$995 Penetration Test

This service is an off-site, non-exploitative test of up to 25 individual Internet Protocol (IP) addresses or URLs owned or controlled by your organization. To perform this service, you must designate the IP addresses you wish to be tested, and we will perform testing using our toolkit of automated testing solutions.

The IT security industry has not yet developed consistent or standardized terms for describing the specific characteristics of penetration tests or vulnerability assessments. In many settings, the terms ‘penetration test’ and ‘external vulnerability assessment’ may be used interchangeably, while in other settings a ‘penetration test’ may refer to more in-depth testing that seeks to actively exploit detected vulnerabilities in order to compromise (or demonstrate the ability to compromise) specific systems or assets. When we describe our testing as non-exploitative, we are referring to the fact that we will report on detected vulnerabilities or weaknesses but we will not attempt to actively exploit these findings. Within the context of this service, the terms penetration test and external vulnerability assessment are generally synonymous. We consistently use the term ‘penetration test’ to describe this service because this is the label most familiar to our clients.

Our toolkit is constantly reviewed to ensure we are able to meet the challenges presented by a continuously evolving security environment. Representative tools we have used include Nessus, Nexpose, Metasploit, & Retina. The tool(s) selected for your engagement may vary based on our perception of the appropriate tool necessary to properly assess your environment. As a rule, we only utilize subscription-based tools in order to ensure we are using tools with updated definition files to facilitate testing for recently emerged exploits or vulnerabilities.

We’re a professional service firm that was founded in 2003 and has worked extensively in the banking industry in the midwestern United States. We value our reputation for competence and honesty and we’ll do everything in our power to deliver on our commitments to you. As a former senior FDIC IT examiner, our CEO understands the obligations we have to our clients and that our reputation is our most valuable currency.

One of the characteristics that set us apart from the competition is the manner in which we structure our IT audit teams. Many firms utilize individuals with a traditional audit background to perform testing services. Although these individuals may possess credentials such as the CISA or CEH, many do not have practical work experience as a network administrator, which diminishes their ability to understand the mechanics or results of a penetration test since they haven’t worked directly with the technologies or systems being audited. Instead of this approach, we have been fortunate to maintain blended teams that include personnel with experience in the administration of complex network environments and personnel with more traditional IT audit experience, as they generally have a better knowledge of internal control systems and audit practices. In practical terms, this approach yields more in-depth, technical IT assessments while ensuring that we fulfill all necessary audit functions and provide a comprehensive evaluation of your environment.

For our penetration testing services, you will work with one of our experienced technical IT auditors, which provides our firm with the ability to discuss – in detail – the findings of our review with your internal IT personnel or 3rd party network services providers or vendors. We actively attempt to filter false positives or errors generated by our automated tools before providing you with a report and our auditors are available to discuss your findings in detail after the conclusion of our testing.

Your test will be performed by direct employees of Superior Consulting, LLC. At present, all of our employees are based in the United States, subject to extensive criminal and civil background checks, and have confidentiality agreements with our firm. We will not utilize 3rd party contractors to perform any of our testing without providing prior notice to you and, unless otherwise stated, all testing will be performed by our direct employees. We do not outsource any testing or assurance activities outside of the United States.

Absolutely. We frequently performing testing services on systems hosted by Amazon Web Services, Microsoft Azure, and other cloud providers. Please note: these providers commonly require YOU to request and obtain permission from them prior to the start of any testing. It is your responsibility to obtain this permission and provide documentation to this effect to our personnel prior to the commencement of any testing.

Performance of testing requires an executed engagement letter between Superior and your company. Once we have the appropriate contracts in place, testing can ordinarily be scheduled to commence within the next 48 – 72 hours; however, expedited testing may be available upon request.

Our $995 service fee provides for the performance of a single test at a time of your choosing. We also offer more frequent testing intervals, which may or may not be further discounted depending on size and frequency. Many organizations perform testing on a predefined schedule, such as monthly, quarterly, or semi-annually. As a best practice, we strongly encourage all organizations to perform a penetration test after any changes to your firewall configurations or installation of new, externally-facing hardware. An external penetration test is the only way to effectively validate that these changes did not result in the creation of new vulnerabilities. Periodic penetration testing is also an excellent mechanism for demonstrating the effectiveness of your overall monitoring program to regulatory authorities, customers, and internal users.

This is the easiest question we receive – the answer is simple: value and transparency. In an effort to simplify the morass of different terms and highly variable – often excessive – pricing for this service, we decided to develop a competitive, value-based, fixed priced offering based on the needs of our clients. We believe our fixed $995 pricing represents a clear and equitable price for this service. By the way, when we say $995, we mean it! As stated above and below, the $995 test covers 25 external IP addresses and includes a formal report written by our personnel (not just a canned automated report). This price does not cover re-testing, more than 25 IP addresses, multiple testing reports, or services rendered outside the normal course of the engagement (e.g. depositions, regulatory responses, extensive post-engagement consultation). We’re happy to offer those services as well, but in order to deliver on our fixed $995 price, those are necessarily outside of the scope of our engagement.

Unfortunately, we can’t control what other firms charge, but we can control our own prices and quality of work. Superior Consulting has been working with financial institutions throughout the Midwest since 2003. During that time, we have developed an excellent reputation as one of the leading providers of consulting services to banks and data centers in this region. We can certainly provide a list of bank or other industry references to you upon request. Our audit personnel are consummate professionals and have over 80 years of combined experience in the banking and IT industries.

We issue a formal report for all of our review services. This report will include an overview of the findings from our test (management report), as well as any recommendations regarding remediation. A copy of the full automated testing results will be included as an appendix to our report. To reiterate the above, the management report is written directly by our personnel and the results of any scanning are added as an addendum, with our goal being that the final deliverable from our engagement will be polished and understandable.

We issue all of our reports in electronic format (PDF) via our proprietary secure website or via secure e-mail. Report turnaround time generally requires one to two weeks in order to process the report through our internal quality control function; however, expedited issuance of reports is available upon advance request.

Absolutely, please Contact Us if you would like to obtain a sample external penetration testing report.

Certainly. Please Contact Us in order to receive a customized proposal specific to your environment and the volume of addresses you require to be tested. We regularly provide testing for organizations with more than 25 distinct external IP addresses; however, we find that most organizations have less than 25 addresses that require testing, which is why we’ve set our pricing threshold at this level.

Sure. As a rule, our pricing works on a block basis, so each additional block of up to 25 IP addresses will result in an additional $995; however, we occasionally offer discounts in order to ensure our pricing is equitable. Please Contact Us to discuss the specifics of your situation.

Re-testing is not included in the $995 price. Our goal with the $995 price is to deliver a fair value to all our clients regardless of whether or not a given client requires re-testing services. In consequence, our service offering is not padded with additional time or margins that may or may not be justified depending on your decision to request re-testing. If re-testing is required, we do offer this service at a reasonable additional fixed fee of $595 for a single re-test including the issuance of another formal report OR a discounted fee of $295 for a re-test without an additional formal report.

Yes, we are able to issue additional formal reports that separate the results of our testing, but an additional cost may be incurred. As stated above, our $995 pricing is a fixed price for delivery of a very inclusive yet specific service offering. We don’t pad our pricing to cover deviations from the norm, so changes of this nature may result in an additional charge. We always commit to keep any additional costs fair and commensurate to the cost of the underlying engagement.

No! We strongly encourage you to read our statements and responses above and our Terms & Conditions below. Our $995 test is, as referenced, a non-exploitative assessment principally utilizing automated vulnerability scanning tools. If you have specific needs that are not encompassed by the scope of this offering, please Contact Us as we’re happy to help you evaluate them; however, please understand this service is not designed to replace an intensive, multi-week, and technically complex testing service.