Billing Rate For Vulnerability Management

egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+), Member, Posts: 502

For the experienced consultants out there: how much do you all typically bill for Vulnerability Management? VM typically includes vulnerability scanning, scheduling, vulnerability remediation, vulnerability reporting, etc. You can share specific rates or provide your rate as a percentage of the hourly wage of a full-time employee (FTE).
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSOM, GSEC, EnCE, C|EH, Cloud+, CySA+, CASP+, Linux+, PenTest+, Security+), Surf City, USA, Admin, Posts: 12,715
    If you refer to it as Enterprise Vulnerability Management (EVM) you can charge a lot more! ;)
  • egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+), Member, Posts: 502

    OK, thanks, way to go with hacking the title. I wish I could get some type of market rate on it though.
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSOM, GSEC, EnCE, C|EH, Cloud+, CySA+, CASP+, Linux+, PenTest+, Security+), Surf City, USA, Admin, Posts: 12,715
    The rate will vary considerably depending on the size, industry, and geographical location of the organizations that you are targeting as your customers. Medical, financial, and ICS customers will all expect to pay different rates, as would orgs in the US, LATAM, and India. You also have other factors which determine rate, such as Cloud vs. on-prem systems, external VM hunting (bug bounties), and whether you are coordinating multiple org teams to perform the VM duties or supplying VM to the org yourself. It's quite a shopping list of services that you could offer in terms of planning, implementation, and day-to-day VM operations. Of course, most customers will want you to supply the best possible service for next to free. ;)
  • UnixGuy (Are we having fun yet?), Mod, Posts: 4,435
    Pricing is a very tricky thing to get right. Someone will pay top dollar to a household name like Accenture or Deloitte to run a Nessus scan, but they'll pay half of that for a new consultancy using the same tool.

    It's all about how you market yourself. Do market research in your area, suss out how much companies usually pay. Get quotations from several providers and price accordingly. Offer it as a package with something else so it's not just a vulnerability scan and a report.

    Don't undersell your services, as you're building your own brand, so whatever you do, this will be what you'll be remembered for: "the guy who charges less than market rate" or "the guy who provides high-quality service".


    I know this isn't the answer you're looking for but I don't have a specific number!
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube Channel!

  • egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+), Member, Posts: 502

    Thanks for the nuggets, @UnixGuy... you actually gave the perfect answer by providing a practical process to arrive at the solution.
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • bigdogz, Member, Posts: 881
    I am a little older than Jesus, so my rates are higher than most but I am very good at what I do and follow through to assist customers.

  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSOM, GSEC, EnCE, C|EH, Cloud+, CySA+, CASP+, Linux+, PenTest+, Security+), Surf City, USA, Admin, Posts: 12,715
    I think the adage "You get what you pay for" is bubbling up in this discussion. ;)