We frequently hear from our clients about the disparity between pricing quotes from multiple vendors. Unfortunately, this often leaves clients lost, as they aren’t sure what a fair price for a quality engagement is. It can be frustrating, but the security assessment industry has yet to be normalized or transformed into commodity-style pricing. Read below to learn more about what factors cause pricing differences between similar engagements, so you can ensure you get exactly what you need.

1. Resource Quality

As with any profession, the more skilled a resource is, the more they cost, and it’s no different in the penetration testing community. With a staffing shortage in the security space, which has often been a news topic, it’s hard to find quality testers. Therefore, an abnormally cheap quote may indicate that the resources assigned to your engagement are inexperienced. This may be the best option if you aren’t looking for a thorough assessment and want to adhere to a compliance requirement. However, if you’re after a quality assessment to measure the security of your organization, then you may want to lean towards a more skilled and experienced vendor.

2. Package Pricing and Component Inclusions

With the pace of threat actors targeting organizations, many security assessment providers turn to package pricing to provide a more comprehensive engagement to their clients. Packaged pricing can be of great value, but it can make it challenging to fully understand what is involved in your project. This can take many forms, such as signing a multi-year agreement to get cheaper unit pricing or automatically including re-testing services. If you’re looking for additional services, check whether there is package pricing or a multi-year discount, or ask for ad-hoc component pricing. Some security vendors will charge for components such as re-testing even if you may not need them.

3. Brand or Popularity of Vendor

There are multiple tiers of security assessment vendors, and the situation compares well to the retail industry. For example, a famous and fashionable designer may charge a premium for their products even if the quality is similar to lesser-known brands. Similarly, highly popular or prominent vendors often charge more to cover their additional overhead costs and to create a feeling of exclusivity for their clients. Additionally, when a security vendor is very busy, they will increase their pricing because they need to bring in more resources or simply have the luxury of abundant clients. You can quickly notice this when you have high-end outliers among your incoming quotes.

4. Sales Representatives and Tactics

Often, a sales representative handles the pricing and sales process, which can introduce price adjustments based on multiple factors. For example, there could be a scoping or level-of-effort misunderstanding, as the sales representative isn’t the one completing the work. In addition, many organizations will make price adjustments based on your industry, non-profit status, revenue, and how large your organization is. For instance, a security firm may charge more to a large financial institution than to a small non-profit hospital.

Wrapping Up

When you are looking for a security assessment quote, these are the most impactful factors behind the variation in quotes a client may receive. Therefore, it’s essential to understand your goal and what you will ultimately be receiving. You can do this by ensuring that all parties understand the scope correctly, effectively communicating your purpose for the engagement, and reviewing that the resource quality level fits your target. At TCM Security, we strive to standardize our costs and take extra time to understand our clients’ goals to avoid much of this confusion.