Solved

Vulnerability assessment, how much should I charge?

Posted on 2016-11-17
Last Modified: 2016-11-18
Hello to all of you.
Next week I'm going to perform a vulnerability assessment (NO penetration test).
The scope of the assessment is to check the security status of 30 Windows client PCs running Windows 8.1 and 3 servers running Windows 2008 R2, all in an Active Directory environment.
I'm not going to perform any web application tests at the moment.
Finally, I will need to produce a report of the findings and actions to take.

The tools I'm going to use are:
1) Nipper (licensed) to check the configuration of hardware devices
2) Nessus (licensed) to perform the analysis and find vulnerabilities
3) Nmap

I'm planning to work 3 days max: 1 at the client, 2 for the report.
How much should I charge for this activity? Please consider that I've been working in the security field for several years, but always as an employee for several companies. Now I'm on my own.

Thank you
PS: I live in southern Europe, where salaries are lower than in the rest of Europe and the US.
Question by: carlettus

Accepted Solution by: btan (earned 500 total points)
ID: 41891275
Maybe take a step back to see how the industry sets its charges to stay competitive.

Through consultancy firms, I have seen charges of around $1495 for a Vulnerability Assessment covering the below:
- off-site, non-exploitative test of up to 100 individual internal Internet Protocol (IP) addresses or nodes
- tools used include Metasploit, Nessus & Retina (utilize subscription-based tools only, no reuse of VM, a 'new' VM from a clean template)
- performance of a single test at a time of choosing
- more frequent testing intervals for the same discounted price per occurrence
- within one to two weeks after signing the engagement letter
- issue a formal report covering the test (management report), as well as any recommendations regarding remediation; turnaround time for report delivery generally requires one to two weeks for QA purposes

Then people say, why not charge based on IP address and not man-days? It does not really make good sense to charge $X per IP address, as each IP address requires a different amount of work to test properly. There are also instances where one goes for the so-called Time Per Parameter (TPP). E.g. TPP is the amount of time that one will spend testing each parameter, which is either a service being provided by a network-connected device or a testable variable within a web application.

So for your case, you need to decide if you opt for man-days or time spent. Since you have only 3 days max, you may want to discuss with the customer how much time you spend in one day, as typically they will stay with you during office hours, and it may not be a full day. You may encounter challenges such as a firewall not allowing certain segments, etc., so ideally the actual time really spent testing the agreed scope will make sense and be more equitable to the site, as you are a dedicated person throughout the exercise. You can be paid per hour or as per the complexity of the testing. I don't have a magic figure, but you can reference the industry example that I shared and apportion it accordingly by the 3 days with respect to the one week. You probably can be cheaper, but I suggest you consider working within the budget of the site.

Author Closing Comment by: carlettus
ID: 41892587
Thanks for your message.
I'll ask 300 Euro/day plus taxation, so it should be around 450 Euro/day for the client.
Bye
Carlettus

Expert Comment by: btan
ID: 41892712
Thanks for sharing. Good luck !