<div dir="ltr"><div>You should be clear if they are doing a "penetration test" or a "network scan" -- they are not the same. A network scan just scans your IPs for anything that's open and reports on potentially vulnerable software/versions running on those ports. A real penetration test is typically more in depth and often focused on a single application where they actually login to it and try to break out of the security protections. Both are valuable things to have done, but make sure you are very clear on the difference (though I would not be so upfront to your client as they might be happy with a network scan instead of a full pen test).<br><br></div>It sounds like you're talking about a network scan, which is still a lot of work as Jim mentioned. For this price, I would expect a pretty in-depth analysis of your environment, so you might want to go back to them and get a full list of the methodology they're going to use for the scan (what tools, how will they process and present them, etc...). This would be a lot of money for something like a simple nmap scan, but if they're probing deeper then it's worth paying for.<br><br>Also keep in mind that external companies are always paid to find *something*, so if you're systems are really locked down it might be worth it to plant something "easy" to find which will also serve as a gauge for you to tell how thorough they were with the scan.<br><div><br><div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>❧ Brian Mathis<br></div>@orev<br></div></div></div>
<br><br><br><div class="gmail_quote">On Wed, Jul 15, 2015 at 8:22 AM, Edward Holcroft <span dir="ltr"><<a href="mailto:eholcroft@mkainc.com" target="_blank">eholcroft@mkainc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-size:small">Folks,</div><div style="font-size:small"><br></div><div style="font-size:small">I have a quote for a pen test for my company. It comes to $15k and they will be looking at about 50 public IP's. They will give us a full report, as well as a general report for our client that has demanded the testing. They also offer a re-test as part of the deal once we have addressed any potential holes that they discover.</div><div style="font-size:small"><br></div><div style="font-size:small">These guys come highly recommended by someone from this list, so I'm ready to pull the trigger on it. But having no experience in this field, I was just wondering if someone can comment on the pricing. Is this typical? Dies it sound about right?</div><div style="font-size:small"><br></div><div style="font-size:small">I realize this is like asking "How long's a piece of string?" but I'd be grateful for any advice. I just need to know if this is in the ball park or if it's nuts.</div><div style="font-size:small"><br></div><div style="font-size:small">cheers</div><div style="font-size:small">ed</div><span class="HOEnZb"><font color="#888888"><div><br></div>-- <br><div><div dir="ltr">Edward Holcroft | Madsen Kneppers & Associates Inc.<br>11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097<br>O <a href="tel:%28770%29%20446-9606" value="+17704469606" target="_blank">(770) 446-9606</a> | M <a href="tel:%28770%29%20630-0949" value="+17706300949" target="_blank">(770) 630-0949</a></div></div>
</font></span></div><span class="HOEnZb"><font color="#888888">
<br>
<span style="font-family:arial"><font size="2">MADSEN, KNEPPERS & ASSOCIATES USA, MKA Canada Inc. WARNING/CONFIDENTIALITY NOTICE: This message may be confidential and/or privileged. If you are not the intended recipient, please notify the sender immediately then delete it - you should not copy or use it for any purpose or disclose its content to any other person. Internet communications are not secure. You should scan this message and any attachments for viruses. Any unauthorized use or interception of this e-mail is illegal.</font></span></font></span><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br></div></div></div></div>