Solved

Vulnerability assessment, how much should I charge?

Posted on 2016-11-17
Last Modified: 2016-11-18
Hello to all of you.
Next week I'm going to perform a vulnerability assessment (NO penetration test).
The scope of the assessment is to check the security status of 30 Windows client PCs running Windows 8.1 and 3 servers running Windows 2008 R2, all in an Active Directory environment.
I'm not going to perform any web application tests at the moment.
Finally I will need to produce a report of the findings and actions to take.

The tools I'm going to use are:
1) nipper (licensed) to check the configuration of hardware devices
2) Nessus (licensed) to perform the analysis and find vulnerabilities
3) Nmap

I'm planning to work 3 days max: 1 at the client, 2 for the report.
How much should I charge for this activity? Please consider that I've been working in the security field for several years, but always as an employee for several companies. Now I'm on my own.

Thank you
PS: I live in southern Europe, where salaries are lower than in the rest of Europe and the US.
Question by:carlettus
Accepted Solution by btan (earned 500 total points), ID: 41891275
Maybe take a step back to see how the industry makes its charges to stay competitive.

Through consultancy firms, I have seen charges of around $1495 for a Vulnerability Assessment covering the below:
- off-site, non-exploitative test of up to 100 individual internal Internet Protocol (IP) addresses or nodes
- tools used include Metasploit, Nessus & Retina (utilize subscription-based tools only, no reuse of VM, a 'new' VM from a clean template)
- performance of a single test at a time of choosing
- more frequent testing intervals for the same discounted price per occurrence
- within one to two weeks after signing the engagement letter
- issue a formal report covering the test (management report), as well as any recommendations regarding remediation; turnaround time for report delivery generally requires one to two weeks for QA purposes

Then people say, why not charge based on IP address rather than mandays? It does not really make good sense to charge $X per IP address, as each IP address requires a different amount of work to test properly. There are also instances where one goes for the so-called Time Per Parameter (TPP). E.g. TPP is the amount of time that one will spend testing each parameter, which is either a service being provided by a network-connected device or a testable variable within a web application.

So for your case, you need to decide if you opt for mandays or time spent. Since you have only 3 days max, you may want to discuss with the customer how much time you will spend in one day, as typically they will stay with you during office hours, and it may not be a full day. You may encounter challenges such as a firewall not allowing access to certain segments, etc., so ideally the actual time really spent in testing the agreed scope will make sense and be more equitable to the site, as you are a dedicated person throughout the exercise. You can be paid per hour or as per the complexity of the testing. I don't have a magic figure, but you can reference the industry example that I shared and apportion it accordingly by the 3 days with respect to the one week. You probably can be cheaper, but I suggest you consider working within the budget of the site....
Author Closing Comment by carlettus, ID: 41892587
Thanks for your message.
I'll ask 300 Euro/day plus taxation, so it should be around 450 Euro/day for the client.
Bye
Carlettus
Expert Comment by btan, ID: 41892712
Thanks for sharing. Good luck!