
Conducting a security audit has a cost. When companies are asked about the budget they devoted to it, we often hear “between €10k and €20k”, sometimes a little more, sometimes a little less. However, there isn’t really a standard price for this type of service: it all depends on what is done, how, and by whom. If the main objective is to be able to show that a pentest has been carried out within the last 6 months, it is possible to make concessions in order to respect an extremely limited budget.
The objective of this article is not to encourage companies to choose “degraded” services for budget reasons, but to provide concrete solutions to those who have a real budget problem and yet urgently need to have a pentest carried out. This is particularly the case for young startups who find themselves in the process of selling their solution to a major account and who are sometimes blocked when they cannot provide a pentest report. The best solution would be to have enough budget to do a thorough security audit, but unfortunately this is not always possible.
A penetration test, or pentest, remains the best way to assess the security level of a system or platform. Beyond an analysis of the technical choices that have been made and the protections that have been put in place, it concretely tests whether security flaws can be found and exploited. The approach is qualitative, and goes further than automated scans.
It is possible to conduct this type of service by limiting the scope to be audited, the depth of the audit, or both. Defining limits on the scope or depth of the audit limits the time to be spent on the tests, and therefore the cost of the service. In an “extreme” case, the pentest can be limited to a single man-day, which amounts to conducting a “mini” pentest.
In fact, every pentest has its limits. One could almost always spend more time, in order to cover a wider scope or to go further in the analysis. Likewise, a highly motivated attacker will always be able to spend more time trying to compromise a target… if it’s worth the effort. For a company that would like to carry out a pentest, the important thing is therefore to delimit the pentest according to its security stakes, its level of risk, its priorities in terms of protection, and its needs in terms of communicating about its security level.
A “mini” pentest has the following advantages:
Depending on the results of the pentest, one of the following situations (or something in between the two) will result:
The “mini” pentest approach is interesting for a target in production (for which one wishes to obtain a very first security feedback) or for a target under construction (for example an application under development, for which one wishes to have feedback along the way in order to build on a good basis).
Of course, a “mini” pentest is not suitable for every business. In many cases, it would be a useless service, as it would be far too superficial.
In some cases, a 5 man-day pentest could also be considered a “mini” penetration test, given the security stakes of the company and therefore the need for a more complete analysis. The objectives to be achieved must always be put into perspective with the means allocated to achieve them.
In addition, for companies that choose to conduct a “mini” pentest, it is usually a step towards implementing regular penetration tests or other security actions. The aim is to put a first “foot in the door”, knowing that the results of this first pentest can lead to awareness at different levels (whether at the level of a technical team or at management level, for example).
Even on a very short-term basis, the “mini” audit is usually followed by questions:
In any case, it is possible to carry out a “mini” penetration test for a budget of less than €1,500, and in some cases this makes it possible to break the deadlock with a first security audit. For some companies this will be relevant, and for others not.
If you are unsure how to proceed in your case, you can contact the Vaadata team for a quick assessment of your needs.