Learn the right questions to ask when choosing a penetration testing company with our top 10 tips, and make better decisions when hiring a pentest provider.
Cybersecurity is a critical component in any successful modern business, and the need to protect data and systems from cyber-attacks has become increasingly important in today’s digital environment.
Businesses must take measures to ensure their confidential data is kept secure, protect against disruption caused by cyber-attacks and minimize reputational damages and fines caused by data breaches.
With regulatory compliance such as GDPR and PCI DSS, together with the increase in popularity of SOC 2, one of the most effective ways to tick all the boxes is by having a solid cybersecurity program in place, and security testing is a vital part of it.
However, selecting the right pentest provider for your unique needs can be difficult. With so many penetration testing vendors on the market, how can you be sure you’re choosing a reputable one to fulfill your security testing requirements?
In this blog post, we’ll provide the right questions to ask a penetration testing company and tips on choosing a reliable partner that will meet your needs when hiring pen testing services.
Ensure your pentest provider offers manual penetration testing, not just automated vulnerability scanning
It is crucial to be aware that some cybersecurity companies might provide automated vulnerability scanning under the guise of manual penetration testing.
To support your goals, you must be mindful of the distinction between the two and make sure you receive the right service.
Manual penetration testing requires a skilled tester to exploit vulnerabilities actively. In contrast, automated vulnerability scanning relies on signatures and known vulnerability patterns to identify potential weaknesses and often yields a high rate of false positives.
Manual penetration testing is a superior approach, as it allows for a more thorough and customized assessment of the system’s vulnerabilities.
While an automated vulnerability scan can still be useful for identifying vulnerabilities, it is not a substitute for a penetration test led by an experienced security engineer.
What certifications should the consultants of the penetration testing company I am looking to hire have?
There is no shortage of certifications related to penetration testing. Some are well respected in the industry for having a high bar, focusing on practical and hands-on assessments.
Others are far from challenging and don’t adequately assess a candidate’s ability to perform penetration tests and security audits at a professional level.
Below are some of the certifications that indicate a penetration tester has demonstrated the practical skills needed to conduct a pentest assessment:
- Offensive Security Certified Professional (OSCP) and Offensive Security Web Expert (OSWE)
- Burp Suite Certified Practitioner (focused on web/API security testing)
- SANS GIAC GPEN and GWAPT (popular in the US)
- CREST CRT and CREST CCT (popular in the UK, Singapore, Hong Kong, and Australia)
It’s important to note that the popular Certified Ethical Hacker (CEH) certification is often mocked in the industry by experienced practitioners and seen as low-quality; it is not hands-on and is considered easy to pass.
What penetration testing methods should my vendor employ in the testing process?
When considering a company that can provide penetration testing services, it is essential to ensure they use best practices and proven methodologies.
At the same time, it is desirable that the provider has a hacker mindset and the “think outside the box” creativity to go beyond common checklists.
Popular methodologies include PTES, OSSTMM, the SANS/CWE Top 25, NIST SP 800-115, and the OWASP Top 10; OWASP also publishes specific testing methodologies for web applications, mobile apps, APIs, and IoT devices.
Google’s Pentest Guidelines provide invaluable insights into how they recommend business partners evaluate a pentest vendor’s proposed methodology and approach for penetration testing.
The right experience and technical expertise for the job
The right partner company should have staff that stays up-to-date with the latest tools and techniques and often showcases their technical capabilities in the form of blog posts, open-source tools, and presentations at industry events.
It is important to ask questions about the company’s experience with your scope of work to ensure they have the required expertise for the assessment. If you are looking for a penetration test of your internal network, a company with solid knowledge of Active Directory, for example, is preferred. Likewise, if you are looking for an SAP security assessment, it makes little sense to hire a pentest company that is strong only in pentesting web applications.
Ask to review sample reports and other deliverables
Ask the pentest company to provide sample reports, attestation letters, and any other deliverables they might have. These documents help you understand the quality of their findings and the depth of testing. Look for clear and actionable insights and recommendations for addressing vulnerabilities. Quality of reporting is key; after all, the report is the main deliverable you will receive as part of your penetration testing engagement.
We have written a blog post titled What To Expect From a Penetration Testing Report that explains all details about this topic.
Ask for references from past and existing customers
When it comes to evaluating potential vendors for penetration testing services, getting direct feedback from past and existing customers is invaluable. Requesting references from these sources should be a critical part of your evaluation process – this will not only provide you with important information about the quality of service delivered by the penetration testing firm but also bring additional insight into the vendor.
Pricing – what is the fair cost of a pentest?
In our experience, the final cost of a penetration test varies with the size and complexity of the scope and the number of consultants involved in the project, with rates per penetration tester employed by a reputable firm averaging between $1,600 and $2,500 per day in the United States.
Many pentest providers start at a ballpark figure of $200 to $300 per hour – with niche and specialized work often having a higher hourly price tag. We have written a comprehensive blog post about the topic of how much a penetration test costs and all factors influencing it.
The average rate per pentester in the United Kingdom is between 1,000 and 1,300 GBP per day, with some variation among pentest providers. In European countries with strong economies, such as Germany, The Netherlands, and the Nordic countries, average daily rates range from 1,200 to 1,700 EUR. Niche work and the reputation of the penetration testing vendor’s brand are factors that influence pricing.
Be suspicious of a penetration testing provider charging dramatically low prices. It is highly likely they mainly use automated testing and perform a vulnerability scan disguised as a manual pentest, not fully assessing the attack surface of your systems.
Does your provider have data protection measures in place?
When selecting a supplier for penetration testing, data protection and data security standards must be upheld to the highest degree. It is essential that mature penetration testing providers comply with a recognized information security standard such as ISO 27001, a popular international standard, or SOC 2, both of which provide assurance of best practices when it comes to handling sensitive data.
Surprisingly, many cybersecurity service providers do not have strong data protection controls in place and lack the right certificates to demonstrate they are suitable to handle third-party sensitive data.
Does the company have adequate liability insurance?
Professional liability insurance is essential for any business, including those offering services related to data protection and cybersecurity.
When procuring pen testing services, ensure your supplier has adequate liability insurance to cover any potential damages in the unlikely event something goes wrong in an assessment.
Companies have different requirements when setting a minimum amount of coverage for professional liability insurance. In our experience, many companies are comfortable with an insurance cover of $2,000,000 or €2,000,000; however, this can change depending on the contract and industry, with financial services and banks requiring significantly more coverage. Here at Blaze, we opted for higher worldwide insurance coverage of €5,000,000 due to the requirements of enterprise customers.
Tips for choosing the right penetration testing company
- Look for a vendor with a proven track record of security research, with experience in penetration testing similar organizations, and able to provide references of clients.
- Give preference to working with a vendor specializing in cybersecurity services. These often provide superior pentest assessments to those of firms with a more extensive portfolio of services, many not directly related to cyber (e.g., accounting and audit firms, providers of managed IT services, etc.).
- Consider the scope of the engagement: It’s important to define the scope of the engagement so you can choose a company that has the necessary expertise and resources. For example, if you need a penetration test of an IoT product, you’ll want to choose a company with experience in product security testing for IoT devices, or if you want a complex mobile app assessed, look for a vendor with a track record in mobile app security testing.
- A qualified penetration testing provider usually has a technical blog, Github, or other channels to display their technical capabilities, vulnerabilities they have found, and original cybersecurity research.
- Make sure the supplier has a team of penetration testers with the necessary skills and experience to carry out a comprehensive assessment, uses state-of-the-art tools, and follows industry-standard methodologies.
- Check if the penetration testing company has adequate liability insurance to cover any damages in the unlikely event that something goes wrong in the security testing assessment.
- Consider the cost: Make sure to get pentest quotes from multiple companies to compare pricing and ensure that you’re getting a fair price for the services you need. Keep in mind that dramatically low prices may hint that the company isn’t suitable for the job or performs vulnerability scans instead of manual pentests.
- Check for the right certifications: Consider a penetration testing company with qualified staff with credentials such as OSCP, OSCE, OSWE, and SANS GIAC, as these can be indicators of the company’s expertise and commitment to professionalism.
- Verify whether the company has full-time, vetted staff with background checks or uses only freelancers. While some organizations don’t mind contractors, others have strict policies that do not allow freelancers access to sensitive systems and data. Surprisingly, many vendors, especially those operating in the crowdsourced security field, work exclusively with freelancers rather than full-time pen testers.
- Ensure that the vendor has robust security procedures to protect your sensitive data during the pentest, such as SOC 2 or ISO 27001 compliance. Ironically, many penetration testing companies are not compliant and don’t have auditable data security procedures.
Don’t take our word for it alone: many of the recommendations above were developed by Google to help companies undergoing a Vendor Security Assessment with penetration testing provider selection.
Below is a penetration testing company selection checklist infographic.
Choosing the best penetration testing company for your needs can be a complex task. With a market full of different options and similar offerings, there is hardly clear guidance for buyers to select a penetration test provider that is the perfect fit for what they are looking for.
When exploring the realm of pen testing companies, it is crucial to look beyond the surface. By focusing not just on cost but also on factors such as team expertise, methodology, the comprehensiveness of the penetration test report, and communication, you can better discern the value that each contender brings to the table. Remember, pen testing should not be seen as just a compliance exercise; selecting from the top penetration testing companies should therefore be a priority.
The best penetration testing provider for your organization is the one that can tailor its approach to your unique needs. This includes not only identifying vulnerabilities within your systems but also advising on how to rectify them in the most efficient way. The top providers are those that offer comprehensive penetration testing services combined with a custom approach backed by experience and certifications. A proven track record in security consulting, helping businesses improve their security and compliance posture, is a testament to their capabilities.
By following the tips outlined in this article, you should be well on your way to finding a reputable and competent penetration test partner that will suit your needs. If your organization is looking for a new provider and wants to engage with a CREST-accredited qualified vendor offering top-notch pen testing services, and founded by experienced cybersecurity engineers, contact us today.