T-shirt sizing is a common pricing approach. The buyer is presented with fixed-price options based on pre-defined criteria. They can choose Small, Medium, Large, or whatever nomenclature your marketing and sales team decides on. My experience is selling penetration testing and other cybersecurity services, but this approach is common across many industries.
T-shirts are rarely made-to-measure. Even when they’re comfortable, there are still compromises. They’re built for averages, not accuracy. Convenient, fast, and “good enough”, sure. But they’re not tailored.
This trade-off is what plays out when t-shirt sizing is applied to penetration testing.
For sales professionals, it reduces friction and can potentially increase short-term close rates. It’s easy to learn, easy to sell. Each product fits trivially as a line item in a spreadsheet, analytics are much easier and more segmented, and a client can often be moved towards a self-service sales flow with a ‘Buy Now’ button.
If you’re the buyer, then it reduces overhead, limits the potential for decision paralysis, and gives pricing transparency.

Where It Breaks Down
That said, a buyer of a penetration test is usually not a subject-matter expert. They do not know the intricacies of the intended target assets. Even technical buyers are often railroaded into subpar choices.
A web application may define t-shirt size by the number of pages. A static website detailing bird species might have 25,000 pages and be labelled ‘XL’. But selling any shirt at all would be egregious, as the content is static. A Single Page Application (SPA) technically has a Single Page, so ‘XS’. But SPAs can be extraordinarily complex. Look at Twitter (fight me). Either the client is being egregiously overcharged, or delivery will be working under unnecessary pressure.
This approach leads to significant challenges for delivery teams if a shirt is undersized. Unrealistic time pressures, unprofitable engagements, and staff morale challenges are all outcomes of poorly scoped engagements. The budget is blown out, recoverable only from kind customers willing to sign off on variations. The report is indefensible. Pre-canned or generated content, fluff and padding, obvious corners being cut, and a significant lack of editorial polish can all be present. The assets you are assuring as adequately protected are actually at risk. Consequently, your reputation as a tester or testing firm and your clients’ trust have been eroded.
You saved 30 minutes of scoping time. You also walked away with zero or negative margins, a frustrated client, and a stressed-out delivery team. All because that t-shirt didn’t fit.
Another analogy is health insurance tiers. Paying for the highest tier without needing the coverage is wasted spend, while choosing the wrong tier can still leave you uncovered where it matters.
Defining tiers is the challenge: they must be simple, marketable, and progressive. This is difficult when most businesses have unique technology assets, unique threats, unique business profiles, and unique constraints.
A simplified example:
Small Pentest
- 1 user
- 10 to 20 user features
Medium Pentest
- 2 users
- 20 to 30 user features
Now what if the client’s product is:
- You and 2 users can modify the permissions
- 5 user features
Which shirt do you choose here?
Medium because they have more than 1 user?
Small because they have very few user features?
Medium because permissions add extra complexity?
The next step is a talk with an internal consultant for a bespoke scope.
Now, why have t-shirts in the first place?
So, you introduce a rule. If any single parameter exceeds the criteria of a lower tier, you must select the higher tier. A new client has 5 user roles, but two usable features: Large—excellent, price gouging.
The solution? Define more rules and more tiers. At this point, simple, marketable, and progressive tiering is no longer possible.

Why I Don’t Sell T-Shirts
This is why I don’t sell t-shirts. I sell tailored suits. Bespoke penetration tests for discerning clientele. Each customer is unique and special. I don’t run a factory.
My principles are accuracy, quality, and fairness. If you’re looking to get a test, then I will sit down and talk it through with you. I want to know what you want tested, how it works, who its audience is, what the workflow is, and what you actually need at the end. I might be willing to give you a ballpark range for effort and cost based on a brief rundown of it, but I won’t give you a quote until I understand it. These principles may sometimes lose me sales, but I guarantee that you will be happy with the outcome. No surprises, just clean and accurate work. It’s often considered the ‘harder way’, but it’s far less painful than the potential outcome of the alternative, for both sides.
The Avalanche Effect
Pentest delivery can be an avalanche. A minor flaw or mistake early in the preparation stage can snowball throughout the delivery process. That missed depth in identifying API mutations can lead to scrambling to adjust the test plan on the fly, delayed execution, delayed delivery, a potentially compromised report, and a schedule that’s now impacting the next client in line.
“Best Effort Testing”
‘Best effort testing’ is the ultimate result of an under-scoped test. Whether that’s communicated to the client or not, it’s delivery lingo for “We’ll do as much as we can by the deadline. But it won’t be comprehensive.” It may meet the deliverables’ requirements, but it will be shallow. It will always come with the caveat that a follow-up test should be performed.
So with that said, what scoping questions should you ask?
What are the red flags for both sides?
How should delivery push back internally if a sale is seen as risking quality?
If you want a quote instead of a guesstimate, chat to us at Galah Cyber. If you’re unsure about a quote you’ve received, even from another provider, we’re happy to double-check the scope before you commit. Contact a Penetration Testing Expert.