9 Best Practices for Choosing a Penetration Testing Company
March 31, 2020

Penetration testing has become one of the most common engagements for today’s security-aware businesses. There are many reasons for conducting a pentest, including better security defenses, decreased risk levels or meeting strict compliance requirements; and there are even more penetration testing companies out there. But how does one choose the right penetration testing company? What does one need to consider before engaging an external provider? And how can you trust this provider to perform the penetration testing engagement to your satisfaction and in accordance with your business needs?

We’ve gathered 9 best practices that will come in handy when choosing a penetration testing company:

1. Define what type of pentest you need

Before choosing your penetration testing vendor, you’ll need to define what type of technical testing you’re looking for. Are you looking for a web application pentest, a mobile application pentest or a network/infrastructure pentest? Or do you need a red-team engagement? Different types of pentests require different tools, knowledge and expertise, which will also determine the cost of a pentest. Make sure your pentesting company is well equipped to perform the type of pentest that you choose.

Once you’ve defined the scope of your pentest, you’ll need to indicate how you would like the pentest to be performed, i.e. in black box, grey box or white box mode.

  • Black box tests are performed without any knowledge of the tested environment. The objective of a black box pentest is to assess the level of security as seen by a third party connected to the internal network or the internet, without any prior knowledge of the environment.
  • Grey box tests are performed with standard access or with only limited knowledge of the tested environment. The objective of a grey box pentest is to assess the level of security as seen by a legitimate user of the customer who has an account, along with general information about the tested environment.
  • White box tests are performed with knowledge of the internal structure/design/implementation of the tested environment.

It is important that your penetration testing company is familiar with these different testing methods and can guide you appropriately in choosing a pentest type and method that will work for your goals and budget.

2. Evaluate the skills of the pentesting team

In addition to evaluating the pentesting company, you should also take a close look at the pentesters who will perform the engagement. There are many penetration testers out there, but only a few will have the skills and knowledge to deliver a high-quality pentest. What matters is a solid mix of proven expertise and actual experience.

Expertise. In terms of expertise, your pentesting team should be able to demonstrate their technical knowledge. For instance, a university degree in information security, ethical hacking certifications or continuous education courses are a good sign that your pentester has acquired the required theoretical and practical skills to get the job done. Some of today’s most commonly recognized certifications include GIAC Exploit Researcher & Advanced Penetration Tester (GXPN) and Offensive Security Certified Professional (OSCP). No matter which expertise your pentesting team has, make sure that their resumes demonstrate their level of technical knowledge and their willingness to learn and stay on top of recent pentesting techniques.

Experience. Ideally, your pentesting team should have accumulated experience in a variety of industries, for various types of companies and in several kinds of pentesting projects. If your organization operates in the financial sector, make sure that your pentesting team has experience with similar organizations in that field. If you’re looking for a red team exercise, look for comparable mandates. Generally, your pentesting team should have accumulated at least a few years of experience. The more diverse the experience of your pentesting team, the easier it will be for them to adapt to your specific context and environment and perform a thorough pentest that is based on proven methodologies. It is quite common for pentesters to include a summary of their most recent pentests at the end of their resume.

3. Ask for relevant references from other penetration tests

Before beginning your pentest, make sure to ask for 2-3 references of pentests conducted for organizations of the same size, with a similar scope or that are in the same industry as you. This way, you’ll get another piece of confirmation that your chosen penetration testing company is suitable to do a pentest for your specific business context. A quick call with the provided references can help you validate the professionalism, expertise and value of the penetration testing company in ways that their sales proposal or the resumes of their pentesters couldn’t reveal. Questions you’ll want to ask:

  • Was the pentest conducted to your satisfaction?
  • What did/didn’t you like about working with the penetration testing company?
  • How would you evaluate the pentesting team?
  • Was the pentest delivered on time and on budget?
  • Did the pentest report provide a concise list of the discovered vulnerabilities, plus appropriate remediation measures?
  • Was there anything missing during the pentest?
  • Would you do business with this penetration testing company again?

The insights gathered during the conversation with the reference contact(s) could prove to be very helpful in choosing the pentesting vendor that’s right for you.

4. Data protection

Determine how your data will be secured. Pentesters certainly know how to get access to your confidential data, but their pentesting company will need to demonstrate that they will handle and store this data securely before, during and after the penetration test. After all, you’re entrusting a third party with your most critical data assets and should receive an appropriate explanation about data handling before sharing anything confidential. Data security questions can include:

  • How will my data be transmitted?
  • How will my data be stored?
  • How will my data be erased?
  • How long will my records be retained?
  • Has the pentesting company ever been hacked?

Getting clarification on data security can often be a deciding factor when choosing a pentesting company you can trust.

5. Get a sample penetration test report

The one and only deliverable of a penetration test is a detailed report, including all test findings as well as the necessary countermeasures and recommendations to secure your environment going forward. Make sure to get a copy of a sample pentest report to facilitate your decision-making process and get a feel for what you’ll receive at the end of the mandate. A good penetration testing report should include:

  • An executive summary describing your overall security posture and indicating items that need immediate attention.
  • A technical review describing the activities performed to find vulnerabilities and the results of the activities conducted in attacking target systems, including the methodologies used.
  • A detailed list of the vulnerabilities discovered and their exploits, listed in order of criticality.
  • Recommendations to optimize protection of the assets identified in the report, with consideration of the resulting cost in capital investment, operation and maintenance, personnel and time.
  • Appendices capturing tool outputs, screenshots, or other data that help to give greater context or clarification to the vulnerabilities detected.

Regardless of what you’re looking for in a pentest report, make sure that it contains the right elements for whoever will read it.

6. Verify project management capabilities

Just like any other vendor you engage with, part of the success of the project will depend on their project management capabilities. Ask your penetration testing company what kind of processes and methodologies they have in place to make sure that your pentest project is executed smoothly and on schedule. In addition to asking for the resumes of the pentesting team, make sure to also ask about the qualifications and experience of the assigned project managers. Have they handled similar pentesting projects before?

7. Clarify the methodology and process

When choosing your penetration testing company, make sure to validate that your candidate follows an industry-recognized pentesting methodology and process. You’ll want to know exactly how the pentest will be performed, which steps will be followed, which tools will be used and exactly how the exploits will be evaluated. Normally, this level of detail is included in the sales proposal or in the statement of work. If not, don’t be shy to ask the pentesting company how they will proceed and what methodology they follow during the ethical hacking process. If they follow a consistent methodology for all their pentesting engagements, chances are that this will improve the quality of their work and their level of thoroughness in the engagement.

8. Ask about options for retesting

If you’re on the lookout for a long-term pentesting partner, make sure to discuss the possibility of doing a retesting exercise after the initial pentest has been performed. Retesting is a critical element of continuous penetration testing practices because it validates whether the remediation steps that were proposed by the pentesters have been put in place by your IT team. Any pentesting company interested in improving your cybersecurity posture effectively and sustainably will likely include an option for retesting in their sales proposal, not only to facilitate a long-term partnership and more business, but also to help you strengthen your defenses against cyberattacks.

9. Get to know the pentesting vendor

Lastly, you should get to know your pentesting vendor and take the time to talk with the key resources who will be involved in the project delivery. To get started, ask yourself some basic questions:

  • Does the pentesting vendor seem credible?
  • Does the reputation of the pentesting vendor hold true?
  • Is the communication between you and the pentesting vendor easy and straightforward?
  • Do you feel you can trust the pentesting vendor to perform the pentest according to what was agreed upon?
  • Would you recommend this pentesting vendor to your network?
When evaluating a penetration testing company, there are several best practices that you should keep in mind apart from how much the pentest costs.

At a minimum, make sure that you thoroughly evaluate your potential pentesting vendor and validate their methodology and deliverables, data security practices and project management capabilities.

Reaching out to a couple of references can often be helpful to get a feel for how the pentesting company conducts similar pentests and whether their pentests are professional and on track.

Lastly, remember to take the time to get to know your pentesting vendor candidate. A quick conversation with the vendor’s key resources can help you make the right choice and build a long-term business partnership that’s based on trust and mutual respect. Are you looking for a penetration testing company and need some practical guidance about what to look for? We’ve put together a pentest company checklist on how to choose a pentesting vendor that will come in handy for you.