Solved
Vulnerability assessment, how much should I charge?

Posted on 2016-11-17
Last Modified: 2016-11-18
Hello to all of you.
Next week I'm going to perform a vulnerability assessment (NO penetration test).
The scope of the assessment is to check the security status of 30 Windows client PCs running Windows 8.1 and 3 servers running Windows 2008 R2, all in an Active Directory environment.
I'm not going to perform any web application tests at the moment.
Finally, I will need to produce a report of the findings and actions to take.

The tools I'm going to use are:
1) Nipper (licensed) to check the configuration of hardware devices
2) Nessus (licensed) to perform the analysis and find vulnerabilities
3) Nmap

I'm planning to work 3 days max: 1 at the client, 2 for the report.
How much should I charge for this activity? Please consider that I've been working in the security field for several years, but always as an employee for several companies. Now I'm on my own.

Thank you
PS: I live in southern Europe, where salaries are lower than in the rest of Europe and the US.
Question by: carlettus

Accepted Solution by: btan (earned 2000 total points)
ID: 41891275
Maybe take a step back to see how the industry makes its charges to stay competitive.

Through consultancy firms, I have seen charges of around $1495 for a Vulnerability Assessment covering the below:
- off-site, non-exploitative test of up to 100 individual internal Internet Protocol (IP) addresses or nodes
- tools used include Metasploit, Nessus, & Retina (utilize subscription-based tools only, no reuse of VM, a 'new' VM from a clean template)
- performance of a single test at a time of choosing
- more frequent testing intervals for the same discounted price per occurrence
- within one to two weeks after signing the engagement letter
- issue a formal report covering the test (management report), as well as any recommendations regarding remediation; turnaround time for report delivery generally requires one to two weeks for QA purposes

Then people say, why not charge based on IP address and not man-days? It does not really make good sense to charge $X per IP address, as each IP address requires a different amount of work to test properly. There are also instances where one goes for the so-called Time Per Parameter (TPP). E.g. TPP is the amount of time that one will spend testing each parameter, which is either a service being provided by a network-connected device or a testable variable within a web application.

So for your case, you need to decide if you opt for man-days or time spent. Since you have only 3 days max, you may want to discuss with the customer to see how much time you spend in one day, as typically they will stay with you during office hours, and it may not be that full a day. You may encounter challenges such as a firewall not allowing certain segments, etc., so ideally the actual time really spent in testing the agreed scope will make sense and be more equitable to the site, as you are a dedicated person throughout the exercise. You can be paid per hour or as per the complexity of the testing. I don't have a magic figure, but you can reference the industry example that I shared and apportion it accordingly by the 3 days with respect to the one week. You probably can be cheaper, but I suggest you consider working within the budget of the site....
Author Closing Comment by: carlettus
ID: 41892587
Thanks for your message.
I'll ask 300 Euro/Day plus taxation then it should be around 450 Euro/Day for the client.
Bye
Carlettus

Expert Comment by: btan
ID: 41892712
Thanks for sharing. Good luck!