
I’ve seen some companies charge very little ($2-$5k) for a pen test. How are you able to charge $350/hour for essentially the same work? Is there some pitch or playbook you’re using to justify the price for doing the same work?


A $5K pentest is just some guy running a couple of off-the-shelf, open source, or scriptkiddie tools and handing you the reports.

For $350/hr you get

- someone knowing which pentest tools to start with

- someone knowing how to follow up with more focused attention on problem areas and run additional tests

- someone analyzing the raw reports to understand the causes of the vulnerabilities

- a multi-page written formal report with interpretations and recommendations for mitigation, including cost/risk/benefit summaries.

Edit to add: in my experience the companies offering cheap pentests and handing you the logs are the ones that then say, "If you want to understand these logs and know what to do about them, you can contract with us at $VERY_HIGH_RATE."


I've seen a couple of the cheap pen tests by a few German companies. The whole thing looked like 1-2 days of work and the person doing it was doing the basic stuff, but it was definitely conducted by a knowledgeable person, and when problems were found reasonable suggestions were offered in the report. The apps were standard - frontend in Angular, backend in Spring Boot on Tomcat.

basic DoS, XSS, SQLi, token abuse, open ports with not-up-to-date services, generic vulnerability scanner, basic password brute forcing
