How much to charge for a network security audit? (Penetration Testing)

Posted on 2006-11-28
Last Modified: 2013-11-16

This might sound unprofessional, but I was wondering if anyone knew what an ideal hourly rate would be for internal and external network security auditing?  I want to start marketing myself as a network security auditor for small/medium businesses in my state.  I am a Certified Ethical Hacker and Security+ certified.  I have about 4 years of network administration experience under my belt and honestly only about 1.5 years of hardcore IT security experience.  This is only a part time job while I finish college... I'll be active duty in the Air Force when I graduate next year.

Based on the size of the client's network, I plan to have my audits take from 10 to 40 hours of working time, average probably being around 20.

Thank you for your help!

P.S. My best guess for a rate right now is $120/hr.  Reasonable? Too high/low?   Thanks!
Question by:wildblue7272
LVL 38

Accepted Solution

Rich Rumble earned 500 total points
ID: 18034097
I charge a flat fee, and start from the outside to the in. If I get in the network from the outside with no more than the IP address space or website name, I go to an hourly rate. If they simply want to know if they have unpatched boxes, unsecured records, unsecured wifi, and/or easily guessed passwords, I charge an hourly rate of $115 (US) with a minimum 2 hour charge. If they want me to social engineer, physically enter, or test other security measures, I use a flat fee again. Code review and remediation of code is a fee I sort of make up on the spot, depending on the size and scope of the flaws. Typically I provide more guidance than actual code corrections written myself.

There are also considerations for the size and scope of the pen audit that pertain to the pricing. Clients know they need a 3rd party audit or have been asked to get one, but they don't know what that might entail. There are several regulations and acts that recently have sprung up as hot items, such as SOX and HIPAA compliance and conformance.
There are also things you may note in your audit that the client doesn't know any better about, such as privacy laws that vary greatly from state to state; there are many corporations and small businesses that violate state laws without knowing the variances. So if you notice that everyone's SSN is posted to a very public place, such as a company intranet or some HR spreadsheet that is unprotected, check local laws and make the client aware of compliance or neglect. That's just an example.

Author Comment

ID: 18034141
Thanks, rich... and congrats on being #1 in Security on EE.

Forgive me, but I'm going to wait and see if I get any more answers before I accept.

Thanks again!
LVL 38

Expert Comment

by:Rich Rumble
ID: 18034529
No problem, and thanks. I can wait for the points ;-)

LVL 79

Expert Comment

ID: 18035980
Would either of you care to comment in this thread:


Expert Comment

ID: 18038151
There are two things you have to think about: first of all the scope of the job (and the tasks associated with it), and then the kind of client you are offering your services to. And you have to think about the depth of the analysis too; the deeper, the more expensive.

Author Comment

ID: 18039244
Instead of taking that approach - or the flat fee approach - I believe it will be more effective to have a set hourly rate.  Therefore the desired scope and depth of the job will automatically price itself, since either factor will directly affect working time.

Thanks for the reply, though.  If you think my approach is flat out wrong, then please tell me :)
LVL 38

Expert Comment

by:Rich Rumble
ID: 18039398
There are quite a few things you can apply an hourly rate to, but other tasks you can't... how will the customer/client verify it took you 9 hrs to penetrate into the site, or 5 hrs to crack all the passwords, etc.? I charge the flat fee for single penetration and network mapping. I can sometimes create a better network diagram of the site than the client themselves. Once I get in, it's basically reconnaissance after that. I document the steps it took to break in (not all the steps it took, as many don't work, just the ones that paid off) and then I attempt to map the network out from that host; if I need to move to other hosts to finish the map, I get more written consent (if not consented to previously), and after that I create a mitigation summary. When they want me looking at all hosts/offices/policies/procedures etc., then I go hourly, as that can be verified. I penetrate remotely, then after that I come into the LAN and do the rest. Wifi is an easy entry point, and I fall back to that if the web/VPN/firewall don't let me in within a reasonable amount of time.
When you have tools that can help automate your audit, I tend to go with flat rates; when I have to put "human hours" into something like website code review, physical security, and network mapping, I use an hourly rate. It does vary from job to job, but that's pretty much what I do; it probably won't work for everybody.

