Especially if you’re contracting one for your organization for the first time, a vulnerability assessment can be difficult to price.
The scope for what you actually get when you pay for a vulnerability assessment can vary significantly from one vendor to the next. Add varying fee structures, tools used, reporting styles, and vendor reputations to the calculation, and the cost picture becomes frustratingly complex.
Knowing whether you’ve been quoted an appropriate cost for your vulnerability assessment can save your organization thousands in upfront costs. This article takes a deep dive into how much vulnerability assessments really cost, and explains the factors you should expect to increase and decrease those costs for your organization.
(IMPORTANT: We compiled this free report showing pricing data from 10 real Vulnerability Assessments so your firm can benchmark VA costs and avoid overpaying.)
- Scope for Vulnerability Assessment
- A Note on Penetration Testing
- Cost Benchmarking for an External Assessment
- Cost Benchmarking for an Internal Assessment
- Cost vs Benefits of DIY Vulnerability Assessment
- How Much do Costs Vary from One Vendor to The Next?
- How Much do VA Costs Vary from One Industry to the Next?
- Vulnerability Assessment Costs Vs Benefits
Scope for Vulnerability Assessment
The scope for a vulnerability assessment can vary widely. Testing can take place against a network environment, applications, databases, or wireless networks. Regardless of the type of vulnerability assessment, a VA should be a fairly simple process with the end goal of identifying and prioritizing vulnerabilities that exist within a given set of assets.
A vulnerability assessment – whatever the cost – should entail scoping, preparation, scanning, limited manual testing, and reporting, including prioritization.
The goal for scoping a security assessment is to understand which type of test is needed, the total size of testing needed, and what is to be tested.
Once this has been defined, the vendor can move to preparation. This might include installing required tools or agents to conduct testing, providing credentials or access, and configuring scan profiles. Knowing what is to be tested and what the environment is using for operating systems will allow for removing tests that are not needed and speeding up the results of the test.
Once everything is configured and access has been provided, the security assessment can begin. This will start with an automated vulnerability scan against the targets identified in the first two steps. This can take anywhere from an hour to several days, depending on the size.
As security vulnerabilities are identified, manual testing may be utilized to validate and identify additional issues within the target. Once the identified vulnerabilities are documented, risk ratings will be applied and a full detailed listing of the found issues will be put together.
Finally, a formal report with an executive overview and detailed information will be put together to allow the organization to prioritize risks and begin remediation.
>>> For a deeper look at the process of a vulnerability assessment, including tools used, duration see our full overview here.
A Note on Penetration Testing
Cybersecurity vendors don’t use consistent terminology when it comes to separating a vulnerability scan and a penetration test. A vulnerability scan is quicker and less expensive than a more detailed, time-consuming, and costly penetration test. For this reason, some vendors misleadingly try to sell the former as the latter.
At the core, a vulnerability assessment is looking to identify and assess risk associated with vulnerabilities using limited manual exploitation.
A penetration test will actively exploit security vulnerabilities that it finds. A penetration test may identify the same risks found in a vulnerability assessment, but it will take the extra step of simulating a real breach, so as to create a narrative about the total possible impact the exploitation of the vulnerability could have.
>>> We’ve written in-depth about the difference between a vulnerability assessment and a penetration test in this article. We’ve also broken down the costs of network penetration testing in more detail.
Cost Benchmarking for an External Assessment
When evaluating working with an external consultancy or vendor to provide vulnerability scanning, there can be a wide range for the total cost of a test.
Depending on the scope and frequency, a single vulnerability assessment can cost from $1,000 to over $10,000, if vulnerability management services are not included.
If vulnerability management services are added on, most vendors will provide this service, along with recurring monthly or quarterly vulnerability scanning, for anywhere from $50,000 to $200,000 per year.
Cost Factor #1: Assessment Scope
When reviewing vulnerability assessment costs, it is important to understand how scope can impact the overall price of the test.
First, start with defining what type of system or asset is in scope for the vulnerability assessment. Is it an application, network, wireless, or database? Second, define the size or effort that may be needed for the vulnerability assessment.
For example, a network or system vulnerability assessment will first be defined as external or internal. If an internal test is being conducted, are host scans a part of this? If so, properly privileged accounts will need to be provided. After understanding what type of network or system testing is taking place, the vendor will need to know the total number of IP addresses or systems in scope for the scan to properly price it.
Whether the contract is an internal vs. an external vulnerability assessment will impact the cost quite drastically. Traditionally the external footprint is smaller than an internal footprint and therefore quicker and simpler to assess.
The total number of network devices or systems tested will be smaller for the same external environment. However, in most cases, conducting an internal vulnerability assessment will include authenticated scans. This does cause the cost to go up a little bit compared to a pure external VA because it’s likely there will be more security flaws per device that will need to be reviewed. This is simply because an authenticated scan of the device will provide a full view of everything running on the device.
Another example is related to application vulnerability assessment. First, is the application deployed to an environment where it can have dynamic application security testing services conducted, or is the vulnerability assessment against the source code or static application security testing? For dynamic testing, the vendor will be most interested in a total number of dynamic pages. Dynamic pages are usually defined as pages that accept input or information. If the test is a source code review, the vendor will be interested in the number of lines of code or byte size of the code.
A dynamic application security test against the same application will typically cost less than a source code analysis. This follows similar reasoning as external vs. internal vulnerability scanning. A source code analysis for the same application will usually result in more vulnerabilities identified. The reason is that a source code analysis will identify coding practices that can lead to exploitation but may not be exploitable in a dynamic state. Simply, source code is like a code quality review but with a security slant.
Cost Factor #2: Frequency
For nearly every type of vulnerability assessment that is offered, the industry best practice is to conduct the assessment on a frequent basis, ranging from monthly to quarterly. A one-time vulnerability assessment will always have a lower contractual cost than a monthly or quarterly one. However, the per-test price for multiple vulnerability scans over the course of the year or contract will be lower.
Most vendors will ask and prefer that an organization contract for multiple vulnerability scans over the course of the contract. This is revenue for them, but the more important piece is that it provides them the ability to schedule the test and have consistent work available for their employees.
Cost Factor #3: Vulnerability Management
While this factor is not related to the testing component of vulnerability scans, it is worth evaluating when engaging in third-party testing. There can be a great deal of vulnerability identified during the assessment, and it may require expertise or understanding to properly remediate or mitigate. Internal teams will often view this work as non-scheduled, as it is difficult to fully understand the total number of vulnerabilities that will be identified and what the work effort will be to remediate those vulnerabilities.
Because of this, most vendors have started to offer an add-on service called vulnerability management. Vulnerability management, or vulnerability remediation, entails having a consultant provide assistance, expertise, and advice in properly remediating and mitigating the identified vulnerabilities from the vulnerability assessment. This will often result in significantly lower work for internal staff and can be conducted quickly, oftentimes within a day or two, of the test being completed.
Cost Benchmarking for an Internal Assessment
An option for a company that wants to have more control over the testing, results, and reporting is to stand up their own internal vulnerability assessment capabilities.
This will entail developing internal testing methodologies, purchasing and standing up tools, and developing internal reporting standards. Some of the biggest factors in the total cost are related to tools and professional services.
In general, tooling can range from free, via open-source, to well over $100,000 per year for the software.
Cost Factor #1: Assessment Tooling
This really may be one of the biggest factors in total cost for bringing this capability in-house. Just like with external vulnerability assessment, the type of testing, or scope, has a large impact on the cost. Unfortunately, some tools have a wealth of high-quality open-source capabilities; while others only offer up closed source options.
For example, when it comes to application vulnerability scans, the cost depends on if dynamic application security testing or source code analysis is being conducted. A dynamic application security testing tool can range from $2500 to $10,000 per application to test.
Most of these tools are quoted by unique domain names and are locked to those domains, which adds to the cost if multiple domains are being conducted. While this is straightforward, source code analysis tools are more complicated to price out, as these tools are based on the number of developers, total lines of code, number of applications, or total byte size of an application.
While it can be complex to determine the cost of application vulnerability assessment tools, network scanners are easier. There are multiple open-source tools available that can be utilized for free, such as OpenVAS. While this tool is capable and a good option, multiple other closed source tools could be considered as well. All these tools are based on a total number of IP addresses or systems that will be set up for scanning. One benefit of using one of the close-sourced tools is that they may offer up an agent that can be installed on all systems to allow for more visibility and near real-time vulnerability assessment capabilities.
Cost Factor #2: Professional Services
When standing up internal capabilities, it is always worth evaluating the potential cost to engage in professional service hours or projects with the vendor of the tool. This can entail assistance in configuring the scanning tool, installing all needed components, or helping with establishing processes and procedures for managing the tool.
These services are typically a one-time cost at the time of the initial contract and will certainly add cost to the overall project, depending on how much time is required to complete the initial setup.
Just like consultancy firms that are now offering vulnerability management services, vendors of tools are now offering this service too. Some of the vendors offer this as a professional service that will provide eyes on the glass to assist with remediation, and others offer up an automated service.
The automated service will simply upgrade or apply available patches to systems once detected, instead of requiring manual updates.
Cost Factor #3: Internal Resources
The final factor for internal vulnerability assessment is related to internal resources. This is often overlooked when deciding on the build vs. buy discussion. Standing up internal capabilities will require internal resource time across security, operations, and infrastructure to get tools and processes in place to conduct the vulnerability assessment.
Additionally, if internal skills do not exist already, there will be an additional required investment in training and time needed to conduct the training to close the internal capabilities gap. The more mature a company is in security and IT, the lower the investment or cost in training and effort to stand up the internal capabilities.
Cost vs Benefits of DIY Vulnerability Assessment
When evaluating standing up the internal capabilities to complete the assessments, requirements, and dependencies are important to know. Some of the requirements to establish this internal capability are as follows:
- Select type of testing to be conducted
- Select tool to assist with testing
- Installation of tool and agents to conduct scanning
- Configuration of scanning profiles within the tool
- Development and establishment of testing procedures and requirements
- Development of testing schedule
- Training of staff on tools and process
- Reporting and tracking requirements
While the list of requirements and dependencies is not short, hiring a seasoned security engineer can assist with moving this along quickly. Another option to quickly stand up the internal capabilities is to engage a tool vendor for professional service solutions. Most vendors will offer up training, deployment, and configuration services to help with the installation and transition to operation mode for tools.
Even when engaging professional services, it will not be possible to stand up overnight. Typically, it takes 6 months to 18 months from contract to full implementation. When looking to build internally, it is a strategic decision that will require a transition plan to continue conducting testing while the deployment is in process. In this case, an organization can expect to need to pay a consultancy to perform testing until the tool and internal capabilities are operational.
Even with the investment in time, contracts, and transition, there is value in bringing testing in-house. With internal testing, ad-hoc testing will be no additional cost. This provides rapid capabilities to validate remediation and mitigation of vulnerabilities. More frequent testing is attainable, because it will be more cost-effective, and, in some cases, testing can be nearly 100% automated, allowing for faster results.
The final reason to consider moving a vulnerability assessment capability internally is the ability to have expertise embedded in the organization to assist with prioritization, tracking, and recommendations related to vulnerabilities.
Working with a vendor to provide the service, you may get this at the time of completion of the test, but you won’t have it on-demand throughout the remediation work.
How Much do Costs Vary from One Vendor to The Next?
Vendor pricing can vary, like any other service, but for the most part, all vendors that offer vulnerability assessments will be close in cost. It is always recommended to shop a few vendors, even including tool vendors, to get a good idea of the pricing range and to allow for better negotiation on testing. However, there should not be a large variation in pricing.
When it comes to location, onsite testing, and onsite meetings, there is not much advantage in selecting a vendor that is close for testing unless a wireless or internal vulnerability scan is required. Most vendors can conduct these remotely through a deployed VM to help keep costs down. Keep in mind that travel can quickly exceed the cost of the test if onsite is required. It is recommended to engage a local firm. Outside of that, meetings may only happen at scoping and project end as a security assessment is usually a quick service (typically under 5 days) compared to a more involved penetration test.
The only other reason to select a vendor that may have a higher cost is if the vendor has integrations or integration capability into the organization’s existing tools for remediation management.
This can save significant time for the organization’s internal team to manage and report on the security vulnerabilities going forward. Having them in a standard format that is in the system of record is certainly worth considering the additional cost for that specific vendor.
How Much do VA Costs Vary from One Industry to the Next?
Vulnerability assessment does not vary from one industry to the next in the per-test cost, except for operational technology (OT) and critical infrastructure.
All industries, with these exceptions, will have the same scoping criteria and level of effort for that scoping. It can get more expensive when it is a technology company, that may want to have multiple applications or a large network environment tested. This, as outlined in the cost factors above, will impact the total effort or cost needed to complete the test.
The only two industries that may have a higher cost associated with testing would be OT and critical infrastructure companies that may be running SCADA systems. The biggest reason for this increased cost is that it requires special tools and manual testing. Often, consultancies may take a manual approach for these environments, due to assets and systems being fragile or prone to disruption from automated tests, and this may result in a tangible impact on revenue or operation.
Due to the requirement of additional tools and increased risk and the likelihood of impacting customers, fewer vendors offer up solutions in this space, which helps to keep the overall cost higher.
Vulnerability Assessment Costs Vs Benefits
Engaging a vendor to conduct or develop an internal capability for vulnerability testing is considered a core requirement for any company.
A company without a vulnerability testing regime faces wide-spanning risks, even beyond the increased likelihood of a breach. The absence of a basic cyber hygiene protocol like VA increases legal exposure and adds senior leadership culpability. With this control not implemented, it would be near impossible for council to argue that the organization performed the required due diligence to prevent a breach or security event.
In short, the relatively modest cost of a vulnerability assessment regime will be far outweighed by the benefits to most organizations, whether performed internally or externally.
DON’T FORGET: We compiled this free report showing pricing data from 10 real Vulnerability Assessments so your firm can benchmark VA costs and avoid overpaying.