penetration test

zc2 (asker):
Could you recommend an affordable service which would perform a penetration test against a web site and then create a comprehensive report document?
I searched the internet and only found tools I could use to find holes/make sure there are no holes. But we need to pass a clear penetration test report to our client as required by the contract.
btan:

This directory has a list of CREST accredited companies which should typically fulfil the PT requirements. Examples include Pulse security, Resolvo system, but depending on your region, it is best that you engage the companies further to understand the services.

https://www.crest-approved.org/accredited-companies/members-providing-penetration-testing/index.html
David Favor:

You can hire a company + a good first step is to set up all the many public domain tools on a LAMP server + do continuous PEN testing of all your machines + sites for free.

You can use services + they can only report their testing during a given time + can be very expensive.

Likely most or all of these services simply setup all the many free PEN testing tools available to implement their testing.

Even if you're required by law or your niche's licensing requirements to use a certified PEN testing service, still good to do your own continuous PEN testing.
btan:

Can also look at the PT professional services published by the govt authorities such as NCSC (UK) - a total of 41 as of current writing. They are CREST certified and capable of conducting CHECK.
https://www.ncsc.gov.uk/index/professional-service?f[0]=field_assurance_scheme%3A213&f[1]=field_assurance_status%3AAssured

Just to share a bit of background - The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to Government in line with Her Majesty's Government (HMG) policy. Companies belonging to CHECK are measured against high standards set by the NCSC. The NCSC and CREST work in collaboration to provide a set of examinations that are acceptable to industry and meet the requirements of private and public sectors.
zc2 (asker):

@btan, Thank you for the info. As I understand from your explanation, there is no such thing as a certified and affordable pentest service?
I visited some links from the CREST list and no one even publishes a price for the service, so I expect they are expensive?
We need a pentest report; if it costs more than the project budget, it makes no sense to use it.
BTW, both we and our client are located in the US, so the UK list may not be what we need.

@David Favor, sometimes I do use some tools like metasploit, sqlmap, etc. to check whether there are any vulnerabilities in our sites (not continuously though), but in this case we need a professionally created report, which is something different.
Is there a specific reason/part that you want to focus on in the testing? For the most part pen testing is expensive because someone has to manually review any scan results and do additional custom testing, which can get expensive. These are usually split up into application based testing or network level testing.

There is also PCI testing which is a bit more common. This usually does a basic scan and gives you a report and certificate on whether you passed or not. There are different levels of PCI compliance, some that require a full pen test and others that do more of a vulnerability scan. This is more of the industry accepted standard and will likely carry a bit more weight and have a more standard type of report. This is usually more necessary when you are handling any type of payment processing.
zc2 (asker):

The reason, as I explained before - to provide a pentest report to our client for whom we are developing a data processing web site. This was his requirement. The site does not involve any payment processing.
ASKER CERTIFIED SOLUTION
Anthony Garcia
(This solution is only available to members of Experts Exchange.)

btan:
The security test cost is a small price to pay to safeguard your data and systems.

Application testing. Web applications are quite complex. In most cases, the pen testing price can start from $2,000. The final decision will depend on the number of roles in the application and the aim of the testing.

Network penetration testing cost depends on those factors as well. Some of the companies provide a fixed price, and that will usually include a fixed list of services available. The pricing for a network pen test starts at $4,000. Anything below that price is very unlikely to be quality testing.

Actually the pricing is not as expensive if you consider that non-compliant (e.g. with PCI) companies can end up paying a fine of $5,000 - $100,000.

Besides that, the cost of penetration testing can go up if any additional or specific tools are required. While some of the tools might be free, the person using them needs special certification, especially for compliance, to show verifiable proof that it is conducted by qualified professionals. Some of the tools might be quite pricey as well (for example, the Burp Suite paid version costs $349 per user). The price for certification may vary from about $349 (CompTIA) up to around $6,210 (SANS).

As the expert has shared, you can expect the average cost of a penetration test to vary from $4,000 to $100,000. Ultimately, the price to pay for non-compliance or a security incident due to oversight is greater compared to the regular health test report that you receive.

Remember that getting the report is just the beginning: all gaps and findings must be addressed, and any major changes made to the system should undergo such testing to assure its security posture is intact.
zc2 (asker):

@btan, thank you for such detailed explanations.
What you are saying makes a lot of sense, since I understand that a high quality grade pentest requires the participation of a very skilled person.
But I believe that affordable, lower-quality pentest services also exist, since there is at least one provider:
https://www.ibm.com/us-en/marketplace/application-security-on-cloud/purchase#product-header-top
We just want to see if there are any others similar to choose from.
Like I said before, the cost of obtaining such a report is very important. If it is greater than the project's budget, it would not make sense to spend money on it.
SOLUTION
(This solution is only available to members of Experts Exchange.)