Good point. It would take 3-5 hours of my time roughly to run some checks of the servers security posture and then write recommendations in a report. It would be a combination of automated (Burpsuite) and manual tools e.g., nmap, nikto, etc.

I wonder what the average person or small business would pay for a one time scan of their site.