
Re: Pen-testing - pricing model

To: Stefano Zanero <s.zanero@securenetwork.it>
Subject: Re: Pen-testing - pricing model
From: intel96 <intel96@bellsouth.net>
Date: Sun, 03 Dec 2006 13:30:36 -0500
Cc: sami.ghourabi@icn.com.tn, pen-test@securityfocus.com, Chris Stromblad <chris@fragzone.se>
Delivered-to: sp-com-lists@consult.net
Delivered-to: pentest-list2@consult.net
Delivered-to: mailing list pen-test@securityfocus.com
Delivered-to: moderator for pen-test@securityfocus.com
In-reply-to: <4572B1C7.8050509@securenetwork.it>
List-help: <mailto:pen-test-help@securityfocus.com>
List-id: <pen-test.list-id.securityfocus.com>
List-post: <mailto:pen-test@securityfocus.com>
List-subscribe: <mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list: contact pen-test-help@securityfocus.com; run by ezmlm
References: <200612012113.kB1LDUrl026197@MailGateway.planettunisie.com> <4571921B.5050303@bellsouth.net> <4572B1C7.8050509@securenetwork.it>
Resent-date: Sun, 3 Dec 2006 12:52:44 -0700 (MST)
Resent-from: pen-test-return-1078483108@securityfocus.com
Resent-message-id: <20061203195244.E7E0023C91B@outgoing3.securityfocus.com>
Resent-sender: listbounce@securityfocus.com
Sender: listbounce@securityfocus.com
User-agent: Thunderbird 1.5.0.8 (Windows/20061025)
Stefano,

Yes, I agree that this is very difficult in most cases. I recently had
to prove that I was better than other bidders jockeying to do a global
pentest for a Fortune 1000. The customer had no idea what the
differences were between a vulnerability test and a pentest. First, I
had to educate the customer about security testing in general. Second,
I had to provide the customer with strong references from other pentest
projects. Third, I had to explain why my pricing was up to 11 times
higher than other bidders'. Most of the other bidders were companies
that sell security software, and one was an MSSP whose pricing for the
project was ZERO. The MSSP was also bidding to obtain a 1 million
dollar managed services contract. Fourth, the customer provided each
bidder a single IP to test. I was the only one that correctly
identified the OS, web application and vulnerabilities on the system.
Fifth, I had to provide a sample document, which I refused to do since
even a sample report can be too detailed.

I finally won the project, but only a piece of the overall project. The
customer gave part to the MSSP, whose costs were nothing, and the rest to
me, but only after I cut my pricing based on the new project details.

The biggest issue that I have in pricing projects today is with the
security software vendors and MSSPs that want to sell their wares to the
customer!!! BUT only after they do a vulnerability test or pentest for
FREE!!!!

Intel96




Stefano Zanero wrote:
>> And lastly  you should always be prepared to negotiate the pricing with
>> the customer.  The customer will always find someone cheaper and you
>> will have to prove why you are better for the extra cost.
>>     
>
> This is very difficult if your customer does not have an exact idea of
> what a pen-test is supposed to be.
>
> What kind of proof would you suggest bringing to help a customer
> understand the difference ?
>
> Stefano
>

