How much does a penetration test cost?

This is a question that both our current and potential customers ask: "How much will it cost to perform a penetration test on our company?" Usually our method of answering it is to go through a survey with the client that addresses several topics:

  • Scope of the test: web application, full company test, white box test, black box test, etc.
  • For web application tests, we get a feel for the number of pages containing dynamic content. For full corporate tests, we look at how many sites there are, how big the network is, and how large the employee base is.
  • Attacker modeling: who are your potential attackers, and what do they stand to gain by compromising your application, website, or company?

This is a huge simplification. It usually involves a good amount of discussion, several pages of notes, and getting a feel for what would be too much or too little.

But (and I preface telling customers this by saying that it sounds like a slimy sales pitch, but it is not) what it really comes down to is the client's budget. How much are you willing to spend to make sure that you are fairly secure? How much do you think potential malicious users would spend? Often our initial estimates are higher than what clients expect; then begins the process of deciding where time should be focused to provide the best service for a negotiated price.

Network World Magazine has an article today about a great example of this. Briefly, it looks like somebody (most likely a nation state) spent a large chunk of cash and resources in an attempt to cause significant damage to Iran's nuclear reactor. To do this, they...

  • Found or purchased four zero-day exploits in Windows and Siemens' SCADA software
  • Developed the first known rootkit for Siemens' industrial systems
  • Spent a nice amount of R&D time on a Siemens plant control system (read: a multimillion dollar lab)
  • Created a worm, written in several programming languages, targeted to find a particular Siemens system (based on configuration settings) and then stop spreading any further, so it would stand a better chance of not being found

So, somebody had a budget of several million dollars for this project. Obviously, this is an exception, not the norm for malicious users. The point of this post is not to scare people (I do not believe in FUD) but to say this: understand your business, your risks, and who might want to profit from you. Then act accordingly.