Procurement loves a discount. "We cut your day rate by 15 %." The CFO is happy, the contract is signed, the kick-off is scheduled. Six weeks later the invoice arrives — and it is exactly what last year cost. Sometimes more.
The mechanic
The lever a vendor protects is gross margin per engagement, not the day rate. When the day rate is squeezed, the only honest moves are: do less work, send a junior, or accept lower margin. Less ethical vendors take a fourth path — quietly inflate the man-day count.
It looks like this:
- Last year: 10 MDs × €1,200 = €12,000
- This year, after "negotiation": 13 MDs × €1,020 = €13,260
Same scope. Same application. 15 % "off" the rate. The invoice went up. The buyer almost never spots it because nothing is benchmarked.
Why it works on you
- You have no independent baseline. Without a reference calculation, any MD number sounds plausible.
- Vendor expertise asymmetry. They scope every day; you scope twice a year. They win every conversation about "complexity".
- Overhead is invisible. Project management, workshops and reporting are bundled into scope MDs — an easy place to hide an extra day or two.
- Black-box is over-quoted. A genuine black-box engagement against a thin perimeter is a small job, yet some vendors quote it as if it were a full grey-box assessment.
How to detect it in 5 minutes
- Run the same scope through an independent calculator (yes, like PentestPlanner). Compare the MD breakdown line by line.
- Demand the split: scope MDs vs PM / reporting / retest. Anyone who refuses is hiding something.
- Ask which roles, which sizing unit, and which gating flags were assumed. Vague answers = inflated quote.
- Compare year-over-year MD count for the same asset. It should only move if the asset changed.
What good vendors do
They show their math, they separate scope from overhead, and they welcome an independent calculator on the other side of the table. The honest ones want the buyer to be informed — it shortens negotiation and protects long-term trust.
Where this platform helps
PentestPlanner produces a deterministic, methodology-aligned MD estimate from the same inputs the vendor uses. Drop a quote next to a PentestPlanner output and the inflation — if any — becomes visible in seconds. You don't have to be a pentester to ask the right question. You just have to have the number.