IT Security Assessments: How much do they cost?
September 25, 2013 9:25 AM   Subscribe

I've been tasked with figuring out what firms charge to perform IT Security tests, penetration tests, etc, for commercial clients? What kind of metrics do they base their charges on? Is there a standard rate for this kind of work? Alternately, do you have any tips for getting this kind of info from the companies that do this kind of stuff?

I'm working for a firm that is considering entering the commercial IT Security assessment market. We aren't really sure how this stuff is priced, and I have been given the job of trying to figure that out.

I've been browsing around the internets for several hours and predictably, the webpages I can find for companies who perform these services don't have pricing information; you need to contact a sales rep to get that.

As I'm not interested in actually buying their services, I haven't done that yet. I guess I could always pass myself off as a customer but I'd prefer to avoid that if at all possible.

Is there anyone out there with experience in this field willing to divulge how this type of work gets priced, and what the average going rate for this kind of testing might be? And if not, does anyone have any suggestions for how to find this kind of information?

posted by tokaidanshi to Work & Money (3 answers total) 1 user marked this as a favorite
You might get something useful from /r/AskNetSec on Reddit. It's much, um, cleaner than what you normally associate with Reddit.
posted by Nonsteroidal Anti-Inflammatory Drug at 10:43 AM on September 25, 2013

Tokaidanshi, just sent you memail.
posted by kovacs at 6:15 PM on September 25, 2013

In my experience, (on the customer side of things) it depends on what the customer is getting assessed. Whats the scope of the engagement, whats the size of the environment? They might say its two ecommerce sites, one remote access portal for staff, and they just want to see what you can get to from the outside. Or they might want an internal assessment as well, so set you up as a typical user in the organisation to see what risks they face from an unhappy employee for example. Or it could be a design risk assessment (they are planning on implementing a new remote access setup, they want risks identified, mitigating factors identified etc).

They might have B2B access portals, VPN tunnels to remote offices, remote desktop/app presentation, electronic fax gateways, cloud dev environment... etc.

The way I would do that is - how long will all this take (in terms of effort)? How much are your expenses? How much margin would you like to make on top of that?

For example: you might say to do a penetration test of a remote access staff portal will take 2 weeks effort (assume 7.5 hours a day, 5 days a week). Your expenses (salary, office lease, power, internet, travel etc) are $220 per hour. You'd like to make 30% margin. You should charge ~$21500... ok lets round it up to $25000.

That seems on the low side on my experience, so I've probably underestimated all of the factors there but that's one way to work it out.

You'll need to make sure your statement of work is locked down so that the scope of work can't creep without you being recompensed accordingly (we'll do x, y and z, we'll provide a b and c, customer will provide q r and s).

On another note, I've been involved really good security assessments, and I've had bad ones. For me what differentiated the good from the bad was that the good ones had a realistic attitude, they worked with us to help resolve the issues (the paper included resolutions to the issues they found, but they also talked through our issues with implementing some of those with us).

Hope that helps.
posted by Admira at 10:08 PM on September 25, 2013

« Older Help me entertain him ... senior stroke version   |   I need more Onion in my life. A lot more. Newer »
This thread is closed to new comments.