Can You Cut the Cost of Penetration Testing to Match Your Budget?

January 10, 2022 Claranet Limited

Sixty-six percent of UK businesses increased their cyber security budgets within the last year. This is primarily a result of the constantly changing security landscape, as well as evolving workplace practices. 

Naturally, many of these businesses want to prioritise cutting costs where they can, especially in these uncertain times. However, in the case of security, it's not always possible. After all, peace of mind should take priority over saved pennies. 

Where “do nothing” is not really an option, what you can do is ensure you’re getting the most value out of your security testing. 

Today, we'll be discussing whether it's possible to cut the cost of pen testing or whether you should focus on ROI and value instead. Let's first start by weighing up the costs of ad hoc tests. 


Cost vs value: one-off penetration tests 

The cost of a penetration test will vary depending on the size of your business, the scope of the project, and the complexity of your environment. 

For three days of testing and one day of reporting, we estimate that an average test could cost around £4,000, and that is just the third-party consultant cost. There are also all the internal costs of managing the findings and mitigating the risks. If you were to provision these tests over a year, the costs would naturally stack up.

This is why many businesses opt to complete penetration tests either annually or whenever they have a system update or modification. This offers a high level of assurance at a single point in time. To maintain that level, ad hoc tests need repeating regularly, which, for many, is prohibitively expensive. This is why many are using modern approaches to get more value. You can have complete and consistent penetration testing AND it can be affordable. You need to adopt a Continuous Security Testing (CST) approach.


A better approach to testing 

CST is excellent value because it magnifies your return. For a slightly higher investment you get:

  • Continuous testing that is 24/7/365 (get a continuous picture of your security posture). 
  • A subscription pricing model (which budget owners often prefer). 
  • Flexible scoping (customers can change the scope at any time). 
  • Accurate, timely reporting and service advice. 
  • The expertise of a highly experienced team working round the clock to ensure your business is secure.
  • The peace of mind that comes from working with reliable, CREST-certified partners. 

If you carry out occasional penetration tests in-house, you don’t get the security insight that your business needs. 

With Continuous Security Testing, you may not spend less, but you will get better quality security and more value for the cost. 


The value of peace of mind 

When it comes to protecting your business, a reactive approach will always cost more, because the lost productivity, lost revenue, and damages it responds to have already taken place. Through a proactive investment, however, you hedge against cyber threats, reducing the negative impact, including financial and reputational damage, on your business.

Your IT security is a necessary investment, much like the locks on your house doors and windows. 

But not all security practices provide the best value for your business. With one-off penetration testing, you get a limited view of your security, which may mean you’re missing a cyber security risk that could have a significant impact on your business.

Just take a look at the cost of an average data breach. As it stands in 2021, organisations pay an average of £3.22 million ($4.24 million) per breach. And the costs are only rising. 


At Claranet, our CST service combines continuous, automated vulnerability scanning with logic-driven human intervention. We weed out false positives, offer expert remediation guidance, and provide value for money. 

If you'd like to learn more, please get in touch for a quote. 
