A penetration test is essentially a real hacking attack performed by an ethical hacker. If the attack follows a structured, reproducible approach and a client legally commissions it as a test against themselves or their own IT, we call it a professional penetration test. This authorised attack is carried out by a so-called penetration tester.
However, the objectives of a malicious hacker and a penetration tester differ. For a malicious hacker it is usually sufficient to identify a single critical vulnerability and exploit it successfully. In a penetration test this is not enough: the penetration tester does not stop at the first vulnerability, but has to examine the entire attack vector using a structured approach.
In a black box pentest, the pentester receives only minimal information about the actual target. This is intended to simulate the attack of a malicious hacker as closely as possible. The pentester only knows which company is to be attacked and has to find out all other information, such as IP addresses or DNS entries, on their own. At the end, you gain insight into how far a real attacker would have got in the same amount of time.
The white box pentest is the opposite of the black box pentest: here the penetration tester receives all potentially helpful information. This includes, for example, documentation of the IT systems or the source code of the applications to be tested. The information basis corresponds most closely to that of an internal employee who already has too much access to various areas of the company's IT.
A compromise between the white box and black box pentest that works well in practice and is often carried out is the grey box pentest. The pentester receives all the information they could have found out themselves anyway, such as IP addresses and DNS entries, but no comprehensive documentation or source code. If they run into a problem where it would be helpful to know, for example, which database is being used in the background, they are given this information. The aim is to make the pentester's work as efficient as possible so that as many weak points and entry points as possible can be identified within the time invested in the pentest itself.
The cost of a penetration test depends on the time required for the pentest itself and the daily rate of the pentester.
A typical daily rate for penetration testing is between €1,200 and €2,000, provided the provider is a reputable and professional penetration testing service. Lower daily rates usually indicate that the provider is trying to sell an automated vulnerability scan instead of a manual penetration test.
The number of days required depends on the complexity of the target and of the attack vector being tested. Shorter penetration tests last only 2 days, while pentests of larger systems or applications can take several weeks. A realistic average is usually 5-10 days, with no fixed upper or lower limit.
Costs often start at €2,400-4,000 for a small pentest and quickly reach a level of around €8,000-10,000. For a complex and time-consuming pentest, the costs can be even higher.
Of course, conducting a penetration test has one primary benefit: vulnerabilities are uncovered before a malicious attacker can exploit them. But there are other reasons why companies have a penetration test carried out. Apart from the intrinsic motivation within the company to improve its own IT security, these are all external reasons.
As a company, you may be contractually obliged by your own customers (other companies) to have a penetration test carried out. This is particularly common when developing software or offering cloud solutions that process personal data or other sensitive data. The typical DAX 30 companies in particular are relatively strict in the security requirements they impose on their commissioned service providers. Implementing security standards or norms also often requires conducting penetration tests; ISO 27001 and PCI DSS are the prime examples. In addition to the GDPR, the requirements for KRITIS operators, the KBA requirements for iKFZ applications, the security requirements for digital health applications (DiGA), etc. ensure that penetration tests are carried out.