Demystifying Penetration Testing Pricing
As information and cybersecurity services continue to become more commoditized and as more vendors flood the market to take advantage of the high demand, it is increasingly important for leaders to understand available services and maximize value from their budget and resources. Fortalice clients routinely seek our expertise when budgeting for and prioritizing their next steps to strengthen their organization’s cybersecurity posture. To best serve them, we are open and transparent, not only about our services but also what other options may be in their best interests. Our approach allows client leaders to make timely and informed decisions and demonstrates that we build long-standing and meaningful relationships, not transactional ones.
As Director of Client Solutions at Fortalice, I strive to connect existing and prospective clients with Fortalice services that build cyber resilience and provide an immediate benefit. Often what makes sense depends on customer requirements, including getting the most for their budgets. When addressing pricing for penetration testing, where multiple bids are often being solicited or companies have a requirement to periodically rotate vendors, I routinely receive questions on cheaper, automated penetration testing alternatives, some of which cost less than $1,000.
In the Fortalice spirit of full transparency, what does Fortalice penetration testing offer that these automated, budget options do not?
MYTH: Automated penetration tests are the most cost-effective.
FACT: Automated penetration tests are not actual penetration tests!
First, automated penetration tests are a misnomer. These products are almost always vulnerability scanning tools that attract customers due to their low price point and false equivalency with true penetration testing. Vulnerability scans are a building block, not the entirety, of penetration testing and produce only a cursory view of your network weaknesses. Akin to performing a home inspection through a quick walk around the building, there are more thorough and diligent methods necessary for protecting your organization and its investments in security and technology.
Second, these bargain options often produce lengthy, unvalidated reports that contain false positives that require validation by your security team. Additionally, removing the human component of penetration testing, and the skills and experience of expert offensive security engineers eliminates insight into how, or to what extent, an attacker could leverage a vulnerability to infiltrate your network. Your money may leave you with a spreadsheet of scan results with little guidance and a virtual pat on the back to implement your own remediations until it’s time for the next scan.
Third, these products encourage an abandonment of annual or semiannual penetration testing in favor of on-demand “testing.” Frequent vulnerability scanning is good practice, but again not an apples-to-apples comparison to full-scale penetration testing. If your organization has a requirement, compliance or otherwise, to perform penetrating testing annually, “automated” scans at any interval will not suffice.
MYTH: Automated vulnerability scanning produces superior results to human-curated penetration testing.
FACT: True penetration testing requires human experts and provides insight into how susceptible your organization is to a real-world attack.
Fortalice boasts an industry-leading Offensive Cyber Operations (OCO) team that performs a full suite of offensive security services, including penetration testing, purple team engagements, full-scale red team exercises, and mobile and web application assessments. Our team has the educational background and certifications, and professional skills and experience, to customize each penetration test to target your organization’s sensitive business information. Fortalice penetration tests utilize vulnerability scanning in our process, but extend past scan results to show how a real-world attacker would initially target your organization and what attack paths they may utilize. Unlike automated scanning reliant on database updates and manual validation, the Fortalice OCO team improves tradecraft through each engagement to utilize cutting-edge adversarial techniques to extend well beyond vulnerability scanning and provide greater value per dollar spent.
Further, we design our reports to be actionable and clearly and concisely inform all organizational stakeholders, from executive- and board-level leadership to information security teams. Each Offensive Security Assessment Report contains an executive summary outlining the engagement scope and results, a list of findings ranked by severity to the organization, existing strengths noted in the client environment, and detailed, phased remediation plan for each finding. Fortalice prioritizes offering actionable recommendations that are low-to-no-cost, but as appropriate will indicate where an additional tool, resource, or program or process may be needed to address the risk.
MYTH: Vulnerability scanning and penetration testing are interchangeable.
FACT: Vulnerability scanning or “automated” penetration testing may not be the best use of organizational funds.
Although vulnerability scanning is a passive activity and lacks the in-depth, manual exploitation that provides the most insight into possible attacks, it is a foundational component in establishing good cyber hygiene. Vulnerability assessments can be performed on a regular basis from both an external and internal perspective to provide information on items such as missing patches, unsupported operating systems, or infrastructure misconfigurations.
However, scanning results depend on how frequently the tool’s vulnerability database is updated, and may not provide guidance on how to remediate the vulnerabilities as they relate to your unique environment. Vulnerability management program success relies on regularly scheduled scans and dedicated team members responsible for investigating, rectifying, and validating scan results. Most importantly, vulnerability scans fail to demonstrate the likelihood and extent that the vulnerabilities can be exploited by adversaries.
How can you decide which service is best for your current needs?
Does your organization perform vulnerability scanning? If not, consider implementing a vulnerability scanning program and begin remediating risks before engaging in a penetration test.
Has your organization ever performed a penetration test? If not, it may be a good idea to begin regular penetration testing with a trusted partner like Fortalice.
Has your environment had large changes since your last penetration test? Industry best practice dictates penetration testing should be performed at least annually against your environment. Large-scale changes may introduce unforeseen critical vulnerabilities and necessitate more frequent testing.
What would be the reputational and financial damage of a breach to your organization? If significant reputational or financial damage is possible, vulnerability scanning is inadequate to protect your organization. Attackers will not stop at the surface level, and penetration testing is the best way to proactively discover and address items that put your security at risk.
What are your next steps?
If you have any questions about Fortalice offensive security services including penetration testing or establishing a vulnerability management program, can benefit you, contact us at email@example.com to schedule a 30-minute consultation.
Discussion of environments susceptible to lateral movement through resource-based constrained delegation (RBCD) attacks, prompting me to take a deeper dive into the topic