Chris,
I agree with Sami you must estimate to the best of your ability how much
time it will take you to conduct the test and produce some type of
output. Conducting the test is more than just using a scanner. You
need to define a scope for each project separately no project is the
same. Some costs are hard to factor into a project. For example some
projects may require extra research into products that you have not
tackle in the past. The customer may want more data on how to fix the
problem like the commands for their IT to use or what vendor tools to
use. They also may want a special threat matrix designed to fit their
needs and their auditors. You need to also think about how much time it
will take for the customer to review the document and for you to make
any changes.
Remember all project come down to scope......hammering this out is
VERY critical to prevent cost issues (especially losses on fixed
price projects). This last point is important!! Sometimes scope creep
can kill your bottom-line. I saw a consulting firm get hammered by
their client because the scope was to vague. A 12 week assessment
turned into a 1 year project with multiple consultants on-site for the
fix price of only 12 weeks!!!!!!!!!!
You should always factor in some extra time for those "what if" that
always pop-up.
And lastly you should always be prepared to negotiate the pricing with
the customer. The customer will always find someone cheaper and you
will have to prove why you are better for the extra cost.
sami.ghourabi@icn.com.tn wrote:
I would try to evaluate necessary time to do the job and charge XX dinars (or
dollars) per 8 hours day
On Thu Nov 30 10:59 , Chris Stromblad sent:
Hi list,
Those of you who work with this professionally, what sort of pricing
model do you use? How do you assess what should be charged for the test?
Considering the fact that there are many types of pen-tests and all have
different scope. I'm having a hard time figuring out if the prices that
has been given to me are reasonable.
Say I were to give you one of the following scenarios, what would you
charge (roughly):
1. "Black box with shades of gray", 2 /24 networks, not all devices are
active. External scan.
2. Internal scan, only devices
3. Internal scan, procedures, physical security and devices
I know this question is somewhat difficult to answer, because there is
no correct answer, but any advice is welcome.
Cheers,
Chris
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php\?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
