The cost of an application penetration test can vary widely, from $1,500 – $45,000+. The price depends on a variety of factors, such as the type of application, the quantity of applications, the frequency of testing, whether credentials are used (with credentials = Grey Box, without = Black Box), the quantity of API endpoints, how the API is to be tested, the configuration of the underlying infrastructure, etc.
- Type of application → There are three types of applications: Web Application / API, Desktop Application, or Mobile Application. These can vary greatly in size and complexity, and therefore cost. The goal is to assess the security controls of the application and evaluate the attack surface.
- A Web Application is an application that runs in a web browser and is platform independent. These web-hosted applications allow access to complex features (e.g., login pages, shopping carts, social media news feeds, etc.) without configuring any software. Examples would be Gmail and Facebook.
- A Desktop Application is an application that is installed locally on a user’s workstation and is platform dependent (Windows, macOS, or Linux). These applications provide a wide range of functionality and benefit from the resources of the workstation and its operating system. Examples would be Microsoft Word or Adobe Photoshop.
- A Mobile Application is an application that is installed locally on a user’s smartphone or tablet and is platform dependent (iOS or Android). Examples would be Instagram and mobile games.
- An API (Application Programming Interface) is a software intermediary that allows the front-end to communicate with the back-end of an application, or with other third-party systems. APIs can be integrated with any type of application.
- Quantity of applications → The number of applications to be tested directly impacts the duration of testing and therefore cost.
- Frequency of testing → The more frequent a penetration test is to occur, the cheaper the cost per engagement.
- Use of credentials → The use of credentials allows for a deeper dive into assessing the security controls between roles for the application. A test with credentials, called a Grey Box assessment, is more expensive than a test without credentials, called a Black Box assessment. If your application has different permission levels, a credentialed assessment is strongly recommended.
- Quantity of API endpoints → The number of functions exposed by an API directly relates to the overall size of the application. The higher the number of endpoints, the higher the cost, due to the increased testing time.
- API testing → The API can be tested through the front-end user interface or directly, if it’s exposed to third-party systems. Testing an exposed API directly takes longer and therefore has a higher cost.
- Configuration of underlying infrastructure → The underlying infrastructure of an application (e.g., servers) can be tested for exploitable vulnerabilities. The quantity of systems and their configurations will affect the duration of testing and therefore the cost.
- Web Application / API Pen Test is $2,500 – $10,000+
- Desktop Application is $2,500 – $10,000+
- Mobile Application is $3,250 – $8,000+
The cost of a network penetration test can vary widely, from $1,250 – $30,000+. The price depends on a variety of factors, such as the type of network test, the quantity of systems, the frequency of testing, the objective of the assessment, the environment configuration, etc.
- Type of network pen test → There are two types of networks: the External Network and the Internal Network.
- The External Network is any public facing system and could include servers (web, file, email, etc.), VPNs, firewalls, cloud storage, etc. An External Network Pen Test, also referred to as a Black Box assessment, simulates an outside attacker trying to find, and then exploit, weaknesses in the network perimeter. The goal is to assess the perimeter defenses and evaluate the attack surface of an organization.
- The Internal Network is an organization’s internal environment that only employees and authorized personnel would have access to. An Internal Network Pen Test, also referred to as a Post Breach assessment, simulates an attacker who has gained access through the external perimeter, or via social engineering, and is now inside your network. This assessment measures your security posture from an internal perspective and looks to answer the question “what COULD an attacker do once inside your network?”. Are they able to move laterally, capture credentials, perform relay attacks, elevate privileges, etc.? This is the true test to measure your Detection and Response capabilities.
- Quantity of systems → The number of systems to be tested directly impacts the duration of testing and therefore cost.
- Frequency of testing → The more frequent a penetration test is to occur, the cheaper the cost per engagement.
- External Network Pen Test is $1,250 – $8,000+
- Internal Network Pen Test is $2,500 – $12,000+
A Vulnerability Assessment is often the first step in an engagement and can be performed as part of a Web Application Pen Test (with or without credentials), an External Network Pen Test, or an Internal Network Pen Test. These assessments are automated by nature and flag any potential vulnerability, whether theoretical or exploitable. They can be performed alone or as part of a penetration test and are a great way to quickly get a prioritized list of fixes at a low cost. The price is impacted by the number of systems to be tested and ranges from $100 – $3,000+.
Does CyberHunter offer any cyber security packages?
We sure do! We have turned our most popular services into an optional 3-year contract service agreement in order to offer you the most cost-effective cyber security packages on the market. The three packages are: External Network Security, Web Application / API Security, and Internal Network Security.
- Package I - External Network Security
- Package II - Web Application / API Security
- Package III - Internal Network Security
The External Network Security Package mimics the actions of an actual adversary by attempting to exploit weaknesses in network security without the dangers of a real threat. This test examines external IT systems for any weakness that could be used by an external attacker to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organization to address each weakness.
It should be assumed that every actively listening device that is exposed to the internet will constantly be under attack. Examples of listening services that are typically exposed would be email, web, VPN, cloud authentication, cloud storage, etc.
CyberHunter uses the Penetration Testing Execution Standard (PTES) as well as NIST SP 800-115 as the guideline for all external penetration testing covering:
Enumeration / Reconnaissance – This exercise is a precursor to a penetration test and involves scanning the targets for possible vulnerabilities that may be exploitable. Specifically, we are looking for misconfigurations, vulnerable software, weak credentials, and poorly coded software that a hacker could use to infiltrate a server or compromise the application. This phase can cover areas such as:
- Information Leakage
- DNS Analysis
- System fingerprinting
- Services Probing
- Exploit Research
Exploitation Testing – In this test phase, CyberHunter will look to manually exploit any weaknesses or vulnerabilities identified in the servers or web application, with the objective of breaching it from a black box perspective (i.e. no credentials or knowledge of the systems). Such tests may cover some or all of the following areas:
- Manual Vulnerability Testing
- Verification of Identified Vulnerabilities
- Intrusion Detection / Intrusion Prevention Testing
- Password Strength Testing
The External Network Security Package on a 3-year term for up to 5 IP addresses costs $2,000 annually. This includes a monthly Vulnerability Assessment to ensure your external network security posture is maintained at the highest possible level of security. This equals savings of up to $1,500+!
The Web Application / API Security Package covers methodologies based on OWASP Top 10 Most Critical Web Application Security Risks, OWASP Testing Guide v4, CWE/SANS TOP 25 Most Dangerous Software Errors, and The Penetration Testing Execution Standard (PTES), where applicable, and can include the following high-level categories:
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Error Handling
- Session Management Testing
- Authentication Testing
- Authorization Testing
- Business Logic Testing
- Data Validation Testing
- Client Side Testing
Testing the security of your web-based applications will allow you to:
- Identify security vulnerabilities and security design flaws affecting your web applications.
- Understand the contextualized risk posed by issues found and the impact of security violations.
- Reveal your exposure to internal and external attackers.
- Learn your application’s overall security posture and how it can affect your business.
- Raise risk and security awareness.
- Receive detailed recommendations on how to solve issues found, mitigate identified risks and improve the overall security stance of your web-based applications.
The Web Application / API Security Package on a 3-year term for 1 web application, up to 3 user roles, and up to 100 API endpoints costs $5,000 annually. This includes a monthly Vulnerability Assessment to ensure your application security posture is maintained at the highest possible level of security. This equals savings of up to $2,000+!
The Internal Network Security Package, depending on the objective and methods, can sometimes be referred to as a Red Team exercise or a Post-Breach penetration test and can be used to realistically test the Protective, Detective and Responsive security controls in an organization.
The questions and measurements being made during testing are:
- Did you stop any of the threatening actions and behaviors performed?
- If the threats were not stopped, did you see them (event logging)?
- If the threats were observed, did you respond appropriately to them (SOC Team, Blue Team)?
The testing begins by connecting any internal computer, using a VPN client, to our cloud-hosted VPN server. NOTE: This is a secure outbound connection. We do not need any inbound connection to the network. Our cloud server will obtain a local IP address on the LAN using DHCP (or static assignment), but no credentials will be provided to the test team. In this case, all tools are maintained offsite and used by the testing team to perform reconnaissance, search for vulnerabilities and exploitable security misconfigurations, potentially exploit devices, establish a presence in the network and act on desired objectives. Activities are aligned with MITRE ATT&CK (https://attack.mitre.org/) and may include:
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command and Control
The Internal Network Security Package on a 3-year term for a Windows Domain environment with a /24 subnet costs $5,000 annually. This includes a monthly Vulnerability Assessment to ensure your internal network security posture is maintained at the highest possible level of security. This equals savings of up to $1,500+!
These aren’t the only options available to you. We are more than happy to create a custom plan/package for you depending on the scope of the engagement and your budgetary requirements. CyberHunter works with companies both big and small, in all market verticals, so we understand the issues facing your business. We will always do our best to provide excellent service at a rate that works with you. If you’re interested in receiving a proposal, be sure to get in touch with us today!
How are penetration tests performed?
CyberHunter penetration tests are performed manually by our team of penetration testers (also called “Ethical Hackers”), who all reside in Canada and the USA. Our team of testers carry a variety of industry certifications which may include:
- Certified Information Systems Security Professional (CISSP)
- Offensive Security Certified Professional (OSCP)
- Offensive Security Wireless Professional (OSWP)
- CompTIA Security+
- Certified Ethical Hacker (CEH)
- CJIS Level 4
- Global Information Assurance Certification Penetration Tester (GPEN)
- Global Information Assurance Certification Web Application Penetration Tester (GWAPT)
Our application penetration tests are done according to industry standards and follow the OWASP Top 10 Most Critical Security Risks, CWE/SANS Top 25 Most Dangerous Software Errors, the Penetration Testing Execution Standard (PTES), as well as the NIST Cybersecurity Framework (CSF). Our testing is never meant to be destructive or disruptive.
Frequently Asked Questions
The easiest way to explain the difference between a Vulnerability Assessment and a Penetration Test is to imagine yourself standing in front of a door. A Vulnerability Assessment is like a door inspection where you carefully examine it for potential issues such as rusty hinges, loose locks, or cracks in the frame. It identifies all POTENTIAL weaknesses (or vulnerabilities) of that door but doesn’t attempt to exploit them.
A Penetration Test, on the other hand, is like standing in front of that same door and seeing those potential vulnerabilities, then trying to actively exploit them. This would include taking a hammer to the rusty hinges, trying multiple keys on the locks, and taking a crowbar to the cracks in the frame. It aims to see if the weaknesses found in the Vulnerability Assessment can be manually exploited to gain unauthorized access.
Penetration testing frequency varies widely by industry; however, it is recommended to be performed annually at minimum. Various industry certifications may require more frequent testing (i.e. quarterly or bi-annually), or testing when there is a significant change made to an application(s)/network(s). Beyond that, however, it’s ultimately up to you.
The duration of a penetration test ultimately depends on the type, size, and scope of the assessment. The TYPICAL test duration for each assessment is as follows:
- Web Application / API = 5 days per app
- Desktop App = 5 days per app
- Mobile App = 5 days per app
- External Network = 3 days
- Internal Network = 5 days
An additional 1-3 days is typically required for the report creation and review process.
No, the most expensive option does not always guarantee that you will receive the best service. The relationship between price and quality for penetration testing can vary significantly. Here are a few things you should consider when selecting a penetration testing vendor: