Top 10 Tips for choosing a penetration testing company


Learn the right questions to ask when choosing a penetration testing company with our top 10 tips.

Cybersecurity is a critical component in any successful modern business, and the need to protect data and systems from cyber-attacks has become increasingly important in today’s digital environment.

Businesses must take measures to ensure their confidential data is kept secure, protect against disruption caused by cyber-attacks and minimize reputational damages and fines caused by data breaches.

With regulatory compliance such as GDPR and PCI DSS, together with the increase in popularity of SOC 2, one of the most effective ways to tick all the boxes is by having a solid cybersecurity program in place, and security testing is a vital part of it.

However, selecting the right pentest provider for your unique needs can be difficult. With so many penetration testing vendors on the market, how can you be sure you’re choosing a reputable one to fulfill your security testing requirements?

In this blog post, we’ll provide the right questions to ask a penetration testing vendor and tips on choosing a reliable pentesting provider that will meet your needs.

Ensure your pentest provider offers manual penetration testing, not just automated vulnerability scanning

It is crucial to be aware that some cybersecurity companies might provide automated vulnerability scanning under the guise of manual penetration testing.

To support your goals, you must be mindful of the distinction between the two and make sure you receive the right service.

Manual penetration testing requires a skilled tester to actively exploit vulnerabilities. In contrast, automated vulnerability scanning relies on signatures and known vulnerability patterns to identify potential weaknesses and often yields a high rate of false positives.

Manual penetration testing is a superior approach, as it allows for a more thorough and customized assessment of the system’s vulnerabilities.

While an automated vulnerability scan can still be useful for identifying vulnerabilities, it is not a substitute for a penetration test led by an experienced security engineer.

What certifications should the consultants of the penetration testing company I am looking to hire have?

There is no shortage of certifications related to penetration testing. Some are well respected in the industry for having a high bar, focusing on practical and hands-on assessments.

Others are far from challenging and don’t adequately assess a candidate’s ability to perform a pentest at a professional level.

Below are some of the certifications that ensure a penetration tester is certified with practical skills to conduct a pentest assessment:

  • Offensive Security Certified Professional (OSCP) and Offensive Security Web Expert (OSWE)
  • Burp Suite Certified Practitioner (focused on web/API security testing)
  • SANS GIAC GPEN and GWAPT (popular in the US)
  • CREST CRT and CREST CCT (popular in the UK, Singapore, Hong Kong, and Australia)


It’s important to note that the popular Certified Ethical Hacker (CEH) certification is often mocked in the industry by experienced practitioners and seen as low-quality; it is not hands-on and is considered easy to pass.

What penetration testing methods should my vendor employ in the testing process?

When considering a potential provider who can provide penetration testing services, it is essential to ensure they use best practices and proven methodologies.

At the same time, it is desirable that the provider has a hacker mindset and the "think outside the box" creativity to go beyond common checklists.

Popular methodologies include the PTES, OSSTMM, SANS/CWE Top 25, NIST SP 800-115, and the OWASP Top 10; OWASP also publishes specific methodologies for pentesting web applications, mobile apps, APIs, and IoT devices.


Google’s Pentest Guidelines provide invaluable insights into how they recommend business partners evaluate a pentest vendor’s proposed methodology and approach for penetration testing.

The right experience and technical expertise for the job

The right partner company should have staff that stays up-to-date with the latest tools and techniques and often showcases their technical capabilities in the form of blog posts, open-source tools, and presentations at industry events.

It is important to ask questions about the company’s experience with your scope of work to ensure they have the required expertise for the assessment. If you are looking for an internal penetration test of your internal network, a company with solid knowledge of Active Directory, for example, is preferred. Or if you are looking for an SAP security assessment, it makes little sense to hire a company that is strong in pentesting web applications only.

Ask to review sample reports and other deliverables

Ask the pentest company to provide sample reports, attestation letters, and other deliverables they might have. These documents are required to understand the quality of their findings and the depth of testing. Look for clear and actionable insights and recommendations for addressing vulnerabilities. Quality of reporting is key; after all, a report is the main deliverable you will receive as part of your penetration testing engagement.

We have written a blog post titled What To Expect From a Penetration Testing Report that explains all details about this topic.

Ask for references from past and existing customers

When it comes to evaluating potential vendors for penetration testing services, getting direct feedback from past and existing customers is invaluable. Requesting references from these sources should be a critical part of your evaluation process – this will not only provide you with important information about the quality of service provided by the vendor but also bring additional insight into the vendor.

Pricing – what is the fair cost of a pentest?

The final cost of a penetration test can vary depending on the size and complexity of the scope and the number of consultants involved in the project, with rates per penetration tester employed by a reputable firm averaging between $1,600 and $2,500 per day. Many pentest providers start at a ballpark figure of $200 to $300 per hour – with niche and specialized work often having a higher hourly price tag.

The average rate per pentester in the United Kingdom is between 1,000 GBP and 1,300 GBP per day, varying somewhat among providers. In European countries with strong economies, such as Germany, the Netherlands, and the Nordic countries, average daily rates range from 1,200 to 1,700 EUR. Niche work and the reputation of the penetration testing vendor's brand are factors that influence pricing.

Be suspicious of a penetration testing provider charging dramatically low prices. It is highly likely they mainly use automated testing and perform a vulnerability scan disguised as a manual pentest, not fully assessing the attack surface of your systems.


Does your provider have data protection measures in place?

When selecting a supplier for penetration testing, data protection and data security standards must be upheld to the highest degree. It is essential that vendors are compliant with data protection standards such as the ones outlined in ISO 27001 certification, a popular international information security standard, or SOC 2, both of which provide assurance of best practices when it comes to handling sensitive data.

Surprisingly, many cybersecurity service providers do not have strong data protection controls in place and lack the right certificates to demonstrate they are suitable to handle third-party sensitive data.

Does the company have adequate liability insurance?

Professional liability insurance is essential for any business, including those offering services related to data protection and cybersecurity.

When procuring penetration testing services, ensure your supplier has adequate liability insurance to cover any potential damages in the unlikely event something goes wrong in an assessment.

Companies have different requirements in setting a minimum amount for coverage for professional liability insurance. In our experience, many companies are comfortable with an insurance cover of $2,000,000 or 2,000,000; however, this can change depending on the contract and industry, with financial services and banks requiring significantly more coverage. At Blaze, we opted to have higher insurance coverage due to the requirement of enterprise customers.

Tips for how to choose a penetration testing company

  1. Look for a vendor with a proven track record, with experience in penetration testing similar organizations, and able to provide references of clients.
  2. Give preference to working with a vendor specializing in cybersecurity services. These often provide superior pentest assessments compared with firms that have a more extensive portfolio of services, many not directly related to cyber (e.g., accounting and audit firms, providers of managed IT services, etc.).
  3. Consider the scope of the engagement: It’s important to define the scope of the engagement so you can choose a company that has the necessary expertise and resources. For example, if you need a penetration test of an IoT product, you’ll want to choose a company with experience in product security testing for IoT devices.
  4. A qualified penetration testing provider usually has a technical blog, Github, or other channels to display their technical capabilities, vulnerabilities they have found, and original cybersecurity research.
  5. Make sure the supplier has a team of penetration testers with the necessary skills and experience to carry out a comprehensive assessment, uses state-of-the-art tools, and follows industry-standard methodologies.
  6. Check if the provider has adequate liability insurance to cover any damages in the unlikely event that something goes wrong in the security testing assessment.
  7. Consider the cost: Make sure to get quotes from multiple companies to compare pricing and ensure that you're getting a fair price for the services you need. Keep in mind that dramatically low prices may hint that the company isn't suitable for the job or performs vulnerability scans as opposed to manual pentests.
  8. Check for the right certifications: Consider a penetration testing company with qualified staff with credentials such as OSCP, OSCE, OSWE, and SANS GIAC, as these can be indicators of the company’s expertise and commitment to professionalism.
  9. Verify whether the company has a full-time and vetted staff with background checks or uses freelancers. While some organizations don’t mind contractors, some have strict policies not allowing freelancers access to sensitive systems and data. Surprisingly, many vendors work almost exclusively with freelancers, not full-time pen-testers.
  10. Ensure that the vendor has robust security procedures to protect your sensitive data during the pentest, such as being SOC 2 or ISO 27001 certified. Ironically, most penetration testing companies are not, and don't have auditable data security procedures.

Don’t take our word for it alone: many of the recommendations above have been developed by Google to help companies undergoing Vendor Security Assessment with penetration testing provider selection.

Below is a penetration testing checklist infographic: 10 main tips for choosing a pentest company.

Final words

Choosing a penetration testing company can be a complex task. With a market full of different options and similar offerings, there is hardly clear guidance for buyers to select a penetration test provider that suits their needs best.

By following the tips above, you should be well on your way to finding a reputable and competent penetration test partner that will suit your needs. If your organization is looking for a new provider and wants to engage with a qualified vendor, contact us today.
