Penetration testing duration and cost can vary significantly depending on multiple variables.
Scoping details such as network IP addresses, the complexity (and number) of applications, and the employees in scope for social engineering are key factors in determining project size. This depends on the tasks involved and their complexity. Accounting for these variables, our team works diligently to match the scope details with the security needs of your organization.
First, we conduct a scoping meeting with the customer. Then, based on factors such as the environment, applications, and overall requirements, we formulate and provide a cost estimate.
We do provide special price offerings to customers who engage us in multiple-year contracts, so that their organization both has a consistent pen-testing partner and can stretch the security budget further.
This depends on the various tasks and complexities related to the test. The duration of a penetration test depends on multiple variables, including the size of the organization and its requirements. Penetration testing is a hands-on process, not suited for short, quick sprints. In general, we tend to see projects lasting as little as a week, while more complex testing can last weeks and even months.
This depends on the size of your company and your business strategy. If you are a medium to large size company, you should schedule testing of your organization at least twice per year.
We understand that clients often have a deadline that they are trying to meet, either due to an audit or a regulatory push. Whether you are trying to meet a regularly scheduled requirement or need to provide pentest results to satisfy an audit deadline, we work with the client to meet their requirements and timelines. Unfortunately, manual penetration testing requires more time for planning and preparation by the assessment team. At times, factors such as the complexity of a customer's environment and scheduling may impact the start of a pen-test.
With that said, if you have an urgent project, feel free to contact us about timelines. Depending on needs and timelines, we may have the ability to pull resources off other internal activities and get started immediately.
Early in the process, we try to familiarize ourselves with your company and the scope of work so that we're able to create an accurate proposal. We intentionally gather this information so that we never come back requesting more testing time (and additional costs). The more information you're willing to share, the better the assessment we can deliver.
With that said, some clients may seek a black-box approach where little information is provided, simulating an actual real-world attack and response scenario. In this scenario, we still need to grasp the size and complexity of the testing, and therefore have some basic, fundamental questions for scoping.
A question we hear often is whether we can meet compliance requirements. While this certainly requires a deeper discussion, our testing is in compliance with multiple pen-testing compliance standards including PCI, HIPAA, SOC2, ISO/IEC 27001/02 and others. That said, each compliance standard is different and should be discussed before moving forward. Contact us for more details.