
Penetration Testing FAQ

How much does a Penetration Test cost?

The price of a penetration test varies significantly depending on multiple factors, including the size of the scope, the complexity of the in-scope assets and applications, and any additional complexities in your network that may make the assessment take longer. Accounting for these variables, our team works hard to match the scope details to the security needs of your organization.

We also offer discounts for multiple-year contracts, ensuring your organization has a solid penetration testing partner and can stretch security budgets to get more done.

How long does a Pentest take?

The length of a penetration test can vary quite a bit, depending on the size and complexity of the in-scope infrastructure. Thorium's assessments can take anywhere from 1 week for a small ad-hoc web application assessment, to 2 to 3 weeks for a typically sized engagement, to a month or two for large, complex projects.

Will Penetration Testing crash my app/system/network?

While Thorium does everything in our power not to cause any issues, what we do is malicious in nature: poking, prodding, and pushing buttons that weren't designed to be pushed does occasionally come with unintended side effects. If we come across any critical issue that we believe attempting to verify could cause problems, we will reach out to you before we do anything. Ensuring these identified issues are properly confirmed and documented is crucial, but keeping your business running and your customers online is paramount.

During your assessment, your Thorium consultants will be available to you at all times. As rare as it is nowadays, should something come up, you can reach out at any time and halt the assessment.

Does your Pentest satisfy Compliance Requirements?

Thorium's penetration tests follow industry standards and meet the requirements of PCI, HIPAA, GDPR, GLBA and other compliance bodies when they require that penetration testing be performed. Each body differs in what it requires, and additional pieces may be needed to make you fully compliant. If you are subject to a specific compliance regime, please let us know so we can discuss how to make sure you meet its guidelines.

What do you need from us before a Pen Test?

We do our own due diligence to gather information about your organization, the technology you may be using, and your goals for the test. With this information, alongside your answers to our scoping questions, Thorium can provide accurate pricing for your assessment.

Before an assessment begins, we collect specific network information including a list of in-scope networks/applications/hosts, and some additional information to ensure we don't cause service interruptions during the assessment.

With that said, you may be seeking a "black box" approach in which little information is provided, simulating a real-world attack as closely as possible. In this scenario, we still need to understand the size and complexity of what is to be tested, and therefore have some basic scoping questions.

How much of Thorium's testing is Automated vs. Manual?

While automated tools are a small step early in our process, the majority of our assessment work is manual. The amount of manual work varies from project to project, but around 95% of each assessment is hands-on.

Automated vulnerability scanners do have a place, but they should not make up the majority of a penetration test. Vulnerability scans are quick and easy tools that should be run on a routine basis to identify missing patches or outdated software in an organization's environment.


© 2025 Thorium Information Security, LLC.
