Advisory Services Calculator
IMR Service Catalog
SKU List
Email Red Team Scoping
Select Service
Choose One
-- Application Security --
Custom/Thick Application Security Assessment (CASA)
Mobile Application Security Assessment (MASA)
Secure Code Analysis (SCA)
Web Application Security Assessment (WASA)
Web Service/API Test (WAPI)
-- Penetration Testing --
External Network Penetration Test (EPT)
Internal Network Penetration Test (IPT)
Physical Security Testing
Wireless Penetration Test (WPT)
Cloud Penetration Test
-- Specialized Testing --
Device Penetration Test
Laptop Penetration Test
Medical Device Test
SAP Penetration Test
-- Security Assessments --
Phishing Drill - Click and Log
Phishing Drill - Credential Capture
Vishing Drill
-- Security Assessments --
Password Cracking and Analysis
Vulnerability Assessment (VA)
-- Red Team Group-led Exercises --
Collaborative Adversary Exercise
Adversary Emulation Exercise
Adversary Simulation Exercise
Clear
External Penetration Test (EPT)
External IP Addresses
Choose One
Up to 50
Up to 250
Up to 500
This is the number of live external IP addresses rather than the total allocated IP space.
Full service description.
Internal Penetration Test (IPT)
Internal IP Address Targets
Choose One
Up to 50
Up to 250
Up to 500
This is the number of internal IP addresses to be included as targets. If not all addresses are internal, additional testing services are required.
Full service description.
Wireless Penetration Test (WPT)
Physical Locations
Choose One
(1) Location
(2) Locations
(3) Locations
The total number of physical locations is inclusive of both individual floors of a building and different geographical building locations.
Full service description.
Vulnerability Assessment
Number of IPs
Choose One
Up to 500
Up to 1000
Up to 2500
This is the number of live IP addresses rather than the total allocated IP space.
Full service description.
Web Application Security Assessment (WASA)
Custom or COTS
Choose One
Custom Application
OWA
WordPress
Drupal
Joomla
SharePoint
SAP / Business Intelligence
Choose one of the following; while many standard web applications have known associated testing efforts, the vast majority will be custom developed.
Login Form
Yes
No
Is the application protected by a login form or authentication scheme?
REST API
Yes
No
Does the user interface interact with a REST API?
Number of REST API Methods
More than 20 methods
Less than 20 methods
Estimate the general number of REST API endpoints, methods, or unique calls that the user interface executes.
Shopping Cart
Yes
No
Does the application implement a shopping cart or similar style logic?
Custom Reporting
Yes
No
Are there advanced reporting features available for users to retrieve heavily customized reports on demand? (i.e., not standard, canned reports)
Multi-Tenant
Yes
No
Does the application host multiple unique organizations that each have the ability to manage their own users and roles?
Complex Ecosystem
Yes
No
Are there complex architecture or design aspects that add to the complexity of the user experience? Examples: multiple database back-ends, a heavy mixture of on-premises and cloud resources, out-of-band file upload processes that interact with the web experience, a thick client interface that populates web content, etc.
After Hours
Yes
No
Is it a hard requirement that the application be tested after hours? This may also impact the ability for the client to support the engagement in a timely fashion if issues or questions arise.
Web Service/API Test (WAPI)
API Type
Choose One
REST
SOAP
GraphQL
Total methods is inclusive of the total number of actions that can be performed against all endpoints.
Full service description.
Number of methods
Choose One
Up to 15
Up to 25
Up to 40
Number of methods
Choose One
Up to 40
Up to 60
Up to 80
Number of mutations/queries
Choose One
Up to 40
Up to 60
Up to 80
Mobile Application Security Assessment (MASA)
Mobile Platforms
Choose One
(1) iOS -or- Android
(2) iOS -and- Android
Mobile testing includes the assessment of (1) mobile application and can be done either on a single mobile platform (iOS, Android) or on both.
Full service description.
Custom/Thick Application Security Assessment (CASA)
Development Language
Choose One
Plaintext or Byte Code
Compiled Code
Testing includes (1) custom/thick client application. Plaintext and byte code language examples include Python, Electron, .NET, and Java. Compiled code applications must run on Windows, and language examples include C/C++, Rust, and Go.
Full service description.
Secure Code Analysis (SCA)
Lines of Code
Choose One
Up to 25,000
Up to 50,000
Up to 100,000
Lines of code is measured only in executable code and does not include comments or whitespace.
Full service description.
SAP Penetration Test
SAP Environment(s)
An SAP test includes internal testing of a distinct installation of SAP systems and supporting infrastructure.
Full service description.
Hardware Device Testing
Number of Devices
Hardware device testing includes testing of a single hardware device.
Full service description.
Medical Device Testing
Number of Devices
Medical device testing includes testing of a single device.
Full service description.
Laptop Penetration Test
Number of Laptop Builds
Laptop testing includes the assessment of a distinct physical laptop configuration and build.
Full service description.
Physical Security Testing
Physical Test Locations
Physical testing is performed in a limited or zero-knowledge, unescorted adversarial fashion.
Full service description.
Phishing: Click and Log
Targets and campaigns
Choose One
Up to 1000 emails and 2 campaigns
Up to 5000 emails and 4 campaigns
Phishing click and log is based on a maximum number of target email addresses to be included in the engagement, and a maximum number of total phishing campaigns to launch.
Full service description.
Phishing: Credential Capture
Targets and campaigns
Choose One
Up to 500 emails and 2 campaigns
Up to 1000 emails and 4 campaigns
Phishing credential capture is based on a maximum number of target email addresses to be included in the engagement, and a maximum number of total phishing campaigns to launch.
Full service description.
Vishing Drill
Targets and pretexts
Choose One
Up to 20 targets and 2 pretexts
Up to 50 targets and 3 pretexts
Vishing scoping is based on a maximum number of target individuals to be included in the engagement, and a maximum number of total pretexts to utilize for vishing context. Only one pretext will be utilized per individual.
Full service description.
Collaborative Adversary Exercise
Exercise Type
Choose One
Lite
Standard
Immersive
Refer to the full service description for detailed information on sizing.
Full service description.
Include Replay?
Yes
No
Purchase of a replay allows for an additional execution of one exercise to validate remediation.
Adversary Emulation Exercise
Exercise Type
Choose One
Lite
Standard
Refer to the full service description for detailed information on sizing.
Full service description.
Additional Weeks
Additional testing can be purchased in terms of weeks.
Adversary Simulation Exercise
Number of Items
Choose One
Lite
Standard
Refer to the full service description for detailed information on sizing.
Full service description.
Additional Weeks
Additional testing can be purchased in terms of weeks.
Include Physical Location?
Yes
No
Testing may optionally include a physical site.
Include Wireless Test?
Yes
No
Testing may optionally include a wireless location/SSID.
Password Cracking and Analysis
Number of Assessments
One assessment includes a single NTDS export from one domain controller containing up to 2 domains of credentials.
Full service description.
Cloud Penetration Test
Scenarios / Objectives in scope
General
Unauthenticated Attacker Reconnaissance
Assumed Breach
Compromised Developer Credentials
Compromised Low-Privileged Regular User
On-Premises to Cloud Lateral Movement
Cloud to On-Premises Lateral Movement
Azure
Compromised Service Principal of an Application
Conditional Access Testing
AWS
Compromised IAM Role
Cross-Account Access Testing
Assessment sizing is determined by the total number of distinct cloud scenarios and/or objectives to be included.
Full service description.
After Hours
Yes
No
Is it a hard requirement that the testing be performed after hours? This may impact the ability for the client to support the engagement in a timely fashion if issues or questions arise.
Effort Calculation
Service
Scope
SKU
Service Units
Add
Services Summary