Core Security have further simplified their pricing for Core Impact, out have gone abstract concepts like Workspaces and IP restrictions, in have come a simple 3 step model with “Basic”, “Pro” and “Enterprise”.
The new pricing takes effect from March 2021 on and is for new users. There is a process (not discussed here) for transitioning old users onto the new model at the appropriate time.
Each of the 3 levels of product come with unlimited IPs and unlimited Workspaces, but varying levels of functionality as defined in the table below.
All prices are per named user. There is a fair degree of flexibility with this, allowing for staff vacations and the like. But if you have a team of 4, then you really should have 4 copies. There are bulk discounts available (see below).
| Feature | Basic | Pro | Enterprise |
|---|---|---|---|
| Network testing The ability to look for and exploit CVEs | ✔ | ✔ | ✔ |
| Client-Side Testing Phishing attacks | ✔ | ✔ | |
| Pivoting The ability to install an agent somewhere else, then “Set Source” so that all activity comes from there. | ✔ | ✔ | |
| CloudCypher Access (see below for description) Submit password hashes to Core’s cloud and get clear text back | ✔ | ✔ | |
| WiFi & Mobile Testing Integration with Hak 5’s Pineapple | ✔ | ||
| Web Application Testing Test web applications using OWASP top 10 and other attacks | ✔ | ||
| Exploit Packs The ability to add additional exploit packs | ✔ | ||
| REST API Use of the API to further automate activity | ✔ | ||
| Teaming The ability for multiple users to work on the same test at the same time | ✔ | ||
| Support | Web & email | Web & email | Web, email & phone |
CloudCypher Access is a service run by Core that will brute force NTLM hashes and provide you with clear-text passwords. This tool uses a combination of dictionary attacks, rainbow tables and various brute force strategies.
From within Core Impact, you can select to automatically have the hashes de-coded and the clear text results returned to the tool.
We have 3 videos showing the functionality in action:
Multi user discount
If you are purchasing multiple copies then a discount is available. For purchasing 2 or 3 copies, we can offer 5% off the total order. For 4 or 5 copies, we offer a 10% discount.
If you want 6 or more copies, please contact us for more details.
Exploit Packs
Core Impact comes with many thousands of exploits built in. The current ones are listed on the Core Impact website here: https://www.coresecurity.com/core-labs/exploits so you can see what is available and subscribe to changes.
There are then packs of extra exploits, built by 3rd parties (a company called ExCraft) but supplied and verified by Core Impact. These target specific testing areas, with the following packs available:
| Pack Name | Description |
|---|---|
| SCADA Standard | A set of exploits targeting SCADA equipment |
| SCADA Professional | This Exploit Pack includes everything in the SCADA pack, plus provides a further set of exploits. |
| Medical Devices | Exploits for Medical devices |
| IoT | Exploits for Internet of Things devices |
| Metasploit Exploits | It it possible to load all of the community exploits available for Mestasploit into Core Impact and run them. They are not verified by Core in the same way as the items above, but it may give you early access to an exploit while the Core guys build and fully test one. |
You can see what exploits are in what exploit pack by looking at the https://www.coresecurity.com/core-labs/exploits page. One of the filters at the top (product name) allows you to specify why exploit pack you are interested in.
Note that the filter “Impact” lists all of the exploits available in the current version.
Also note that you can only use the exploit packs with the Enterprise edition of Core Impact.
Perpetual & Subscription license models
Core Impact offers two license models, Perpetual and Subscription; the latter being the simplest to apply.
With a Subscription license you purchase the right to use the software for a 12-month period. At the end of that period the software stops working. If you want to continue to use the software, then you spend about the same fee again for another 12-month period at the then market rate.
The Perpetual license has a higher up-front cost and a lower year 2+ cost. In the first year you purchase the right to use the software indefinitely (perpetually) and in the year 2+ you just purchase the support and update package to ensure that you get all the new exploits and platform updates.
When comparing Perpetual to Subscription, the break-even point is about 2.5 years. If you want the software for less than 2.5 years then Subscription is cheaper, if longer then consider Perpetual.
You can also start with a Subscription license, to prove the value of the software, then move to a Perpetual license when you are satisfied. This can be mid-year if you want, not just on the anniversary of the contract.
Perpetual is not available for all products
Be aware that some products are only available on a Subscription basis, this makes sense for things like the Burst license (which by definition is a Subscription license), but the exploit packs also have restrictions.
Here is the complete availability:
| Product | Subscription | Perpetual |
|---|---|---|
| Core Impact – Basic | ✔ | ✔ |
| Core Impact – Pro | ✔ | ✔ |
| Core Impact – Enterprise | ✔ | ✔ |
| Core Impact – Enterprise Burst (3 moths/1 project) | ✔ | ❌ |
| SCADA Standard Exploit Pack | ✔ | ❌ |
| SCADA Professional Exploit Pack | ✔ | ❌ |
| Medical Devices Exploit Pack | ✔ | ❌ |
| IoT Exploit Pack | ✔ | ❌ |
How much does it cost?
S4 Applications are one of Core System’s main re-sellers for Core Impact so we can offer very competitive rates from Core Impact pricing. We have pricing available in EUR, GBP and USD which hopefully fits with your organisation’s needs.
Core Impact pricing starts at under $10,000 for a 12-month subscription of the “Basic” tool, and the prices goes up depending on your needs.
Next steps
If you want to learn more about Core Impact, read more on our vendor page.
S4 Applications helps organisations protect their assets with vulnerability assessment and remediation solutions whether you are an Enterprise, SME or Security consultant.
