Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Pen-testing - pricing model

from [intel96] Network Security [Permanent Link]
Subject: Re: Pen-testing - pricing model
Date: Sun, 03 Dec 2006 13:30:36 -0500 
Stefano,

Yes, I agree that this is very difficult in most cases.   I recently had
to prove that I was better than other bidders jocking to do a global
pentest for a Fortune 1000.  The customer had no idea what the
differences were between a vulnerability test and a pentest.   First, I
had to educate the customer about security testing in general.  Second,
I had to provide the customer with strong references from other pentest
project.  Third, I had to explain why my pricing was up to 11 times
higher than other bidders.  Most of the other bidders were companies
that sell security software and one was a MSSP, who pricing for the
project was ZERO.   The MSSP was also bidding to obtain a 1 million
dollars managed services contract.  Fourth, the customer provide each
bidder a single IP to test.   I was the only one that correctly
identified the OS, web application and vulnerabilities on the system. 
Fifth, I had to provide a sample document, which I refused to do since
even a sample reports can be too detail.

I finally won the project, but only a piece of the overall project.  The
customer gave part to the MSSP who costs were nothing and the rest to
me, but only after I cut my pricing based on the new project details.

The biggest issue that I have in pricing projects today is with the
security software vendors and MSSPs that want to sell their wares to the
customer!!! BUT only after they do a vulnerability test or pentest for
FREE!!!!

Intel96




Stefano Zanero wrote:

And lastly  you should always be prepared to negotiate the pricing with
the customer.  The customer will always find someone cheaper and you
will have to prove why you are better for the extra cost.
    


This is very difficult if your customer does not have an exact idea of
what a pen-test is supposed to be.

What kind of proof would you suggest bringing to help a customer
understand the difference ?

Stefano


  



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re[2]: Generating awareness amongst IT staff, Roman Shirokov
Next by Date:  MS VPN, mjc001@juno.com
Previous by Thread:  Re: Pen-testing - pricing model, Ozan Ozkara
Next by Thread:  Re: Pen-testing - pricing model, Lee Lawson
Indexes:  [Date] [Thread] [Top] [All Lists]