Establishing a penetration testing budget is no more difficult than setting up a budget for car maintenance. With just a few pieces of information, setting a budget is simple.
A range of 0.25% to 2% of the company's Information Technology (IT) budget should go to the penetration test. The average IT budget in 2020 was 8.6% of the company's revenue. That works out to a budget range of 0.0215% to 0.172% of the company's total revenue for a penetration test. This range does have a hard lower limit. For example, if your business only has $350k in revenue, there is no $300 penetration test to be found.
Deciding on a Penetration Testing Budget
A range of 0.25% to 2% of the IT budget is a good rule of thumb, but don't let it prevent you from getting a quality penetration test.
This article uses the following definition of a penetration test, but understand that the ultimate goal of any penetration test is to penetrate from the outside (or inside) to an unauthorized part of the network and gain access to resources or data.
A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system [or network of computer systems], performed to evaluate the security of the system
Penetration test – Wikipedia
Public Service Announcement: Any penetration testing statement of work that does not include exploitation to penetrate into the network or systems is not a penetration test.
A budget needs to factor in the basic features a penetration test must have to fulfill its objectives. These basic features come with a cost.
- Skills: Penetration skills that don't include trashing the network being tested take a lot of time and effort to develop, maintain, and improve.
- Tools: There is a robust open-source community of free tools; however, there are still some essential professional tools penetration testing teams need.
- Effort: Penetration testing is methodical and takes a minimum amount of time and effort to be of any use. Asking for a 1-hour or 1-day penetration test to "keep the cost down" is not feasible.
All of this conspires to create floor prices based on the size of the cybersecurity firm. Unless you're a baller, do not expect to pay under these prices.
Firm Size | Expected Minimum $/week
--- | ---
Fewer than 10 employees | $3,800
10 to 30 employees | $5,500
More than 30 employees | $10,000
For the sake of this article, we will assume you have done a vulnerability scan. (You have done a vulnerability scan, right?) You've made some improvements to security and now you're ready to make a few more. If you want a solid penetration test covering all the bases (even if not at the luxury level), then get a penetration test that covers these two areas:
- External Penetration Test: Tests services exposed to the internet. This should include phishing, since it's the #1 way for hackers to gain a foothold on the network. Some testing firms separate the phishing test from the external test, which is one way to reduce the price.
- Internal Penetration Test: Tests what happens if/when a hacker does manage to get onto the network.
An example budget might look like this:
Slothful Math Training's revenue is $15 million with a total IT budget of about $1 million (~7%). They have been doing regular vulnerability scans and have made a few improvements to their cybersecurity. This is their first penetration test, and they want an external (with phishing) and an internal penetration test. They budget $15,000 (~1.6%) and anticipate going with a small firm to make sure they get both an external (with phishing) and an internal penetration test.
How Much Should I Pay for a Penetration Test?
Select a price at the intersection of your budget and a penetration testing firm's bid fees. A penetration test can range from $5,000 to $300,000 or more for a large enough company. If you are reading this article, there is a good chance you don't need to spend more than $100,000 for a penetration test. For small- to medium-sized businesses with revenue ranging from $1 million to $500 million, a penetration test in the $10,000 to $100,000 range is not out of bounds.
The following factors affect the price of any penetration test:
- Network complexity of target organization
- Penetration testing depth
- Penetration testing duration
- Size of the penetration testing firm. As the firm size grows so do the fees.
It's outside the scope of this article to explain how to select a cybersecurity firm to conduct the penetration testing, or to assess their quality or capabilities, and every firm will claim infinite knowledge and expertise. However, searching for cybersecurity firms, local and remote, will produce a long list of candidates. You will be able to find a short list of bids in the ballpark of your budget. After you get that list, find a way to compress it down to one.
Don't let a firm cow you into paying more than your budget. Stick to your guns (but be able to flex a little) and you will find a firm who will commit to providing the penetration test you want for the price you can pay (unless it's less than $4k, in which case your budget just isn't big enough).
What if the Penetration Test Budget is not Big Enough?
If enough money can't be budgeted for a decent penetration test, consider a vulnerability scan covering the external and internal portions of the network infrastructure. A vulnerability scan can be had for a couple thousand dollars (depending on network size) and is often all the cyber assessment needed for smaller companies (revenue under $1 million) to stay aware of their critical security issues, unless there are industry regulations at play, like Payment Card Industry (PCI), Health Industry (HIPAA), or Financial Industry (FINRA).
Is Penetration Testing Even Worth It?
Penetration testing is worth it if the desire is to find and fix problems before they get turned into hackable nuggets of pain for your business.
View a penetration test as a diagnostic. It roots through your network uncovering all the gross, pulsating pustules of poor user configuration, weak passwords, terrifying protocols, and remote code execution flaws ready to explode all over your business as ransomware or some other diabolical infection. A penetration test should uncover the technical aspects of the network waiting for a hacker to leverage and put the business in a position to act first.
If knowledge is power, penetration testing provides power.
If the objective is to understand the technical weaknesses of the infrastructure a hacker can leverage to give you a bad day, and then do something about it, then a penetration test is a valuable tool for diagnosing serious issues. A penetration test will provide information a vulnerability scan can never provide, such as combo attacks and the discovery of dangerous protocols enabled on the network.
If there is no plan to resolve the issues discovered, the best thing is to burn after reading and consume an antacid for the heartburn of wasting the money on the penetration test and now knowing every place the organization can suffer catastrophic failure. Or just don't get the penetration test, eat a steak, and repeat after me, "Ignorance is bliss."