How much to charge for a network security audit? (Penetration Testing)

Posted on 2006-11-28
Medium Priority
Last Modified: 2013-11-16

This might sound unprofessional, but I was wondering if anyone knew what an ideal hourly rate would be for internal and external network security auditing?  I want to start marketing myself as a network security auditor for small/medium businesses in my state.  I am a Certified Ethical Hacker and Security+ certified.  I have about 4 years of network administration experience under my belt and honestly only about 1.5 years of hardcore IT security experience.  This is only a part time job while I finish college... I'll be active duty in the Air Force when I graduate next year.

Based on the size of the client's network, I plan to have my audits take from 10 to 40 hours of working time, average probably being around 20.

Thank you for your help!

P.S. My best guess for a rate right now is $120/hr.  Reasonable? Too high/low?   Thanks!
Question by: wildblue7272

Accepted Solution

Rich Rumble earned 2000 total points
ID: 18034097
I charge a flat fee, and start from the outside in. If I get into the network from the outside with no more than the IP address space or website name, I go to an hourly rate. If they simply want to know whether they have unpatched boxes, unsecured records, unsecured wifi, and/or easily guessed passwords, I charge an hourly rate of $115 (US) with a minimum 2 hour charge. If they want me to social engineer, physically enter, or test other security measures, I use a flat fee again. Code review and remediation of code is a fee I sort of make up on the spot, depending on the size and scope of the flaws. Typically I provide more guidance than actual code corrections written myself.

There are also considerations for the size and scope of the pen audit that pertain to the pricing. Clients know they need a 3rd party audit or have been asked to get one, but they don't know what that might entail. There are several regulations and acts that recently have sprung up as hot items, such as SOX and HIPAA compliance and conformance.
There are also things you may note in your audit that the client doesn't know any better about, such as privacy laws that vary greatly from state to state; there are many corporations and small businesses that violate state laws without knowing the variances. So if you notice that everyone's SSN is posted in a very public place, such as a company intranet or some unprotected HR spreadsheet, check local laws and make the client aware of compliance or neglect. That's just an example.

Author Comment

ID: 18034141
Thanks, rich... and congrats on being #1 in Security on EE.

Forgive me, but I'm going to wait and see if I get any more answers before I accept.

Thanks again!

Expert Comment

by:Rich Rumble
ID: 18034529
No problem, and thanks. I can wait for the points ;-)


Expert Comment

ID: 18035980
Would either of you care to comment in this thread:


Expert Comment

ID: 18038151
There are two things you have to think about: first of all the scope of the job (and the tasks associated with it), and then the kind of client you are offering your services to. And you have to think about the depth of the analysis too; the deeper, the more expensive.

Author Comment

ID: 18039244
Instead of taking that approach - or the flat fee approach - I believe it will be more effective to have a set hourly rate.  Therefore the desired scope and depth of the job will automatically price itself, since either factor will directly affect working time.

Thanks for the reply, though.  If you think my approach is flat out wrong, then please tell me :)

Expert Comment

by:Rich Rumble
ID: 18039398
There are quite a few things you can apply an hourly rate to, but other tasks you can't... how will the customer/client verify it took you 9 hrs to penetrate the site, or 5 hrs to crack all the passwords, etc.? I charge the flat fee for single penetration and network mapping. I can sometimes create a better network diagram of the site than the client themselves. Once I get in, it's basically reconnaissance after that. I document the steps it took to break in (not all the steps I tried, as many don't work, just the ones that paid off) and then I attempt to map the network out from that host; if I need to move to other hosts to finish the map, I get more written consent (if not consented to previously). After that I create a mitigation summary. When they want me looking at all hosts/offices/policies/procedures, etc., then I go hourly, as that can be verified. I penetrate remotely, then after that I come into the LAN and do the rest. Wifi is an easy entry point, and I fall back to that if the web/VPN/firewall don't let me in within a reasonable amount of time.
When you have tools that can help automate your audit, I tend to go with flat rates; when I have to put "human hours" into something like website code review, physical security, and network mapping, I use an hourly rate. It does vary from job to job, but that's pretty much what I do. It probably won't work for everybody.
