This blog has been superseded; the current version is available here.
The Core Impact pricing up until now has been a complex affair (see previous blog post for details). However, from Summer 2020 onwards, Core Systems have radically simplified their pricing.
Like many companies in the Information Security sector, Core Impact has decided to focus on it’s users.
Having a price setting based on a cost per user would have perhaps been the easiest to apply, but in truth a user in a global 1,000-person company would get a drastically different level of value than a user in an SME or smaller consultancy environment.
For this reason, a big and small license approach was created (named “Full” or “Starter” respectively) for the Core Impact Pricing.
To understand what the difference is, I need to explain what a Workspace is; as this is what affects whether a license is considered either big or small.
What is a Workspace?
All versions of the Core Impact product come with an unlimited number of Workspaces. A Workspace is considered how the work is grouped together. This could be a group of machines, a customer project, or any other grouping that makes sense to the tester.
Even if it was possible, you wouldn’t want to have 10,000 machines in a single Workspace, it would be just too cumbersome to manage. Workspaces provide a way to narrow focus onto what matters at that point in time, so a single Workspace is typically a particular project or a customer engagement.
All the reporting is done at the Workspace level, as are several other product features like the automated re-test.
Behind the scenes each Workspace is a database. Core Impact provides tools for managing these Workspaces, so that you can archive and restore them if needed.
The reality is, if you tested a group of machines now, and need to do that same again in 6 months, then you would use a new Workspace. Things will have changed in the interim.
What is the difference between Full and Starter?
A “Full” license comes with unlimited Workspaces and the ability to have an unlimited number of IPs within each Workspace. The “Starter” version comes with unlimited Workspaces, but only 64 IPs within each Workspace.
What if I go for the Starter and want to test 100 IPs?
If you have the Starter version and want to test 100 IPs all is not lost, you still have a few options. First though I need to explain further how the 64 IP limit is implemented.
One of the first steps of a pen-test is usually to scan the network and see what is there. Core Impact can do this for you (it uses NMAP behind the scenes) or you can load data from a previous scan; often Nessus Pro, a manually configured NMAP, or one of lots of other supported tools.
If you have a maximum Workspace size of 64 IPs, then the loading of hosts will stop at 64.
Option 1 – Split the work into <64 IP chunks
If you had 100 hosts then you could split your machines into groups of less than 64, say “all the web servers” and “all the DB servers”, or by operating system, or some other way. The choice is yours.
The implication of this is that you will get multiple reports (one per workspace). This may even make business sense as the reports would naturally go to different owners.
While it is possible to test a 10,000 IP network with a 64 IP license, it would take a very long time because you would need to do so 64 IPs at a time, and there is an overhead to managing Workspaces.
Option 2 – Buy a bigger license
You could always purchase a license with a bigger Workspace size; Core Impact have a very sensible policy here that recognises the value of your existing investment.
Option 3 – Rent a bigger license
To add to the above 2 license types described above, Core Impact have a “Burst” license. This is basically the “Full” license limited for a 3-month period. So, if you are a pen-tester, with the Starter license, and win a really big job, then the Burst license gives you what you need for a limited period of time to complete the work.
Exploit Packs
Core Impact comes with many thousands of exploits built in. The current ones are listed on the Core Impact website here: https://www.coresecurity.com/core-labs/exploits so you can see what is available and subscribe to changes.
There are then packs of extra exploits, built by 3rd parties (a company called ExCraft) but supplied and verified by Core Impact. These target specific testing areas, with the following packs available:
| Pack Name | Description |
|---|---|
| SCADA Standard | A set of exploits targeting SCADA equipment |
| SCADA Professional | This Exploit Pack includes everything in the SCADA pack, plus provides a further set of exploits. |
| Medical Devices | Exploits for Medical devices |
| IoT | Exploits for Internet of Things devices |
| Metasploit Exploits | It it possible to load all of the community exploits available for Mestasploit into Core Impact and run them. They are not verified by Core in the same way as the items above, but it may give you early access to an exploit while the Core guys build and fully test one. |
You can see what exploits are in what exploit pack by looking at the https://www.coresecurity.com/core-labs/exploits page. One of the filters at the top (product name) allows you to specify why exploit pack you are interested in.
Note that the filter “Impact” lists all of the exploits available in the current version.
Perpetual & Subscription license models
Core Impact offers two license models, Perpetual and Subscription; the latter being the simplest to apply.
With a Subscription license, you purchase the right to use the software for a 12-month period. At the end of that period, the software stops working. If you want to continue to use the software, then you spend about the same fee again for another 12-month period at the then-market rate.
The Perpetual license has a higher up-front cost and a lower year 2+ cost. In the first year, you purchase the right to use the software indefinitely (perpetually) and in the year 2+ you just purchase the support and update package to ensure that you get all the new exploits and platform updates.
When comparing Perpetual to Subscription, the break-even point is about 2.5 years. If you want the software for less than 2.5 years then Subscription is cheaper, if longer then consider Perpetual.
You can also start with a Subscription license, to prove the value of the software, then move to a Perpetual license when you are satisfied. This can be mid-year if you want, not just on the anniversary of the contract.
Perpetual is not available for all products
Be aware that some products are only available on a Subscription basis, this makes sense for things like the Burst license (which by definition is a Subscription license), but the exploit packs also have restrictions.
Here is the complete availability:
| Product | Subscription | Perpetual |
| Full (unlimited IPs) | ✔ | ✔ |
| Starter (64 IPs) | ✔ | ✔ |
| Burst (unlimited IPs for 3 moths) | ✔ | ❌ |
| SCADA Standard Exploit Pack | ✔ | ❌ |
| SCADA Professional Exploit Pack | ✔ | ❌ |
| Medical Devices Exploit Pack | ✔ | ❌ |
| IoT Exploit Pack | ✔ | ❌ |
How much does it cost?
S4 Applications are one of Core System’s main re-sellers for Core Impact so we can offer very competitive rates from Core Impact pricing. We have pricing available in EUR, GBP and USD which hopefully fits with your organisation’s needs. Core Impact pricing starts at around $10,000 and goes up depending on your needs.
Next steps
If you want to learn more about Core Impact, read more on our vendor page.
S4 Applications helps organisations protect their assets with vulnerability assessment and remediation solutions whether you are an Enterprise, SME or Security consultant.
