
What is a fair fee to pay for a penetration tester in the USA to test a website running on PHP, Linux, MySQL and make recommendations for fixes?

The site has thousands of pages and is running a YouTube Clone script and some WordPress scripts and is similar to a site like this one: epinions.com

    This question is quite vague so it will likely get closed. FWIW, first develop a detailed requirements document and determine if you need a [Vulnerability Scan or a Penetration Test](http://security.stackexchange.com/questions/2837/what-is-the-difference-between-a-penetration-test-and-a-vulnerability-assessment). Then shop around. The more detail you can provide in the requirements doc the more accurate the estimate will be. – user2320464 Sep 01 '16 at 18:32

1 Answer


It all depends.

There are some flat-rate companies that charge by the size and scope of the project (i.e., 10 public webservers, 10 internal servers, 3 firewalls, 1 domain, 100 users, etc. = $X).

Then there are some companies that charge by T&M (time and materials). In which case, the longer the project goes on, the more it costs.

We tend to do fixed-fee assessments because we know how long a project should take for a given size. But again, it all depends on the size of the environment. For example, Netflix (in the US anyway) may be just one site, but may be powered by thousands of servers, a huge infrastructure footprint, etc.

Recommendation

Get a few quotes from some trusted vendors/consultants and pick the one that works best for your comfort level and budget.

HashHazard