As a former employee of a penetration testing firm, and a current purchaser of such services, this is contrary to my expectations.
I expect any competent firm to be able, in an afternoon, to look at the overall documentation of the web site, chat with me for an hour or so, and come up with a multi-point threat model that will guide the testing. I expect to pay for the actual week or weeks that the team is actually testing the system, and that the report after is a day or two and part of the price.