Estimating the resources and deliverables
As is applicable for any project, the success of the vulnerability assessment depends on estimations that are close to the actual. Output from the scoping and planning phases helps in estimating the most important factor in a vulnerability assessment—the time required to complete the assessment.
If a tester is having a very good experience running assessments over a scoped environment or similar, then the estimation is done on the basis of previous experience. If a tester is new to the environment then previous tests reports and communications are referred to for estimation. Additionally, a tester considers additions and changes in scope, involvement of third-party services / service providers, if any, and updates the estimates accordingly.
Once rough estimates are ready, time padding is considered and time is added over the anticipated time required. This time padding is usually set at 20%. This helps the tester to deal with any unsolicited challenges...