Rhino Security Labs

Penetration Testing FAQ

Penetration testing duration and costs can vary significantly depending on multiple variables.  

Scoping details such as network IP addresses, the complexity (and number) of applications, and the number of employees in scope for social engineering are key factors in determining project size. Accounting for these variables, our team works diligently to match the scope details with the security needs of your organization.

With that said, there are trends and ranges for projects we tend to see. Penetration testing generally starts around the $10,000 range, but can grow into six figures for large, in-depth projects.

We also offer discounts for multiple-year contracts, ensuring your organization both has a consistent pentesting partner and can stretch security budgets further.

Similar to the above question on pricing, the length of a penetration test depends on multiple variables. Penetration testing is a hands-on assessment not suited for short, quick sprints. At Rhino Security Labs we tend to see projects starting at about one week, but most projects run multiple weeks or even months.

We understand that clients often have hard deadlines that they're trying to meet.
Whether you're trying to meet client requirements which rely on pentest results or have an annual requirement, we do our best to accommodate your timelines. Unfortunately, manual penetration testing takes some planning and preparation for our assessment team, and our schedule can be filled as much as 2-6 weeks out.

With that said, if you have an urgent project, feel free to contact us about timelines. Depending on needs and timelines, we may have the ability to pull resources off of a research project and get started immediately.

A question not enough people ask is how much of the testing is automated vs. manual. While automated tools are a brief step early in our process, the large majority of our testing is manual. The amount of manual work varies from project to project, but around 95% of the pentest is hands-on.

This isn't to say automated vulnerability scanners don't have a place; vulnerability scans are quick and simple tools that should be used on a regular basis to identify missing patches or outdated software in larger, less well-known environments.

Early in the process we try to familiarize ourselves with your company and the scope of work so that we're able to create an accurate proposal. We intentionally gather this information so that we never come back requesting more testing time (and additional costs). The more information you're willing to share, the better the assessment we can provide.

With that said, some clients may be seeking a black-box approach where little information is provided, simulating a real-world attack and response. In this scenario, we still need to grasp the size and complexity of what needs testing, and therefore have some basic scoping questions.

A question we hear often is whether we can meet compliance requirements. While this certainly requires a deeper discussion, our testing is in compliance with multiple pentesting compliance standards, including PCI, HIPAA, SOC 2, and others. That said, each compliance standard is different and should be discussed before moving forward. Contact us for more details.