Information security needs to be a critical component of all businesses. There are many ways to lock down your information security and there are also many ways to test how secure your organization actually is. A penetration test is one of those methods for testing the security posture of your organization.

What is a penetration test?

Penetration testing is a real-world examination of how secure your systems, infrastructure, and buildings are—by attempting to exploit (or gain access to) them. By having your security vulnerabilities exposed, you get a better understanding of where your security issues are and where improvements can and should be made.

But it’s not always advantageous to get a penetration test.

When Should I Get One?

Think of it this way. If you wanted to find out how effective the security system of your house was, you could hire someone to attempt to burglarize you and your home. That’s essentially what a pen test does.

If you don’t have a home security system in place yet though, the staged break-in would be too easy. It’s important that you do a home inspection and install your security controls before testing how they work.

The same is true with a penetration test. If you’ve never had a proper security assessment done on your organization and security practices (or if you don’t have security practices in place at all), finding out how vulnerable they are is both premature and a waste of your time and money.

What Should I Look For?

If you have had a security assessment done for your organization and are ready to schedule a penetration test, there are three things you should consider before selecting someone (or an organization) to conduct the security testing for you:


A Methodology

Is the tester just going to wing it or is there a process rooted in an industry standard? A lack of documented, repeatable methods is a sign that you’re working with an amateur.

Consider vetting which penetration testing tools they use. Ensure they are up to date on current hacking trends and known vulnerabilities and that they start their testing with any security weaknesses related to those.

Solid Reporting

Don’t settle for someone who’s only going to point out problems. Expect at a minimum an executive summary, a full report with “attack narrative” and appropriate, doable recommendations rooted in reality.

A Real Penetration Tester

Insist on talking to your pen tester and/or security team. It’s important to vet their background and experience. At FRSecure we do about 100 penetration tests per year, and our team has OSCP training as well as numerous competition awards (like Defcon CTF and Wild West Hacking Fest). If you’re going to have one of these tests done, find security professionals who have similar experience and accolades, so you know you’re not just getting some “script kiddie.”


What Does this Cost?

At FRSecure, we believe in telling the truth (it’s actually our number one core value as a company). When I searched for the cost of a network penetration test on my favorite search engine, few people ACTUALLY attempted to answer the question. Most just said, “it depends.”

Well, buckle up, because here comes the truth about the cost of a penetration test.

Let’s do this by size of organization.

External Network Penetration Test Pricing

External testing attacks network devices from the internet.

  • $6,000 for a small business (fewer than 100 employees) with fewer than 5 active, public-facing IPs.
  • $15,000-$20,000 for a medium-sized business (100-500 employees) with fewer than 25 active, public-facing IPs.
  • $20,000-$30,000 for upper mid-market companies (1,000-3,000 employees) with 25-50 active, public-facing IPs.
  • $50,000+ for large companies (Fortune 500-ish) with hundreds of active, public-facing IPs.

Internal Network Penetration Test Pricing

Internal testing attacks network infrastructure from inside your network.

  • $10,000 for a small business (fewer than 100 employees) with <100 network devices.
  • $10,000-$15,000 for a medium-sized business (100-500 employees) with <500 network devices.
  • $25,000-$50,000 for upper mid-market companies (1,000-3,000 employees) with <3,000 network nodes.
  • $75,000+ for large companies (Fortune 500-ish) with thousands of network nodes.

If your penetration test is pursuant to PCI compliance, add ~25% to the cost. There’s just more paperwork and a level of tedium involved to get it right.

Of course, I’m obligated to say that every network is different and that you should get a customized quote. Get a few. Make sure they are apples-to-apples comparisons—and that they actually meet your network security objectives.

For more information on penetration testing, social engineering, vulnerability scans, other technical security services, and to find out how to schedule one for your organization, visit

penetration testing

John Harmon
President at FRSecure
John Harmon is an alum of Concordia College in Moorhead, MN and has 10+ years of business leadership and IT industry experience, through which he developed an affinity for information security. As president, John's focus is helping clients better understand security requirements and implement effective information security strategies. As FRSecure continues to enjoy positive growth, he is constantly working to refine procedures and leverage our customer feedback to keep FRSecure providing ever-improving value.

1 reply
  1. Sandra Patterson
    Sandra Patterson says:

    Thank you for explaining that with a penetration test, you should expect at least an executive summary and not just someone that will point out problems. I can imagine that if I owned a business, I would want to be sure that my information, as well as the information of my clients, is secure. I will be sure to remember this if I ever have a concern with the security of technology in any setting and recommend a penetration test.

