by Ben Brown | 01/31/2023
This is a hard question but I’ll do my best to come up with an answer.
I think the best approach is first to define what a pentest is.
Firstly, pentest is short for penetration test. A pentest is an active assessment of all aspects of a company or organisation's threat surface. That means doing all the things you can think of that might compromise the security of the organisation in any way related to technology. After the testing is completed, a report is produced listing the steps the organisation could or should take to reduce and mitigate the potential for any identified attack to be carried out effectively. This is a fast-moving arms race and requires many different approaches and types of assessment in order to be comprehensive.
Penetration Testing Costs According to Type
Every business is different, so to manage the different requirements a pentest is divided up into elements or phases. The trick is to mix and match these elements to make sure that every aspect of the organisation is covered.
All aspects of the website are tested from a hacker's perspective, and attempts are made to abuse the code and the logic of the application in order to disclose data or gain access to the operating system and, from there, the network. This is what most people think of when they think of a pentest. The more complex the functionality of the website, the longer it will take to test effectively.
A simulated attack on the internet-accessible interfaces of the organisation. The scope is normally a list of IP addresses for the external routers and cloud-based servers owned by the organisation.
Internal Infrastructure Assessment
An attack that starts from initial access to an internal network. Scans of all network segments are aimed at finding insecure software and other misconfigurations that could be abused if an attacker were to enter the network at that point.
Any APIs serving mobile or other apps are tested with and without authentication to see if they can be abused to compromise the server or disclose data.
Mobile App Assessment
The code of iOS and Android apps is tested to see if it is possible to disclose data or break out of the sandbox, i.e. access the phone's operating system.
An in-depth assessment of the configuration of a user workstation or laptop. The report produced will have recommendations for configuration settings and changes that will harden the configuration, making it harder to hack and harder to break out of that machine and into the wider network.
Windows Server Build Review
An assessment of a server's configuration to identify security vulnerabilities which a hacker could take advantage of if they managed to compromise that server and gain access to its internal workings.
As above, but for a machine running the Linux operating system.
OSINT Assessment (Open Source Intelligence Gathering)
Identifying information which could be of use to an attacker in formulating attacks against members of the organisation. The form this takes might vary greatly depending on the organisation concerned, but it will likely focus on information shared on social media and documents that are accessible from the internet when they should not be.
An assessment of the organisation's Wi-Fi setup, mainly looking for methods of accessing the network without the correct credentials, or methods of breaking out of the Wi-Fi network into other network segments which should not be accessible.
In many cases the structure of an organisation is such that it doesn't really have an internal network, because it has no premises. When this is the case, remote workers will generally have either their own laptops or ones provided by the company. They will rely heavily on cloud-based services and may run most or all of their servers on cloud platforms like AWS and Azure. In these cases their security needs depend heavily on the security settings of those services.
There are lots of security settings within Office 365 which can be used to reduce the potential for the exposure of sensitive data. The most important thing is understanding context.
Microsoft Intune is an MDM (Mobile Device Management) solution which allows for the remote configuration and management of devices. It can be very useful when you want to standardise the configuration of a large number of devices.
SharePoint is often where the sensitive data is stored. The more people who can access a particular document, the greater the probability that it can be accessed by someone who shouldn't be able to. Restricting access to the smallest number of people, and making sure that only those people who should be able to access it can access it, is a critical element of any setup.
Sensitive data often lives on cloud servers. The configuration of these servers is often overlooked as it is imagined that the Cloud provider will handle the security element. This is often not the case and so an outsider's perspective can be invaluable. Getting the right configuration can be hard and the larger the organisation the greater the complexity of the solution required.
A typical pentest quote might look something like this:
Web app – 3 days testing, 1 day report writing
External infrastructure, 15 IP addresses – 1 day testing, 1 day report writing
API assessment, 25 requests – 1 day testing, 1 day reporting
Mobile assessment, 1 app in both flavours – 4 days testing, 1 day reporting
Build review, 3 hosts – 1 day testing, 1 day reporting
Assessment of Windows domain configuration – 2 days testing, 1 day reporting
SharePoint configuration review – 1 day testing, 1 day reporting
These are just examples, and the reality might vary greatly depending on factors that would be identified and addressed during the scoping process before testing. The important thing, if the assessment is to provide value, is that it covers all areas that threats could realistically come from. If company A tests their website but not the APIs for their mobile app, they can say they've had a pentest, but not that they've covered all the bases. The potential for such an outcome is addressed by mixing and matching the different elements of the possible testing types. The list above isn't exhaustive, but it gives an idea of the sorts of elements you'd want to include. So the answer to the original question, "how much does a pentest cost?", is, disappointingly, that it depends on what elements are required to effectively test your organisation's exposure. But so that you have a rough idea of what pentesting costs:
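To make the scoping point above concrete, here is a small added example (not a tool from the article or any vendor) that turns a list of in-scope assets into the assessment elements a quote needs, totals the days, and flags the kind of coverage gap described for "company A" (mobile app in scope, but no API assessment). The per-element day counts are taken from the sample quote above; the mapping from asset type to required elements, and the day rate, are assumptions that you would replace with your own scoping rules.

```python
"""Scoping helper: assets in -> required assessment elements, day totals, coverage gaps.

Added example; not the article's or any vendor's tool. Day figures per element
come from the article's sample quote; the asset-to-element mapping and the
day rate are assumptions for illustration.
"""
from dataclasses import dataclass

# Effort per element as (testing days, reporting days), from the sample quote.
ELEMENT_DAYS = {
    "web_app": (3, 1),
    "external_infra": (1, 1),
    "api": (1, 1),
    "mobile_app": (4, 1),
    "build_review": (1, 1),
    "windows_domain": (2, 1),
    "sharepoint_review": (1, 1),
}

# Assumption: the elements each declared asset type needs before the
# assessment can honestly claim to cover that asset.
ASSET_REQUIRES = {
    "website": {"web_app", "external_infra"},
    "mobile_app": {"mobile_app", "api"},
    "public_ip_range": {"external_infra"},
    "windows_domain": {"windows_domain", "build_review"},
    "sharepoint": {"sharepoint_review"},
}


@dataclass
class Scope:
    assets: set      # asset types the organisation has declared
    elements: set    # assessment elements chosen for the quote
    day_rate: int = 1000  # assumed placeholder; the article says the daily rate varies widely


def coverage_gaps(scope):
    """Return {asset: missing elements} for every asset not fully covered by the chosen elements."""
    gaps = {}
    for asset in sorted(scope.assets):
        required = ASSET_REQUIRES.get(asset)
        if required is None:
            # An asset we have no assessment type for is itself a gap to raise during scoping.
            gaps[asset] = {"<no assessment type defined>"}
            continue
        missing = required - scope.elements
        if missing:
            gaps[asset] = missing
    return gaps


def quote(scope):
    """Total testing and reporting days, and cost at the assumed day rate, for the chosen elements."""
    unknown = scope.elements - set(ELEMENT_DAYS)
    if unknown:
        raise ValueError(f"unknown elements: {sorted(unknown)}")
    testing = sum(ELEMENT_DAYS[e][0] for e in scope.elements)
    reporting = sum(ELEMENT_DAYS[e][1] for e in scope.elements)
    return {
        "testing_days": testing,
        "reporting_days": reporting,
        "cost": (testing + reporting) * scope.day_rate,
    }


def recommend(scope):
    """Elements to add to the quote so that every declared asset is covered."""
    needed = set()
    for missing in coverage_gaps(scope).values():
        needed |= {m for m in missing if m in ELEMENT_DAYS}
    return needed


if __name__ == "__main__":
    # Constructed scope: "company A" from the article, testing the website
    # and the mobile app binary, but not the API behind the mobile app.
    company_a = Scope(
        assets={"website", "mobile_app"},
        elements={"web_app", "external_infra", "mobile_app"},
    )
    print("quote:", quote(company_a))
    print("gaps:", coverage_gaps(company_a))
    print("add to scope:", recommend(company_a))
```

Running it on the constructed company A scope gives a quote of 8 testing days and 3 reporting days, and reports that the mobile app asset is missing the "api" element; adding that element closes the gap. The point of keeping the asset-to-element mapping separate from the day figures is that a scoping conversation can argue about one without changing the other.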
Example penetration testing cost
Website/web apps - £1500-£10,000
Network & network devices (routers, switches, modems, keys, etc.) - £100-£1000
Cloud - £600-£800
Mobile apps - £1500-£5000
SaaS - £1500-£3000
The price per day may vary greatly based on a whole host of factors. When choosing a solution there is an ever-increasing range of options available, and it can be hard to determine where best to focus effort for the best results. Here the analogy with going to the gym is as true as it ever is: take small steps regularly and make security part of your daily thought process. The process is simplified into:
1. Work out a list of the things you need to include in your total security inventory (hardware, software and dependencies).
2. Start testing the main elements to get a high-level overview.
3. Carry out attacks in a prioritised order, starting with the ones most likely to take place.
4. Review the findings, fix them and add processes to prevent them from recurring.
5. Repeat the process in a more targeted and specific manner, documenting all the outcomes.
6. Use the data to create policies to support compliance regimes.
With so many options and variables, it can be difficult to determine what the best option is for your organisation. If you have decided that penetration testing is right for you, we recommend contacting a few vendors who provide this service and asking them what they offer. The more information they can provide on pricing, the length of time needed and the results achieved, the better prepared you will be when deciding which vendor best fits your needs.