Pentest scoping insights
Technical writing on penetration test scoping, man-day calculation, vendor pricing and procurement.
- 8 min read · procurement, vendors
How to tell a good pentest vendor from a bad one
The same label covers an enthusiast with an automated scanner and a team of certified specialists: both call it a 'penetration test'. Here's how to tell them apart before you sign.
- 9 min read · buyers-guide, scoping
Before you order a pentest: a complete buyer's guide
Most failed pentests fail before the tester writes a single line. They fail at the brief. This guide helps you commission a test that delivers what you actually need, without paying for it twice.
- 9 min read · scoping, methodology
Pentest scoping — a technical deep dive into what really drives the number
Why does an API quote 2 MDs and a web app 9? What pushes a number from 3 to 12? A technical walk through every scoping driver.
- 6 min read · procurement, pricing
Why vendors lower their MD rate — and inflate the MD count
If your pentest vendor just dropped their day rate, check the MD count. The total has a way of staying suspiciously similar.
- 7 min read · scoping, estimation
How pentest man-days are actually calculated
Most pentest quotes are a black box. Here is what a defensible MD calculation actually looks like — surface units, role multipliers, gating and overhead.