How much to charge for a network security audit? (Penetration Testing)

Posted on 2006-11-28
Last Modified: 2013-11-16

This might sound unprofessional, but I was wondering if anyone knew what an ideal hourly rate would be for internal and external network security auditing?  I want to start marketing myself as a network security auditor for small/medium businesses in my state.  I am a Certified Ethical Hacker and Security+ certified.  I have about 4 years of network administration experience under my belt and honestly only about 1.5 years of hardcore IT security experience.  This is only a part time job while I finish college... I'll be active duty in the Air Force when I graduate next year.

Based on the size of the client's network, I plan to have my audits take from 10 to 40 hours of working time, average probably being around 20.

Thank you for your help!

P.S. My best guess for a rate right now is $120/hr.  Reasonable? Too high/low?   Thanks!
Question by:wildblue7272
LVL 38

Accepted Solution

Rich Rumble earned 500 total points
ID: 18034097
I charge a flat fee, and start from the outside to the in. If I get in the network from the outside with no more than the IP address space or website name, I go to an hourly rate. If they simply want to know if they have unpatched boxes, unsecured records, unsecured wifi, and/or easily guessed passwords, I charge an hourly rate of $115 (US) with a minimum 2 hour charge. If they want me to social engineer, physically enter, or test other security measures, I use a flat fee again. Code review and remediation of code is a fee I sort of make up on the spot, depending on the size and scope of the flaws. Typically I provide more guidance than actual code corrections written myself.

There are also considerations for the size and scope of the pen audit that pertain to the pricing. Clients know they need a 3rd party audit or have been asked to get one, but they don't know what that might entail. There are several regulations and acts that recently have sprung up as hot items, such as SOX and HIPAA compliance and conformance.
There are also things you may note in your audit that the client doesn't know any better about, such as privacy laws that vary greatly from state to state; there are many corporations and small businesses that violate state laws without knowing the variances. So if you notice that everyone's SSN is posted to a very public place, such as a company intranet or some HR spreadsheet that is unprotected, check local laws and make the client aware of compliance or neglect. That's just an example.

Author Comment

ID: 18034141
Thanks, Rich... and congrats on being #1 in Security on EE.

Forgive me, but I'm going to wait and see if I get any more answers before I accept.

Thanks again!
LVL 38

Expert Comment

by:Rich Rumble
ID: 18034529
No problem, and thanks. I can wait for the points ;-)

LVL 79

Expert Comment

ID: 18035980
Would either of you care to comment in this thread:


Expert Comment

ID: 18038151
There are two things you have to think about: first of all the scope of the job (and the tasks associated with it), and then the kind of client you are offering your services to. You have to think about the depth of the analysis too; the deeper, the more expensive.

Author Comment

ID: 18039244
Instead of taking that approach - or the flat fee approach - I believe it will be more effective to have a set hourly rate.  Therefore the desired scope and depth of the job will automatically price itself, since either factor will directly affect working time.

Thanks for the reply, though.  If you think my approach is flat out wrong, then please tell me :)
LVL 38

Expert Comment

by:Rich Rumble
ID: 18039398
There are quite a few things you can apply an hourly rate to, but other tasks you can't... how will the customer/client verify it took you 9 hrs to penetrate into the site, or 5 hrs to crack all the passwords, etc.? I charge the flat fee for single penetration and network mapping. I can sometimes create a better network diagram of the site than the client themselves. Once I get in it's basically reconnaissance after that. I document the steps it took to break in (not all the steps it took, as many don't work, just the ones that paid off) and then I attempt to map the network out from that host; if I need to move to other hosts to finish the map I get more written consent (if not consented to previously), and after that I create a mitigation summary. When they want me looking at all hosts/offices/policies/procedures etc., then I go hourly, as that can be verified. I penetrate remotely, then after that I come into the LAN and do the rest. Wifi is an easy entry point, and I fall back to that if the web/VPN/firewall don't let me in within a reasonable amount of time.
When you have tools that can help automate your audit, I tend to go with flat rates; when I have to put "human hours" into something like website code review, physical security, and network mapping I use an hourly rate. It does vary from job to job, but that's pretty much what I do; it probably won't work for everybody.
