This article describes the main factors that we take into consideration while estimating the cost of an external penetration test.
An external penetration test assesses the external attack surface of your organization. Social engineering attacks are often removed from the scope for this type of test because they are assumed to succeed (which is one of the reasons why internal penetration tests are necessary). Therefore, what remains primarily consists of scanning, reconnaissance, and analysis of the combined information to determine what potential paths other than social engineering are available to an adversary.
As with most penetration testing, a gray-box external test is the most efficient method. This is not to say that you need to provide user accounts to the testing team, but rather that you should add scanning source IPs to an allow list so that the scanning can proceed efficiently. For example, a network firewall that reports all ports as open will hinder progress on this type of test. Similarly, a web application firewall (WAF) that shuns origins of cross-site scripting payloads will increase the assessment effort. To account for the loosening of these types of controls, we will validate vulnerabilities through an alternate (not allow-listed) IP address in order to determine the effectiveness of the control.
The two factors that are most likely to affect the effort of an external penetration test are:
1. Size
How big is your attack surface? Most organizations have a relatively small (i.e., less than 100 hosts) external attack surface. It is rare but possible for an organization to have a much larger external attack surface, significantly increasing the effort needed to scan and analyze it.
2. Atypical Scenarios
Scenarios such as black-box testing of the external surface or bringing social engineering into scope can dramatically increase the effort of such a test. Black-box testing requires more tact and may involve firewall evasion techniques, which can be very time-consuming. Social engineering from outside the organization requires substantial additional research and planning effort.