Security assessments can identify hidden vulnerabilities in a business's systems so they can be remediated before they become a problem. Many security assessments are done under duress, where the need for an assessment is driven by a looming regulatory deadline or by a recent compromise. Many estimates are nothing more than the vendor's guess at the fees required, with no real effort to ensure the estimate is realistic. Fixed-fee projects should be preferred. Be wary of vendor project managers who have more than one other active engagement.
Source: https://www.csoonline.com/article/3258778/how-to-avoid-security-assessment-cost-overruns.html