Information security needs to be a critical component of all businesses. There are many ways to lock down your information security and there are also many ways to test how secure your organization actually is. A penetration test is one of those methods for testing the security of your organization.

What is a penetration test?

Penetration testing is an examination of how secure your systems, infrastructure, and buildings are— by attempting to exploit (or break into) them. By having your weaknesses exposed, you get a better understanding of where security improvements can and should be made.

But it’s not always advantageous to get a penetration test.

When Should I Get One?

Think of it this way. If you wanted to find out how effective the security system of your house was, you could hire someone to attempt to burglarize you and your home. That’s essentially what a penetration test does. If you don’t have a home security system in place yet though, the staged break-in would be too easy. It’s important that you do a home inspection and install your security measures before testing how they work.

The same is true with a penetration test. If you’ve never had a proper security assessment done on your organization and security practices (or if you don’t have security practices in place at all), finding out how vulnerable they are is both premature and a waste of your time and money.

What Should I Look For?

If you have had a security assessment done for your organization and are ready to schedule a penetration test, there are three things you should consider before selecting someone (or an organization) to conduct the testing for you:


A Methodology

 Is the tester just going to wing it or is there a process rooted in an industry standard? Lack of documented, repeatable methods are a sign that you’re working with an amateur.

Solid Reporting

Don’t settle for someone who’s only going to point out problems. Expect at a minimum an executive summary, a full report with “attack narrative” and appropriate, doable recommendations rooted in reality.

A Real Penetration Tester

Insist on talking to your penetration tester. It’s important to vet them about his or her background and experience. At FRSecure we do about 100 penetration tests per year, and our team has OSCP training as well as numerous competition awards (like Defcon CTF and Wild West Hacking Fest). If you’re going to have one of these tests done, find an organization who has similar experience and accolades, so you know you’re not just getting some ‘script kiddie’


What Does this Cost?

At FRSecure, we believe in telling the truth (it’s actually our number one core value as a company). After searching for the cost of a network penetration test on my favorite search engine, few people ACTUALLY attempted to answer the question. Most just said, “it depends.”

Well, buckle up, because here comes the truth about the cost of a penetration test.

Let’s do this by size of organization.

External Network Penetration Test Pricing

 External network penetration tests attack network devices from the internet.

  • $5,000 for a small business (fewer than 100 employees) with fewer than 10 active, public-facing IP’s.
  • $10,000-$15,000 for a medium-sized business (100-500 employees) with fewer than 25 active, public-facing IP’s.
  • $15,000-$30,000 for upper mid-market companies (1,000-3,000 employees) with 25-50 active, public facing IP’s.
  • $50,000+ for large companies (fortune 500-ish) with hundreds of active, public-facing IP’s.

Internal Network Penetration Test Pricing

Internal network penetration tests attack network infrastructure from inside your network.

  • $7,500 for a small business (fewer than 100 employees) with <100 network devices.
  • $10,000-$15,000 for a medium-sized business (100-500 employees) with <500 network devices.
  • $25,000-$50,000 for upper mid-market companies (1,000-3,000 employees) with <3,000 network nodes.
  • $75,000+ for large companies (fortune 500-ish) with thousands of network nodes.

If your penetration test is pursuant to PCI compliance, add ~25% to the cost. There’s just more paperwork and a level of tedium involved to get it right.

Of course, I’m obligated to say that every network is different and that you should get a customized quote. Get a few. Make sure they are apples to apples comparisons— and that they actually meet your objectives.

For more information on penetration testing, and to find out how to schedule one for your organization, visit

penetration testing

John Harmon on FacebookJohn Harmon on LinkedinJohn Harmon on Twitter
John Harmon
President at FRSecure
John Harmon is an alum of Concordia College in Moorhead, MN and has 10+ years of business leadership and IT industry experience. Since joining FRSecure in 2012, John has worked with FRSecure clients and partners to further FRSecure’s world-class mission of building better security programs. As President, John has developed an affinity for information security regulation. His primary focus is helping our clients clarify security requirements and start working toward an effective information security strategy. His ability to effectively communicate to individuals and groups is derivative of his business leadership experience and 15+ years as a classically trained singer, a passion he still pursues today. Internal process improvement is also a focus for John. As FRSecure continues to enjoy positive growth and reach, he is working behind the scenes to refine procedures and leverage our customer feedback to keep FRSecure providing ever-improving value.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *