Mary Braunwarth

Mary Braunwarth is a trusted advisor working with Fortune® 500 organizations on decreasing their operational risk while increasing their security posture. Mary focuses on improving her clients’ security maturity by scaling and operationalizing their security testing and vulnerability management programs. Prior to NetSPI, Mary held leadership positions at Digital River and Rackspace and has multiple patents for digital marketing and asset management technologies.
More by Mary Braunwarth

Six Reasons Why Vulnerabilities are Increasing, Despite Greater Cybersecurity Investments
Published November 1, 2022

At NetSPI we are often asked, “Will our cybersecurity spend plateau or decrease?” or “Our security testing quantity and frequency continues to rise year over year, shouldn’t our vulnerabilities findings decrease over time?” – or a variation of these questions.

Many assume that, over time, operational scale and efficiencies will produce this result. We do not expect to see that correlation in the foreseeable future.

If you look at the macro numbers, we are in a never-ending race against sophisticated adversaries, and organizational attack surfaces are growing exponentially. As companies continue to grow, innovate, acquire, divest, and hire, the threat landscape evolves at the same rate – or faster.

Vulnerabilities, cybersecurity spending, and threats are all on the rise.

According to the NIST National Vulnerability Database, the annual vulnerability count historically fluctuated until 2017, when there was a massive spike in total vulnerabilities. Since then, vulnerabilities have steadily increased year-over-year and are on track to trend upward through the remainder of 2022.

Data also shows that high and critical vulnerabilities decreased slightly in 2021. However, the most critical vulnerability category is not included in this data and would change the picture drastically: people. According to a study by IBM, human error is the primary cause of 95 percent of cybersecurity breaches.

At the same time, cybersecurity remains a budgetary priority and spending continues to increase industry wide. Gartner predicts end-user spending in the information security and risk management market to grow at a compound annual growth rate (CAGR) of 11 percent through 2026.

Adversaries are no longer limited to individual actors; they include highly sophisticated organizations that leverage integrated tooling along with artificial intelligence and machine learning. As sophistication increases, so does activity. McKinsey & Company saw an exponential increase in the number and types of threats over the past decade, and additional reports over the past few years have validated this: phishing increased 220 percent at the onset of COVID-19; governments and healthcare organizations worldwide saw increases in ransomware attacks of 1,885 percent and 755 percent, respectively; three in five companies were targeted by supply chain attacks in 2021; and the list goes on.

Traditional penetration testing is compliance-driven, and most compliance frameworks are two to five years behind current threat vectors. By evolving from compliance-driven to risk- and compliance-driven testing, enterprises will identify more critical risks and vulnerabilities, but this does come at an increased cost.

It is highly unlikely that vulnerabilities will decrease year-over-year based on your security testing investments alone.

It is important to understand that penetration testing does not directly reduce vulnerabilities; it identifies exposures and security issues. Reducing vulnerabilities requires fingers on a keyboard: changing application code, reconfiguring an operating system, updating device configurations, and similar work. The number of vulnerabilities can also be affected by external factors that organizations cannot control.

Let’s explore six core factors, beyond security testing investments, that contribute to the increasing number of vulnerability findings organizations globally are observing today.

Factor | Examples/Context
New Attack Vectors and Increasing Sophistication
  • The volume of vulnerabilities is directly related to the increase in volume of attackers.
  • Threat actors are no longer just individuals; many are well-funded, enterprise-scale organizations that can develop new capabilities faster than ever before. Even our most sophisticated cyber controls, policies, and regulations risk becoming obsolete quickly.
  • Criminal enterprises have discovered that attacks like Ransomware can be very profitable. As a result, more than ever they are focusing on developing and advancing those capabilities.
  • 99 percent of codebases contain at least one open-source component. Organizations do have control over where and how open-source code is used, but ubiquitous components can open the floodgates to future vulnerabilities, and the severity of this risk is highly variable (e.g., Log4j).
  • Supply-chain and third-party compromises have led to some of the largest breaches (e.g., SolarWinds, Kaseya, Kronos, and SaaS providers). The supply chain continues to expand with new features and functionality that insert the potential for additional vulnerabilities. The quality of a third party's talent, business decisions, and priorities directly affects the number of vulnerabilities it could introduce to your organization.
Adoption of New Technologies
  • The volume of vulnerabilities is directly related to the adoption of new technologies.
  • The adoption of new technologies offers many advantages from a business perspective. But with new technologies comes new risks that may not be fully understood by the groups implementing them. For example, cloud technologies today represent a very wide and deep attack surface that is still not fully understood by much of the security community. Technology helps organizations innovate, but as you layer more systems onto your IT networks to enable business growth, new vulnerabilities may arise.
  • Organizations are seeing a substantial increase in the number of apps in use. On average, companies have 254 SaaS applications, 56 percent of which are managed outside of IT (shadow IT).
Infrastructure and Development Practices
  • An agile development lifecycle pushes small increments of code into production. Security testing policies are often triggered only by large releases, so these small increments ship without a test; over time they add up, and we have seen organizations discover more critical and high vulnerabilities in production as a result.
  • Legacy code and systems add complexity and cause exceptions that further increase an organization’s risk.
  • System integrations are far more prevalent than before (vertical integrations that create silos, horizontal integrations through an enterprise service bus, and point-to-point or star integrations). In addition, organizations continue to increase their dependency on third parties for development.
  • Digital transformation can change an organization's infrastructure and IT footprint drastically. A common example of this is cloud migrations.
  • Lack of collaboration between development and security teams: security is not always at the table during application design.
Organizational Change
  • Major business changes across organizations may bring new vulnerabilities. Changes could include mergers, acquisitions, divestments, or eradication of legacy apps/systems.
  • Historically, security was not mature enough to be part of the change. This mindset has changed, and budgets may need to be realigned to efficiently mitigate risk.
  • Access changes continue to evolve (e.g. work-from-home – as companies shifted, cyber-attacks increased by 20 percent). Mobile platforms, remote work, and other shifts increasingly hinge on high-speed access to ubiquitous and large data sets, exacerbating the likelihood of a breach.
  • Organizational change brings new attack surfaces, such as cloud migrations and shadow IT. We are also seeing significant changes to the existing attack surface in the form of new systems and applications.
Talent Shortage
  • The talent shortage amplifies all of the preexisting factors above.
  • Many organizations lack sufficient cybersecurity talent, knowledge, and expertise, and the shortfall is growing. The number of unfilled cybersecurity positions globally grew by 350 percent over the past eight years; in 2021, a survey reported 3.5 million unfilled roles. The software developer talent shortage is also concerning: by 2030, the number of software jobs is projected to rise by almost 22 percent, and the software engineer shortage in the U.S. is expected to reach 1.2 million by 2026, according to the Bureau of Labor Statistics.
  • Secure coding expertise in developers is highly variable.
  • Outsourcing development vs. in-house development can influence the number of vulnerabilities found in your software. Organizations generally have more visibility and control over in-house development practices.
  • With the talent shortage come burnout, insufficient training, employee turnover, and difficulty keeping pace with workloads, all of which can influence vulnerability counts through recurring vulnerabilities, unpatched issues, and a higher likelihood of error.
Evolving Testing Approaches and Technologies
  • Pentesting is time-boxed, so breadth and depth are limited compared to an adversary that has unlimited time to achieve its objective. We must continue embracing technology as our force multiplier.
  • Shifting left is a great practice to catch vulnerabilities earlier in the SDLC, however, this methodology can alter the number of vulnerabilities that are found based on how far left your organization is testing and at what depth – and is dependent on the quality of the code output.
  • Changes in the capabilities, depth of access, and reporting output of automated testing tools also matter. As testing technology advances, it uncovers more paths for testers to manually discover critical vulnerabilities.
Source: NetSPI blog, https://www.netspi.com/?p=28769 (published 2022-11-01, last modified 2023-05-18).

How Much Does a Penetration Test Cost?
Published September 7, 2022

How much does penetration testing cost? Short answer: It depends.

At its core, penetration testing services enable IT and security teams to demonstrate the efficacy of existing security controls and improve the security of networks, applications, cloud, and even physical locations. This is done by simulating the actions of a skilled threat actor to discover key areas of insecurity.

The cost of a penetration test can differ based on several variables – from pentesting methodology to the complexity of the target.

Ultimately, it begins with the requirements of each organization and the key objectives you hope to get out of your pentesting results. Common penetration testing goals and objectives include: 

  • Complying with security testing requirements from a third-party authority, such as the HIPAA Security Rule, PCI Security Standards, or industry regulators (e.g., OCC, FDIC, FRB, state bank regulators such as NYDFS).
  • Hardening application security prior to deployment.
  • Managing code change.
  • Validating and benchmarking existing security controls.
  • Supporting internal IT, development, and security teams.
  • Reducing incidents and breaches.

Knowing which variables impact the cost of a penetration test will allow you to strategically allocate budget based on your cybersecurity program objectives, your organization’s risk tolerance, and compliance and regulatory requirements. My goal is to help you better understand the cost components to ensure you’re paying only for what you need. Interested in learning how to optimize your penetration testing budget? Read our guide.

As you evaluate your cybersecurity budget for next year, keep these six core components in mind.

1. The Complexity of the Penetration Test Environment

It's important to consider the criticality of the environment. One with a high level of risk or critical business impact (your “crown jewels”) can cost more to test due to urgency, the number of people it affects, and its role in day-to-day business operations.

Will the test require overnight testing or extensive travel? Ensure you budget for these nuances.

Multiple types of penetration testing services exist. There's network pentesting, application pentesting, and cloud pentesting, as well as red team operations, to name a few. The time, effort, and resources required for each test may differ based on the complexity of the environment and the size of the attack surface. Here are a few examples of how complexity can influence cost: 

Application Penetration Testing

A two-page application with one user role is less expensive to test than an application with multiple user roles and varying levels of access. Some components that contribute to the complexity of the app include: 

  • Production vs. non-production applications
  • Number of dynamic and static pages (or screens)
  • Number of unique API requests serving content
  • Number of endpoints
  • Number of user roles, type of role, and their levels of access

Cloud Penetration Testing

The complexity of a cloud pentest depends on how the cloud is configured in your organization, the assets stored in it, and the number of people who use it. Other elements include:

  • Type of testing required (internal testing, external testing, or configuration review)
  • Cloud architecture (AWS, Azure, or Google Cloud)
  • Number of systems and services on the cloud
  • Number of tenants or business units  

Social Engineering Penetration Testing

These security exercises assess a company’s ability to identify and respond to real-world attack and breach scenarios in real-time. The level of complexity varies based on the type of assessment. With social engineering, assessments can range from an email phishing campaign to a full-blown on-site physical pentest. Other considerations include:

  • Automation vs. human-led assessments   
  • Time box  
  • Number of pre-defined targets  

2. Regulatory Compliance

Compliance requirements vary across industries, geographies, and more.

Pentest requirements in the payment card industry differ from those for healthcare and financial institutions, which are governed by PCI DSS, HIPAA, and regulators such as FINRA, respectively. Highly regulated industries such as banking and healthcare require more in-depth and frequent pentests, while industries such as technology, higher education, and nonprofits demand less extensive pentests due to fewer regulatory requirements. Geography can also influence the depth of security activities required by your local, state, and federal laws.

Additionally, customized reporting for your compliance requirements warrants additional time and dedication from your team, which can also increase the cost of a pentest.

While compliance may be a core objective for your organization's pentesting program, at NetSPI, we encourage a risk-based approach to security. You can learn more about this in the SC Media article I wrote, Rethink Your Cybersecurity Resiliency Using a Risk-based Strategy.

3. Penetration Testing Methodology

Pentesting companies and internal teams develop their own penetration testing methodologies, but many are derived from three globally recognized sources: OWASP (the Web Security Testing Guide), NIST (SP 800-115), and MITRE ATT&CK.

These frameworks serve as a great resource due to their adaptability and level of standardization over the years.

With these frameworks as a baseline, some vendors rely entirely on automated pentesting, others manual. Others take a hybrid approach. Automated pentests yield results quickly and are typically inexpensive, but they cannot detect all security vulnerabilities or chain together low-risk vulnerabilities to identify areas of weakness. They simply aggregate surface-level data, which can check the box for some organizations.

A manual pentest on the other hand can yield detailed, critical-level results and explanations but is lengthy and relies heavily on the tester assigned to your project. Each has its pros and cons, but the most strategic and cost-effective pentests utilize both.

NetSPI uses a team-based approach supported by our Resolve™ Penetration Testing as a Service (PTaaS) platform. We combine automated pentesting and manual pentesting to deliver the highest quality vulnerability findings efficiently and consistently.  

4. Pentest Depth and Breadth

Manual pentesting can drive up costs but provides the greatest value: uncovering business critical vulnerabilities that tools cannot. If a vendor quotes you lower than the average pentest cost of other vendors, I recommend exploring their methodology deeper to understand the depth and breadth of the pentest.  

It all comes down to the depth and breadth of the checklist, methodology, and tenure of the pentester – the insights and perspectives that have been brought into that methodology and approach.   

A word of advice? Any pentest on a medium-sized application with multiple user roles listed at $4,000 is probably not a true penetration test.   

Alternatively, consider a source code assisted penetration test. A source code assisted penetration test offers many benefits:  

  • More thorough results  
  • More comprehensive testing  
  • More vulnerabilities discovered  
  • No added cost   
  • Much more specific remediation guidance for identified vulnerabilities   

5. Remediation Testing  

Paying a third-party for remediation testing will cost more, but the value of retesting typically outweighs the cost. With it, you gain peace of mind that the remediation steps taken were effective and that the vulnerability does not persist. Additional remediation-related tasks that may drive costs up include in-depth remediation support and guidance.   

The number of vulnerabilities being retested following remediation directly affects the penetration test cost. A word of caution: some vendors automatically bundle remediation into their pricing model for all vulnerabilities. Often, this level of remediation testing is unnecessary, given many organizations balance testing between internal and external teams. You shouldn’t be charged for something you don’t need.  

Some firms, like NetSPI, have transitioned to a "pay for only what you need" a la carte approach which significantly reduces costs and ensures you do not overpay for remediation testing. You only pay for the number of vulnerabilities you need retested. If you have an in-house team validating vulnerabilities, you won't get charged for this extra step. Or, if you uncover only a few critical vulnerabilities, you can choose to only retest and validate that the issues that pose the greatest risk to your business were resolved.   

6. Quality and Expertise of Pentesters  

When you pay for a penetration test, you pay for the quality and expertise of your pentesters.   

Consider working with teams that hold industry standard certifications. For example, CREST-certified penetration testing companies are known to demonstrate competency and consistency in their services. You can learn about other valuable certifications in this CSO article, 8 Top Penetration Testing Certifications Employers Value, including:  

  • Offensive Security Certified Professional (OSCP)  
  • Offensive Security Wireless Professional (OSWP)  
  • EC-Council Certified Ethical Hacker (CEH)  
  • SANS offensive security courses 

Certifications alone are not enough. As in any field, proven hands-on experience is invaluable. An experienced partner should be familiar with the scope and type of assessment and should have experience testing organizations of similar size and industry. Less experienced or less established partners may charge less.

This factor also directly correlates with the complexity of the environment being tested. Complex environments – mainframe, IoT, etc. – require more experienced pentesters.  

It’s important to note that choosing a penetration testing partner backed by years of experience and equipped with the necessary tools for the engagement can save you money in the long run. Experienced, quality pentesters can identify critical security vulnerabilities that others miss.  

One Size Pentest Does Not Fit All  

So, how much does a penetration test cost? It depends.

The six factors above play a critical role in how your costs will change and the results you receive. Use these as a baseline to help you identify a solution and partner that fits your organizational priorities and cybersecurity budget.  

As you evaluate your testing program and budget, you’ll quickly find many providers in the space. Beyond the factors that influence the average cost of a pentest, here are five criteria to help you choose a penetration testing partner:

  • Select an agile team. They're always improving their processes to meet the ever-changing needs of the business.   
  • Look for consistency: They should also have a consistent and standardized methodology built around the delivery of quality, service, and results. Your test shouldn’t only be as good as the latest tester assigned.  
  • Select a team that spends more time on the actual testing versus the administrative tasks. Enable your pentesting team to use creative approaches to find business logic vulnerabilities.  
  • Decide how much external support you want or need from a remediation standpoint.  
  • Ask about their pentesting talent, processes, technology, and culture to ensure you're working with a team that meets your objectives.  

There are many factors that determine the cost of a penetration test. When looking for a penetration testing partner, consider a team like NetSPI that will look out for your best interest both from a financial and risk perspective. 

This post is part of a series on cybersecurity budgeting. Check out the below additional resource: 

Source: NetSPI blog, https://www.netspi.com/?p=28318 (published 2022-09-07, last modified 2024-03-29).

NetSPI post 25277, published May 4, 2021

Choosing the best pentesting company for your organization is not a simple decision given the hundreds of providers vying for your business, each offering varying levels of expertise, testing methodologies, and technologies to perform penetration tests.

To help you identify the best penetration testing companies for your needs, it is important to ask the right questions. To get started, here are 10 essential questions to ask potential pentesting companies during the RFP process – and what to look for in their responses.

  1. Are your resources contracted resources? If not, what are your hiring practices?
    Ask this question to understand how a company sources its pentesters, project managers, and other day-to-day practitioners working on your assessment. Would you prefer working with a team that works together often, or a team of outsourced experts? The answer should also provide insight into the effort an employer puts into finding the best talent. It is especially important for you to understand how the company trains its resources and ensures they have the expertise needed for your testing.
  2. Which regulatory bodies and compliance frameworks does my organization need to be aware of?
    Test the industry knowledge of the pentest companies you are evaluating. Learn how well they understand the external pressures your organization is facing and the additional expertise they can bring to the table.
  3. Can you share a breakdown of the tool-based vs. manual effort that goes into a typical penetration testing engagement?
    Find the right balance between automated scanning and manual testing based on the requirements of your organization. The answer should also reveal the company’s testing methodology and give you an understanding of the vulnerability management tools it uses. Remember, finding critical business logic vulnerabilities requires manual testing.
  4. How do you ensure your team is up to date on the latest certifications and training?
    The answer to this question is an indicator of how much the company values its employees’ continued education and advancement. A company that strives for innovation will have a long list of processes, checklists, peer reviews, and more. Beyond external training and certifications, be sure to ask about the technology the organization is leveraging to ensure that the product of an assessment isn’t directly tied to the tenure of the individual assessor.
  5. How do you ensure return on investment (ROI) from each engagement?
    Ensure your testing partner is maximizing your investment to find business-impactful vulnerabilities, not focusing on administrative tasks. ROI for security initiatives can be difficult to measure, and pentesting is no exception. Pentest efficiency is a great place to start. Ask the prospective companies how they reduce or eliminate the administrative burden of de-duplication and vulnerability tracking, how they enable multiple testers to work simultaneously, and what automated processes they have in place to enable their pentesters to perform a test efficiently and thoroughly.
  6. How do you contribute to the greater security community?
    Instead of asking an organization to “describe your culture,” ask this question. Explore the various ways a pentest company participates in the security community to gauge its drive to innovate. Review its open source tools, GitHub repositories, public trainings, conference participation, community involvement, and more. This will show whether its mission/vision statement is actually being delivered in its day-to-day efforts.
  7. What do you consider your specific focus areas?
    A straightforward question that can reveal a lot about a pentest company. Which types of pentesting (application, infrastructure, cloud, mobile, red teaming, etc.) are they hired for most? Do they have specific industry niches? What types of companies do they work with, and in what industries? Which technologies enable their services?
  8. How do you ensure consistency and repeatability across all engagements?
    Consistency is key in penetration testing. How can you ensure that your results don’t vary by tester? In this response, look for how they maintain centralized communication and repeatable processes, validate vulnerabilities, and track the progress of each test.
  9. How do you plan to grow with my organization over time?
    Maintaining a relationship with one pentest company over time has its benefits, but only if that company can scale with your business. Talk about the plans for your organization and learn how each company can support you at every part of your growth journey.
  10. What areas are not addressed within this RFP?
    A key benefit of working with a third-party penetration testing company is that it should be able to look at your security program holistically. Ask this question to explore other possible areas of risk and, as a bonus, learn how the company delivers its recommendations.
Download our 4-part guide: How to Choose the Best Penetration Testing Company
Post: 10 Questions to Ask Penetration Testing Companies Before You Buy (https://www.netspi.com/?p=25277, last modified 2022-12-16). Excerpt: For help choosing the best pentest company for your organization, check out these 10 questions to ask during the RFP process.

Post ID 21265, published 2021-02-09:

On February 9, 2021, NetSPI's VP of Strategic Accounts Mary Braunwarth was featured in SC Magazine:

Security leaders, especially in highly regulated industries, are overwhelmed because their security decisions solely comply with audit and regulatory frameworks.

Many have to comply with HIPAA for healthcare, PCI DSS for credit card handling, and the Office of the Comptroller of the Currency and FDIC for financial services, leaving security teams fatigued and unable to innovate. Over time, their strategy mirrors their organization’s regulatory and compliance demands. This impacts the maturity of security programs and exponentially increases an organization’s risk, making it susceptible to cyberattacks and even nominal regulatory fines. One example is the Citibank incident, in which Citibank was fined $400 million for falling short in its regulatory-driven risk management processes.

Over the years, I’ve observed that security leaders lose control of their programs because they try to meet the ever-growing demands of regulators, line of business, expanding attack surface, and third parties – the list goes on. It’s critical for security leaders to drive an organization’s security strategy – not the second line of defense (risk management) nor the third line (auditors), nor regulators. After all, it’s the security leaders who inform executives and board members of the risk to critical information assets and how to manage it – and whose jobs are on the line.

My recommendation? Security leaders should pivot from an institutionalized, regulatory- and audit-driven security program to one that focuses on both risk and compliance.

Read the full article here: https://www.scmagazine.com/perspectives/rethink-your-cybersecurity-resiliency-using-a-risk-based-strategy/

Post: SC Magazine: Rethink your cybersecurity resiliency using a risk-based strategy (https://www.netspi.com/?p=21265, last modified 2022-12-16). Excerpt: On February 9, 2021, NetSPI's VP of Strategic Accounts Mary Braunwarth was featured in SC Magazine.

Post ID 13859, published 2019-11-01:

The Situation

In a report published by consulting firm West Monroe Partners, 40 percent of acquiring businesses said they discovered a high-risk security problem at an acquisition after a deal went through. With this in mind, executive management at one of America’s largest banks wanted to ensure that one of their subsidiaries wasn’t suffering from similar security control gaps. In addition, the bank wanted to understand if identified security gaps could be leveraged to gain unauthorized access to the subsidiary’s networks and resources. To answer those questions, and report on the subsidiary’s responsiveness to real-life attack scenarios, the bank hired NetSPI to conduct a red team operation.

The Approach

During some red team operations, clients provide information to save time, such as employee names, reporting structures, policy details, or system targets. In this instance, the test was conducted using a black box approach, meaning no information was provided by the client. Despite this handicap, NetSPI would put the bank’s newly merged digital infrastructure to the test by attempting to achieve and maintain unauthorized network access via both technical testing methods and social engineering. The bank wanted to know if systems, services, or employee identification processes were vulnerable. If so, they wanted NetSPI to exploit those vulnerabilities in order to gain access to critical resources owned by the subsidiary. They also wanted to know if any operating systems or applications were creating immediate risk and if the security controls that were deployed could be bypassed. NetSPI would find out.

The team began by conducting a significant amount of reconnaissance, learning the names of some employees and identifying their email addresses and phone numbers. Armed with this information, NetSPI initiated a targeted social engineering attack: a robo-caller was used to spoof the bank’s voice mail system, asking a targeted employee to verify their identity with their username and password. The tactic succeeded, yielding an employee’s username and password. Having obtained the necessary credentials, the next step was to impersonate the employee in an attempt to obtain access to the corporate Virtual Private Network (VPN).

At A Glance

Client: One of the largest U.S. financial institutions offering a comprehensive range of financial services nationwide.

Challenge: Conduct a black box red team assessment to identify weaknesses in network security, policies and procedures.

Approach: Use social engineering and technical testing methods to gain credentials, access the network and escalate privileges.

Results: Security practices and procedures have been strengthened, significantly improving the bank’s overall security posture.

  1. “Cybersecurity Due Diligence in M&A”, West Monroe Partners, July 12, 2016.

A NetSPI red team member, acting as the targeted employee, called the bank’s IT help desk and stated they were having trouble connecting to the corporate network over the VPN. The help desk provided the NetSPI team member with the information below without verifying the caller’s identity beyond asking for their username, which had been obtained using the robo-caller:

  • A link where the VPN client could be downloaded.
  • Installation instructions for the VPN client.
  • A one-time token that could be used for the VPN Multi-Factor Authentication (MFA) process, which was sent to a non-corporate email address controlled by the NetSPI red team member.

Now, with remote access to the target network and Active Directory domain credentials in hand, NetSPI started examining the environment for privilege escalation paths. It wasn’t long before a critical discovery was made: a Microsoft Windows server had been left unpatched and was exposed to the EternalBlue vulnerability. NetSPI exploited this vulnerability to gain a foothold on the domain system and continued escalating towards the established targets. This foothold was maintained for multiple days, and the MFA token used to access the network over VPN was reused multiple times. This shed light on a gap between the bank’s policy, which mandates that a one-time VPN token expire after 24 hours, and the reality of the subsidiary’s implementation.

After multiple days, the bank’s internal IT staff identified that there was an unauthorized user on the network, and their Incident Response team was dispatched to confiscate the targeted employee’s compromised laptop. At this point, the bank personnel in the know revealed to all necessary parties that the bank had engaged NetSPI to conduct a red team assessment. A conference call was quickly held to begin the deconfliction process and ensure that the bank had indeed discovered NetSPI’s activities and not those of an actual attacker. The bank and NetSPI were able to confirm that the red team breach had been discovered. The bank elected to end the engagement, and NetSPI moved on to the reporting phase, which resulted in a deliverable containing both the overall narrative of the engagement and detailed write-ups for all discovered vulnerabilities and weaknesses.

The Results

After the deconfliction process, internal teams worked with NetSPI to understand the attack path and the technical testing leveraged throughout the engagement. The bank then took this information and built a remediation plan to address the deficiencies. For example, the off-the-shelf network detection software the bank had installed performed poorly, even though evidence of the network intrusion was captured in the log files. Because the software had not been properly tuned to the environment, alarms were not triggered even though the intrusion had been recorded. This has since been remedied, along with large improvements to the bank’s vulnerability management practices.

In addition, the findings of the assessment resulted in additional funding being made available to address the problem areas highlighted in the final report. Special focus was placed on security awareness training for employees and on adherence to the employee identification and verification practices used by help desk staff, to make them more aware of malicious actors.

To confirm that the remediation activities at the bank were successful, NetSPI performed an additional round of technical testing to verify that the identified vulnerabilities had been remediated.

Post: Leading Financial Institution Leveraged NetSPI Red Team Service to Improve Their Security Posture (https://www.netspi.com/?p=13859, last modified 2023-06-22). Excerpt: In a report published by consulting firm West Monroe Partners, 40 percent of acquiring businesses said they discovered a high-risk security problem at an acquisition after a deal went through.

Post ID 28769, published 2022-11-01:

At NetSPI we are often asked, “Will our cybersecurity spend plateau or decrease?” or “Our security testing quantity and frequency continue to rise year over year; shouldn’t our vulnerability findings decrease over time?” – or a variation of these questions.

Many assume that, over time, operational scale and efficiencies will generate this result. But we do not expect to see this correlation in the foreseeable future.

If you look at the macro numbers, we are in a never-ending race against sophisticated adversaries, and organizational attack surfaces are growing exponentially. As companies continue to grow, innovate, acquire, divest, and hire, the threat landscape evolves at the same rate – or faster.

Vulnerabilities, cybersecurity spending, and threats are all on the rise.

According to the NIST National Vulnerability Database, the vulnerability count historically fluctuated until 2017, when there was a massive spike in total vulnerabilities. Since then, vulnerabilities have steadily increased year-over-year and are on track to trend upwards throughout the remainder of 2022.

Data also shows that high/critical vulnerabilities slightly decreased in 2021. However, the most critical vulnerability category is not included within this data but would impact the number of vulnerabilities drastically: people. According to a study by IBM, human error is the primary cause of 95% of cyber security breaches.

At the same time, cybersecurity remains a budgetary priority and spending continues to increase industry wide. Gartner predicts end-user spending in the information security and risk management market to grow at a compound annual growth rate (CAGR) of 11 percent through 2026.

Adversaries are no longer limited to individual actors and include highly sophisticated organizations that leverage integrated tools and capabilities with artificial intelligence and machine learning. While sophistication increases, so does activity. McKinsey & Company saw an exponential increase in the number and types of threats over the past decade. Additional reports have validated this over the past few years: Phishing increased 220 percent at the onset of COVID-19, governments and healthcare organizations worldwide saw an increase in ransomware attacks (1,885% and 755%, respectively), three in five companies were targeted by supply chain attacks in 2021, the list goes on.

Traditional penetration testing is compliance driven – and most compliance frameworks are 2-5 years behind current threat vectors. By evolving from compliance driven to risk and compliance driven testing, enterprises will identify more critical risks and vulnerabilities… but this does come at an increased cost.

It is highly unlikely that vulnerabilities will decrease year-over-year, based on your security testing investments alone.

It is important to understand that penetration testing does not directly reduce vulnerabilities; it identifies exposures and security issues. Reducing vulnerabilities requires fingers on a keyboard to change application code, reconfigure an operating system, update device configurations, and perform other activities. The number of vulnerabilities can also be affected by external factors that organizations cannot control.

Let’s explore six core factors, beyond security testing investments, to which the increasing number of vulnerability findings organizations globally are observing today can be attributed.

Factor: New Attack Vectors and Increasing Sophistication
Examples/Context:
  • The volume of vulnerabilities is directly related to the increase in the volume of attackers.
  • Threat actors are no longer individuals; they are well-funded enterprise organizations. They can develop new technologies at a faster clip than ever before. Even our most sophisticated cyber controls, policies, and regulations will soon be obsolete.
  • Criminal enterprises have discovered that attacks like ransomware can be very profitable. As a result, they are focusing more than ever on developing and advancing those capabilities.
  • 99 percent of codebases contain at least one open-source component. While organizations do have control over where and how open-source code is used, this ubiquitous code can open the floodgates for future vulnerabilities, and the severity of this risk is highly variable (e.g. Log4j, SolarWinds).
  • Supply-chain and third-party risk has led to some of the largest breaches (e.g. Kaseya, Colonial Pipeline, Kronos, SaaS providers). The supply chain continues to expand with new features and functionality that introduce the potential for additional vulnerabilities. The quality of third-party talent, business decisions, and priorities directly impacts the number of potential vulnerabilities they could introduce to your organization.

Factor: Adoption of New Technologies
Examples/Context:
  • The volume of vulnerabilities is directly related to the adoption of new technologies.
  • The adoption of new technologies offers many advantages from a business perspective. But with new technologies come new risks that may not be fully understood by the groups implementing them. For example, cloud technologies today represent a very wide and deep attack surface that is still not fully understood by much of the security community. Technology helps organizations innovate, but as you layer more systems onto your IT networks to enable business growth, new vulnerabilities may arise.
  • Organizations are seeing a substantial increase in the number of apps in use. On average, companies have 254 SaaS applications, 56 percent of which are managed outside of IT (shadow IT).

Factor: Infrastructure and Development Practices
Examples/Context:
  • An agile development lifecycle pushes smaller snippets of code into production. In agile, testing policies are often not triggered because no large amount of code is being released at once. These small snippets add up over time, and we have seen organizations discovering more critical and high vulnerabilities in production.
  • Legacy code and systems add complexity and cause exceptions that further increase an organization’s risk.
  • System integrations are much more prevalent than before (e.g., vertical integrations that create silos, horizontal integrations through an enterprise service bus, and point-to-point or star integrations). In addition, organizations continue to increase their dependency on third parties for development practices.
  • Digital transformation can change an organization's infrastructure and IT footprint drastically. A common example of this is cloud migrations.
  • There is often a lack of collaboration between development and security teams; security is not always at the table during application design processes.

Factor: Organizational Change
Examples/Context:
  • Major business changes across organizations may bring new vulnerabilities. Changes could include mergers, acquisitions, divestments, or eradication of legacy apps/systems.
  • Historically, security was not mature enough to be part of the change. This mindset has changed, and budgets may need to be realigned to efficiently mitigate risk.
  • Access patterns continue to evolve (e.g. work-from-home: as companies shifted, cyber-attacks increased by 20 percent). Mobile platforms, remote work, and other shifts increasingly hinge on high-speed access to ubiquitous and large data sets, exacerbating the likelihood of a breach.
  • With organizational change come new attack surfaces, such as cloud migrations and shadow IT. We’re also seeing significant changes to the existing attack surface in the form of new systems and applications.

Factor: Talent Shortage
Examples/Context:
  • The talent shortage amplifies all of the above preexisting factors.
  • Many organizations lack sufficient cybersecurity talent, knowledge, and expertise, and the shortfall is growing. The number of unfilled cybersecurity positions globally grew by 350 percent over the past eight years. In 2021, a survey reported 3.5 million unfilled roles. The software developer talent shortage is also concerning. By 2030, the number of software job vacancies is expected to rise by almost 22 percent, and the software engineer shortage in the USA is expected to hit 1.2 million by 2026, according to the Bureau of Labor Statistics.
  • Secure coding expertise among developers is highly variable.
  • Outsourced development vs. in-house development can influence the number of vulnerabilities found in your software. Organizations generally have more visibility and control over in-house development practices.
  • With the talent shortage come burnout, insufficient training, employee turnover, and difficulty keeping pace with workloads, all of which can influence vulnerability count through recurring vulnerabilities, unpatched issues, and a higher likelihood of error.

Factor: Evolving Testing Approaches and Technologies
Examples/Context:
  • Pentesting is time-boxed, so breadth and depth are limited compared to an adversary that has unlimited time to achieve its objective. We must continue embracing technology as our force multiplier.
  • Shifting left is a great practice to catch vulnerabilities earlier in the SDLC; however, this methodology can alter the number of vulnerabilities that are found depending on how far left your organization is testing and at what depth, and it is dependent on the quality of the code output.
  • The capabilities, depth of access, and reporting output of automated testing tools keep changing. As testing technology advances, it uncovers more paths for manually discovering critical vulnerabilities.
Post: Six Reasons Why Vulnerabilities are Increasing, Despite Greater Cybersecurity Investments (https://www.netspi.com/?p=28769, last modified 2023-05-18). Excerpt: Explore six factors that can be attributed to the increasing number of vulnerability findings organizations globally are observing today.
