Remote Exploit Forums

  #1 (permalink)  
Old 11-02-2009, 04:26 PM
IAMZOMBIE's Avatar
Member
 
Join Date: Sep 2009
Posts: 69
Bidding on Jobs -- How do you guesstimate time?

Do you guys have any strategies or tools or formulas or anything to help with speccing the time on a Pen-Test or Vulnerability Assessment?

I usually just kind of guess and if I go over I'll just eat the time. However, I usually do smaller (10-20 server) jobs where going over by 20-25% isn't a big deal. I'm trying to bid on a project that's a LOT bigger than any prior job, and I have no clue how to guess how many hours it will take...

Thoughts? Advice?



  #2 (permalink)  
Old 11-02-2009, 05:55 PM
mikec's Avatar
Member
 
Join Date: Oct 2009
Location: 55.762, 37.628
Posts: 75

When I first started I wanted to eat overtime the same way you appear to want to. However, as the jobs add up and you get more experience (I assume you are somewhat new because of the nature of your question) I think you will find that jobs often exceed estimates. Sure, you might be a great estimator, but the fact is that there is usually more work than you initially believe (an onion has many layers).

To counter this I communicate from the very beginning that what I have given is an estimate to the best of my professional abilities and that it will likely go over and that you will be charged for all the time I put into the project. For this to work they have to trust you not to rip them off, but that is normal, trust is a big part of the equation. If you have a good relationship, appear confident and competent then things should go well.

As for how do you make a good estimate, that is very difficult, just try it many many times. Sometimes you will be way off and that will be a learning experience (those times you usually have to eat the mistake).
  #3 (permalink)  
Old 11-02-2009, 09:25 PM
thorin's Avatar
Senior Member
 
Join Date: Feb 2006
Location: Northern Hemisphere
Posts: 2,445

It kind of depends on a number of factors.

1) Pentest takes more effort than VA.
2) Amount of validation.
3) # of systems.
4) Reporting requirements (a full blown doc in a word processor takes a lot more time than an executive summary with all the results in a spreadsheet).
5) Only network/infrastructure level or also including web apps?
__________________
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
  #4 (permalink)  
Old 11-03-2009, 10:42 PM
webtrol's Avatar
Member
 
Join Date: Oct 2007
Posts: 84

(disclaimer: my experience is in estimating Dev jobs - Java for last 8 years or so, C++, VB etc. before)

There are 2 parts to estimate:
1) initial estimate.
2) confidence level.

The only good way to learn how is to get experience and know how much something takes for a particular team/person.
Divide the project into as small as possible tasks or sub-projects.
Whenever estimating new technologies or completely new types of projects, confidence of estimate is low and as such I add more and more padding to each step (each step might have a different confidence level). THEN I add customary final padding at the end :P.

Then when I get the final number I do a sanity check on that to make sure I did not get it way too big.
While I do not remember any of my projects missing dates, I do remember VERY well last weeks being a hell on wheels often enough.

Sin-cerely,
Trol

P.S. The more defined goals/requirements the easier to estimate.
__________________
He either fears his faith too much, or his deserts are small
who dares not put to touch, to win or lose it all.