing is a more advanced form of black-box testing, where testers are given little to no information on the organization. The difference in this test is that the consultants are attempting to avoid detection or identification. The end goal for the organization here is less about identifying vulnerabilities and exploits and more about gaining the ability to detect, prevent, and investigate exploits and attacks.
Cost Factor #3: Environment Size
Another factor to consider when discussing penetration testing cost is the network or organization size. Not all penetration tests need to be conducted against the full organization environment. However, the size of the organization’s external presence or internal network will provide the consultancy firm with an idea of the total time needed to conduct testing. The more IP addresses, systems, and assets included in the test, the more time it will require to run automated and manual testing against the environment.
Cost Factor #4: Report Quality
The final factor to consider, when discussing pricing and cost with a consultancy, is reporting. A report will be included in some capacity for any pen test contract, but the kind of report required, requested, or proposed will affect the cost of the engagement.
Does the organization need an attestation letter to provide to clients? Want full exploit steps produced in the report? Need individual reports for asset owners or groups? As more reports or documents are asked to be produced it will add effort and cost to the engagement and often some of this reporting can be accomplished by internal teams working from a single detailed report.
How Much do Costs Vary from One Vendor to The Next?
Before evaluating penetration testing costs, it is important to understand how pricing can differ from one vendor to another. Before digging into vendor penetration testing pricing, it is important to understand common contracting models.
There are three common pricing models in penetration testing, fixed cost, time & material, and credit-based.
- Fixed cost is the most common, and the key benefit as a buyer is that the price agreed, minus any scope changes, is the price paid. It is a low-risk engagement for the organization as the consultancy would be responsible for any overages at a fixed cost.
- A time & material (T&M) contract places the risk of overages on the organization, as these are structured where the organization pays for the hours used, regardless of if the hours are more or less than what was estimated.
- The last pricing model is a credit-based model. This can take many forms, depending on the consultancy company. This can be a fixed cost per test type or a credit model that equates to a level of effort. This model provides the organization the ability to buy capacity upfront without knowing what type of test or when the test will be completed. Often, if bought in bulk, pricing will be heavily discounted to provide incentives.
So, how does a vendor affect the cost of the service? As stated at the beginning of this article, network penetration testing has started to be viewed as a commodity service. Couple this with core requirements in standards like PCI-DSS, and it is possible to find low-budget penetration testing services. Often, these companies are leveraging a more automated testing methodology with limited manual testing to provide the report to their clients to meet regulatory demand.
While this is very common, other companies provide highly technical and manual testing services that will be priced significantly higher than budget firms. Pricing can vary greatly on tests from one vendor to the next in this domain.
One company can offer a penetration test that will take a week for around $10,000, while another will scope and quote effort at 3 weeks and $30,000.
Some other ways that testing can vary from one vendor to the next is when conducting internal penetration testing. This is where cost can quickly increase as not all consultancies offer up a remote-friendly service. In some cases, the company may have the ability to deploy virtual machines in the network to provide access for secure remote testing while other companies still prefer to be onsite for all testing. This is purely a preference for both the contracting organization and the consultancy. Travel can add significant costs, so always ask upfront the preferred method for internal penetration testing.
How Much Does Penetration Testing Cost Vary from One Industry to the Next?
When it comes to industry impact on network penetration testing, there are only two industries that may increase the overall cost of the engagement. Manufacturing or industrial networks will, in most cases, increase the overall effort of testing.
This is for two reasons: one being that there is not a large selection of safe automated tools for industrial networks, and, two, there is seldom a non-production environment to test against. Both create the same result, which is increased manual testing to provide the coverage and depth required. Most consultancies that will provide testing services in this industry will provide a heavily manual approach. This is mainly because these systems tend to be extremely fragile, and often any downtime in an industrial or manufacturing system will result in large revenue loss.
There is one other impact to testing cost, but it is not so much from the industry as an architecture. Cloud services or architectures can increase the cost of penetration testing. While the cloud has been around for a while, it is still new and varies greatly from one organization to the next. Add in that each cloud service provider is unique and has its own underlying technology, and this creates a space that requires highly skilled and technical resources to conduct quality testing.
See our article on AWS penetration testing for more detail on how these services are priced.
How Can Penetration Testing Cost Be Reduced?
Keeping in mind that network penetration testing is contracting for consultants to perform tasks, which creates a direct correlation to cost, then the key to managing the cost of most network penetration tests is to limit the total amount of time devoted to the test.
While it may be tempting to keep the full network perimeter in scope and cut the total time allocated in half to save cost, it is not recommended. The impact of doing this is that total effort is reduced, which means that the depth of testing will suffer, and quality can be impacted.
If the cost is too high initially, consider limiting the scope to the most important systems or a sampling of systems within the environment. This will provide the time for a deep, thorough test, while providing the contracting organization some cost management. A sample approach for a large organization could be very efficient as the results from one OS to another OS of the same version may very well have the same issues.
Finally, if no proposed penetration testing program is fitting the organization’s budget, a downgrade to a vulnerability assessment at a lower cost could be considered.
Costs of Penetration Testing Services vs Benefits
When evaluating whether engaging in network penetration testing is worth the operation cost, consider the evaluation of security standards and regulations.
Beyond some of the core regulations that require network penetration testing, more regulations are focusing on organizations conducting their due diligence when it comes to security. It can be argued that due diligence cannot be proved without some level of understanding of risk exposure on the network level.
It can be justified that any organization must conduct network penetration testing to limit legal exposure. With many regulations carrying hefty fines associated with a lack of compliance and some fines incurred in the millions, it seems logical that the cost of a network penetration test vs. the potential fine is nominal.
While regulation is one aspect to consider when evaluating the need for penetration testing, the final point is the risk associated with not performing testing. The direct correlation between lack of penetration testing and real security breaches has been well researched and reported.
A breach will not only impact the immediate operability of the business, which has a direct revenue correlation, it could also impact reputation, existing customers, insurance, and employee retention.
So, when evaluating the total cost of a network penetration test, run the numbers for your business and evaluate based on the potential revenue lost and the operational cost associated with a recovery from a breach. After this exercise, the cost of a pen test will usually pale in comparison.
(REMEMBER: This free PDF report shows pricing data from 10 real penetration testing contracts so your firm can gauge costs and avoid overpaying for your own tests.)