I have never seen a ROI analysis in a pentest report. How do you
perform such an analysis?
Kish Pent wrote:
Hello all, :)
I totally agree with carnevali davide, he's absolutely
right because pen-test pricing is based on man hours
put in for the work, not the goals or skills.
In the company I work, the pricing is usually decided
as follows.
1)Once the scope of the test is determined, the
standard pricing per hour for 8 hours a day is
determined.
2)The report is submitted in hard copy after the test
is over with ROI analysis to prove the time-value
trade off.
Regards
--- Davide Carnevali <carnevali@protechta.it> wrote:
Generally Pen Test should be a "time based"
activity.
You define targets, goals and TIME within achieve
these goals.
Once TIME is defined, with the client, you get the
price.
Skills are not part of the pricing model: skills
affect TIME and goals.
My 2 cents
Chris Stromblad ha scritto:
Hi list,
Those of you who work with this professionally,
what sort of pricing
model do you use? How do you assess what should be
charged for the test?
Considering the fact that there are many types of
pen-tests and all have
different scope. I'm having a hard time figuring
out if the prices that
has been given to me are reasonable.
Say I were to give you one of the following
scenarios, what would you
charge (roughly):
1. "Black box with shades of gray", 2 /24
networks, not all devices are
active. External scan.
2. Internal scan, only devices
3. Internal scan, procedures, physical security
and devices
I know this question is somewhat difficult to
answer, because there is
no correct answer, but any advice is welcome.
Cheers,
Chris
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download
Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
--
Davide Carnevali
CEO
Protechta - Information Security
OPST, CCSP
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/
e-mail: davide@protechta.it
Disclaimer: http://www.protechta.it/disclaimer
Kishore
Penetration Tester
Smart Security
17/1,Upstairs,Sarojini St,
T.Nagar , Chennai - 600 017
Phone: 91 98841 80767
____________________________________________________________________________________
Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail beta.
http://new.mail.yahoo.com
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
