Penetration testing costs: A comprehensive guide

June 21st, 2023 Posted in Penetration Testing

In this guide to penetration testing costs, we explain why the quality of the service and the accreditations of the testers should take priority over the price tag when an organisation chooses a penetration testing provider. We also discuss the average cost you can expect to pay for penetration testing services in the UK.

In today’s digital landscape, with cyber threats around every corner, ensuring the security of your organisation’s sensitive data, and identifying the common vulnerabilities that a pen test could reveal, is paramount. One highly effective measure for bolstering your defence against potential breaches is, of course, penetration testing.

There are various rationales for carrying out a pen test. Some of them include regulatory compliance, raising awareness of how the organisation is being protected, understanding how the baseline security is defending the company and ensuring that new applications and changes to the environment do not expose the organisation to other risks. If you’re new to penetration testing, then our blog on what a pen test is and when to get one will help. 

However, in today’s economy, with the costs of running a business skyrocketing, organisations are prioritising other areas of the business over cyber security. As a result of cost-cutting considerations, we are seeing many organisations opt for the cheapest service option when procuring penetration testing. This is a risky move in today’s digital climate.

The dangers of budget penetration testing

Whilst businesses are, understandably, striving to minimise expenses, treating services such as penetration testing as a “nice-to-have” rather than an absolute necessity can prove detrimental to an organisation overall.

Simply opting for the most affordable option, without considering the quality, skillset, and approach of the team behind the pen testing service, often means a less thorough assessment with limited scoping. This may compromise the security of your systems, as significant vulnerabilities may be left undiscovered, and we don’t need to tell you the reputational, operational, and financial damage a cyber incident can cause an organisation.

Surely cheap penetration testing is better than none?  

Perhaps. But with this mindset also comes a false sense of security. As such, we advise clients to have board-level buy-in when it comes to cyber security, ensuring that board members and stakeholders have transparency over security improvement plans so they can be in agreement and budget accordingly. The Board should be kept up to date with all relevant information so that they are equipped to make good security decisions long term, such as making sure penetration testing is effective within the scope of the budget. 

If there is a lack of visibility or understanding from the top down, there is the potential for an assumption that the pen testing scope has covered everything, which may, in fact, not be the case. Fixing only the vulnerabilities identified through limited scoping and testing can still leave back doors open for threat actors to exploit, and many can go undetected for some time.

This point is further supported by Verizon’s Data Breach Investigations Report (DBIR), which is based on an analysis of more than 79,000 breaches in more than 80 countries worldwide. The report showed that around 60% of cyber incidents were discovered within days. However, a staggering 20% of incidents could take months or more before organisations realised something was wrong. As an example, a recent highly targeted cyber attack against an East Asian IT company was uncovered after the operation had been active for more than a year, with the end goal of compromising credentials and exfiltrating data.

Growing API (Application Programming Interface) threats

As API usage becomes increasingly ubiquitous in organisations’ daily operations and interconnected systems, not to mention their supply chains, it is easy to see the multitude of potential vulnerabilities for threat actors to take advantage of.

Gartner recently predicted that by 2024 the number of API-related incidents will be double that seen in 2022. This has proved true so far: throughout the start of 2023 we have seen a rise in API attacks across all industries. Some prominent headlines came from the automotive industry, with large-scale API attacks affecting companies such as Toyota and Hyundai.

The limited budgets and time constraints faced by stretched IT security teams make it difficult to effectively uncover vulnerabilities in APIs. To exacerbate the issue, security teams find themselves in the challenging position of securing their organisations’ infrastructure with finite resources. Add to this the ongoing scarcity of skilled cyber security personnel across the industry and you have a recipe for a cyber incident. With threat actors taking advantage of modern tools and innovative technology such as AI (Artificial Intelligence), the relentless onslaught of exploitation continues whilst security professionals grapple with internal operational issues.

Skills over bills: Choosing your penetration testing service providers

So, how do you know which security testing vendor to engage with? When choosing a penetration testing company, there are a few factors to consider. Using a CREST-accredited penetration testing service, like Evalian, means that the quality, technical capability, and skills of the consultants you have access to are of an internationally recognised high standard.

Using professional pen testers with the relevant skills and certifications means that considerable time and effort is put into assessing your systems and finding vulnerabilities, using the latest methodologies, tools, and expertise. Meticulous attention to detail is essential when it comes to penetration testing; the less you pay, the more limited the testing.

You will also be ensuring that the penetration testing report you receive is comprehensive and easy to understand, and that a member of the testing team is on hand to discuss anything you are unsure of. A bare list of all the vulnerabilities found during the exercise is unhelpful. A reputable pen test partner should not hand you a list of things to fix and send you on your way; they will be there to support you with any questions on the test findings and remediations, and many will offer a free retest of fixed vulnerabilities.

This level of detail and expertise comes at a cost, but it should be viewed as a long-term investment. Additionally, by establishing a good relationship with a penetration testing provider you can trust, you can be confident that the service you are getting is of high quality and that you have full transparency over the provider’s methodology and best practice.

Evalian recently supported Ningi with their penetration testing requirements, and they found the pen test reporting process extremely helpful:

“The penetration testing report was comprehensive, I’m not a tech expert by any means but it was easily digestible, and I was able to understand it. Our tech team were able to digest the report, break it down, make tickets, and create actions and didn’t need further meetings to go back for clarification which shows how effective the report was.” – Jym Brown, Ningi 

The multi-faceted nature of pen testing

Just as all organisations are unique, so too are their cyber security requirements. Pen testing is not a one-size-fits-all, and the costs associated with it can vary based on several factors, so it is vital to understand the multi-faceted nature of the testing process.  

Several factors can affect the cost of penetration testing. Considerations should include the types of penetration tests required (e.g. whether you need white box testing or black box testing), as well as:

  • The complexity and size of your infrastructure
  • The testing methodology needed 
  • Depth of reporting required 
  • On-site or off-site testing
  • Manual vs automated (having both gives you the most accurate assessment, and reputable pen test firms will always supplement any automated work with manual testing).

A good penetration testing process can be divided into six stages: pre-engagement interaction; reconnaissance, or OSINT (Open-Source Intelligence); vulnerability identification; exploitation; analysis and recommendation; and reporting.

By understanding these factors, you can make an informed decision on the budget required to address your needs. You need to think about the number of days needed to test, and whether you need an on-site test. Most pen tests can be performed off-site through network security testing, but if you require on-site testing of internal networks and systems, then you need to consider the additional cost of travel for a tester to reach your site, and whether that includes accommodation for any overnight stays involved.

After these questions are answered, or at the very least thought about, you can engage with a pen testing provider, armed with the knowledge to ensure you are getting the best service possible and able to confidently scope your pen test. 

Other considerations include the type of penetration test you require, whether it is a website, a web application, a mobile application, or external or internal infrastructure. Many reputable pen testing providers will also offer some form of social engineering service, such as phishing assessments. This type of assessment and/or employee training can be extremely beneficial in the long term, ensuring your first line of defence (your employees!) have a good awareness of phishing techniques and know what processes to follow should they fall victim to a scam.

So, let’s get to the main question…

How much does a pen test cost in the UK?

At the risk of being annoying, we can probably answer this with “How long is a piece of string?” The cost of hiring an external penetration testing team can vary widely depending on the factors we previously discussed. But as a rule of thumb, it is safe to say that the higher the testing cost, the more comprehensive the test.

Penetration testing providers can charge anywhere between £600 and over £3000 per day. There will undoubtedly be some organisations that offer a lower price than others, but tread carefully and do your research beforehand: there is a risk that they are solely selling automated vulnerability scanning and not offering the full, detailed assessment that manual penetration testing provides.

But how can you be sure what they are offering is reasonable? As with any supplier onboarding, make sure you shop around, collect information on each potential vendor, check credentials and find evidence of reviews and case studies. Gather penetration test quotes, discuss your requirements in full, and make sure you understand the full cost of their penetration testing services, so you have no surprises during or after the assessment. If in doubt, ask. 

Quality = assurance

By prioritising quality over the cost of a penetration testing service, you can rest assured that your organisation is getting a fully comprehensive assessment of its security posture. Although costs are, of course, one of the integral factors of running a business, affordability should not be the driving force in your decision-making when it comes to cyber security.  

Furthermore, regular, comprehensive penetration testing can also help with your compliance obligations. Although not a mandatory requirement of ISO 27001:2022, penetration testing does help in satisfying control 8.8, Management of Technical Vulnerabilities, which requires you to obtain information about weaknesses and take appropriate measures.

Think of the process as an opportunity to invest in the long-term security of your business. By taking a proactive approach and setting a good budget for services such as penetration testing, you can ensure you are getting the expertise necessary to safeguard your assets and mitigate cyber threats. One might say that is priceless.  

Want to take a deeper dive into pen testing? Download your free Guide to Penetration Testing

Want to know more about our penetration testing costs?

Our comprehensive penetration testing service includes expertise from our skilled CREST (Council for Registered Ethical Security Testers) accredited penetration testers. We include a detailed report and free retest of remediated issues with support and a wash-up call. If you’d like to discuss your pen testing requirements, get advice on the type of testing you need, or simply want a free and fast quote, contact our friendly team today: 

Image by macrovector on Freepik

Written by Evalian®