binautopsy · technical note · 26 APR 2026

How Much Does a Firmware Security Assessment Cost? A Transparent Breakdown


The range a buyer will hear, calling around, is roughly $15,000 to $250,000 per device. That spread is not negotiation. It reflects four genuinely different categories of work being sold under one phrase. Knowing which one you are buying — and which one your situation actually requires — is the entire question.

This is a plain breakdown of what drives firmware security assessment cost, where the price tiers come from, and how to tell when you are paying for theater.

The Four Tiers of What Gets Called a Firmware Assessment

Tier 1: Automated Scan. A SaaS tool ingests the firmware image, produces a CVE list and a generated SBOM, and emails a PDF. Pricing is typically $2,000–$10,000 per image or a subscription model. Turnaround is hours to days.

What you get: a list. What you do not get: exploitability context, license analysis, or anyone who will sign their name to a verdict. For a procurement decision on a high-blast-radius device, this is documentation, not diligence.

Tier 2: Tooling Plus Light Analyst Review. A scanner plus a junior analyst spending two to five days triaging the output. Pricing is typically $15,000–$40,000. Turnaround is two to four weeks.

This is the most common offering and the one most likely to disappoint, because the analyst rarely has enough hours to reverse-engineer reachability claims. The output is better than Tier 1 but still leaves the buyer doing real triage.

Tier 3: Forensic Dissection With Signed Verdict. Senior reverse engineers open the artifact, derive the SBOM from the binary, rank findings by reachability and deployment context, audit licenses, and deliver a partner-signed memo. Pricing is typically $35,000–$90,000 depending on artifact complexity. Turnaround is two to four weeks.

This is the tier the Pre-Procurement Binary Autopsy and Regulatory Readiness Autopsy occupy. The output is a defensible verdict, not raw findings.

Tier 4: Full Custom Research Engagement. A traditional appsec consultancy spending six to twelve weeks on deep custom analysis, source review where available, and bespoke exploitation research. Pricing is $100,000–$400,000+. Turnaround blows past every procurement gate.

For most buyers facing a contract deadline, Tier 4 is the wrong shape of engagement regardless of budget.

What Actually Drives Price Within a Tier

Three variables move the number more than anything else.

Artifact complexity. A single-binary IoT firmware is a different job from a multi-board industrial controller running three operating systems and a hypervisor. Component count, architecture diversity (ARM, MIPS, x86, RISC-V in the same image), and the presence of nested firmware blobs all add hours.

Obfuscation and packing. Stripped symbols are normal. Aggressive obfuscation, custom packers, or anti-analysis measures multiply the unpacking effort before any actual review begins. This is the variable most likely to surprise buyers mid-engagement on a fixed-scope quote.

Regulatory mapping. A general security review and a CRA-mapped or FDA premarket-mapped review are different deliverables. The mapping work — translating findings into the language and structure regulators expect — is real effort and belongs in the price.

What Drives Price That Should Not

Page count. Some consultancies still price on report length. A 400-page deliverable is not better than a 30-page one. It is usually worse, because nobody reads it and the verdict is buried.

Vendor relationship management. If the firm is charging extra to coordinate with the vendor whose product you are buying, you are paying twice for the same conversation.

Dashboard access. A live findings portal is fine. Paying ongoing subscription fees for access to last quarter’s report is not.

Matching the Tier to the Decision

For a $50,000 SaaS contract with low blast radius, Tier 1 is fine. For a $4 million firmware deployment that will sit inside the perimeter for seven years, anything less than Tier 3 is documenting a decision you cannot defend.

For M&A diligence on a target whose product is the entire thesis, the M&A Diligence Sprint is the version of Tier 3 compressed into the diligence window. Same depth, same partner-signed memo, fitted to the timeline IC materials require.

The Honest Answer

A firmware security assessment from Binautopsy at the Pre-Procurement Binary Autopsy tier sits in the $35,000–$90,000 range, fixed scope, two-week turnaround, partner-signed verdict. That is what it costs to open the artifact, rank what is actually exploitable, audit the licenses, and put a name on the conclusion.

If the procurement gate is real, the device is real, and the deployment will outlast the buyer’s tenure, that is the price of a defensible answer.
