How much to charge for a network security audit? (Penetration Testing)


This might sound unprofessional, but I was wondering if anyone knew what an ideal hourly rate would be for internal and external network security auditing?  I want to start marketing myself as a network security auditor for small/medium businesses in my state.  I am a Certified Ethical Hacker and Security+ certified.  I have about 4 years of network administration experience under my belt and honestly only about 1.5 years of hardcore IT security experience.  This is only a part time job while I finish college... I'll be active duty in the Air Force when I graduate next year.

Based on the size of the client's network, I plan to have my audits take from 10 to 40 hours of working time, average probably being around 20.

Thank you for your help!

P.S. My best guess for a rate right now is $120/hr.  Reasonable? Too high/low?   Thanks!
Rich Rumble (Security Samurai) commented:
I charge a flat fee, and start from the outside to the in. If I get in the network from the outside with no more than the IP address space or website name, I go to an hourly rate. If they simply want to know if they have unpatched boxes, unsecured records, unsecured wifi, and/or easily guessed passwords I charge an hourly rate of $115 (US) with a minimum 2 hour charge. If they want me to social engineer, physically enter, or test other security measures I use a flat fee again. Code review and remediation of code is a fee I sort of make up on the spot, depending on the size and scope of the flaws. Typically I provide more guidance than actual code corrections written myself.

There are also considerations for the size and scope of the pen audit that pertain to the pricing. Clients know they need a 3rd party audit or have been asked to get one, but they don't know what that might entail. There are several regulations and acts that recently have sprung up as hot items, such as SOX and HIPAA compliance and conformance.
There are also things you may note in your audit that the client doesn't know any better about, such as privacy laws that vary greatly from state to state; there are many corporations and small businesses that violate state laws without knowing the variances. So if you notice that everyone's SSN is posted to a very public place, such as a company IntraNet or some HR spreadsheet that is unprotected, check local laws and make the client aware of compliance or neglect. That's just an example.
wildblue7272 (Author) commented:
Thanks, rich... and congrats on being #1 in Security on EE.

Forgive me, but I'm going to wait and see if I get any more answers before I accept.

Thanks again!
Rich Rumble (Security Samurai) commented:
No problem, and thanks. I can wait for the points ;-)

Would either of you care to comment in this thread:

There are two things you have to think about: first of all the scope of the job (and the associated tasks), and then the kind of client you are offering your services to. And you have to think too about the deepness of the analysis; the deeper, the more expensive.
wildblue7272 (Author) commented:
Instead of taking that approach - or the flat fee approach - I believe it will be more effective to have a set hourly rate.  Therefore the desired scope and deepness of the job will automatically price itself since either factor will directly affect working time.

Thanks for the reply, though.  If you think my approach is flat out wrong, then please tell me :)
Rich Rumble (Security Samurai) commented:
There are quite a few things you can apply an hourly rate to, but other tasks you can't... how will the customer/client verify it took you 9hrs to penetrate into the site, or 5hrs to crack all the passwords etc... I charge the flat fee for single penetration and network mapping. I can sometimes create a better network diagram of the site than the client themselves. Once I get in it's basically reconnaissance after that. I document the steps it took to break in (not all the steps it took, as many don't work, just the ones that paid off) and then I attempt to map the network out from that host; if I need to move to other hosts to finish the map I get more written consent (if not consented to previously), after that I create a mitigation summary. When they want me looking at all hosts/offices/policies/procedures etc... then I go hourly as that can be verified. I penetrate remotely, then after that I come into the LAN and do the rest. Wifi is an easy entry point, and I fall back to that if the web/vpn/firewall don't let me in within a reasonable amount of time.
When you have tools that can help automate your audit, I tend to go with flat rates; when I have to put "human hours" into something like website code review, physical security, and network mapping I use an hourly rate. It does vary from job to job, but that's pretty much what I do, probably won't work for everybody.
Question has a verified solution.
