Cyber Security Articles & News

4 Considerations Before Choosing the Right Type of Pentesting Company

Posted by Mitnick Security on Sep 28, 2020 7:54:00 AM

Performing a penetration test against your organization’s network is an excellent way to assess its overall security posture and locate potential holes in the network. 

Unfortunately, with so many security companies offering pentesting services in a wide range of pricing, it can be challenging to determine which company to choose. 

This article will help you determine what to look for when partnering with a penetration testing company. 

1. Consider the Pentesting Company’s Specialty & Your Unique Needs

Just because a pentesting company may be perfect for one organization doesn’t mean that it is the right partner for your organization. 

Pentesters specialize in types of pentests. Typically, pentesting companies will offer a wide variety of services, including social engineering, web application testing, and network penetration testing. 

However, after determining the most critical factors for your organization, you’ll want to partner with a vendor that is an expert in that area. For example, if you are interested in having a web application tested, you wouldn’t want to partner with a company whose specialty is social engineering

Are you doing everything you can to protect your organization? Discover our top tips here.

2. Review the Pentesting Company’s Certifications 

When assessing and comparing potential partners, inquiring about the various certifications that their engineers hold may help make the decision.

Some valuable industry certifications include the following: 

EC-Council’s Certified Ethical Hacker (CEH)

The CEH is an entry-level certification widely recognized throughout the security industry. Certified Ethical Hackers understand malware and hacking tactics that can assist in their testing procedures. 

GIAC’s (Global Information Assurance Certification) GPEN

The GPEN certification is another entry-level certification. The certification objectives include penetration-testing methodologies, the legal issues surrounding penetration testing, and properly conducting a penetration test.

CompTIA’s PenTest+ 

This certification is vendor-neutral and considered intermediate. It tests an individual's ability to perform a penetration test through practical, scenario-based questions and multiple-choice questions.

Offensive Security Certified Professional (OCSP)

An advanced industry certification, the OSCP is widely respected as one of the industry's best. In order to obtain an OSCP certification, candidates must pass a 24-hour practical exam in which they must assess a real-world scenario. 

3. Compare the Price for Pentesting Services

While it may be tempting to go with the cheapest option available, the sentiment that you get what you pay for is certainly true here.

To avoid wasting money, you must verify what is included in the price. 

Below are some of the questions that you may want to ask the potential vendors: 

  • How many testers will be working on this project? 
  • Will any part of the testing be conducted with automated tools? 
  • How long will the penetration test take to carry out?
  • Will the penetration test cause any interruptions to regular business?
  • Will social engineering techniques be used throughout the test?
  • What type of reports will be produced and presented to the organization?
  • Can the organization provide testimonials from previous customers?

 

Additionally, some vendors may be willing to work with you to custom fit an assessment for your organization's budget and needs. 

After asking the suggested questions, it is recommended that businesses obtain quotes from at least three potential partners to review before making their final decision. 

4. Inquire About the Pentesting Company’s Firm Size

Another essential factor to consider when determining the best pen testing company is the size of the firm. Smaller, boutique firms are more likely to specialize their services, while larger firms will be more a “jack of all trades.”

A larger firm may offer a more in-depth assessment experience by having pentesters of various specialties. However, choosing a too large firm may result in a less personal experience or a lack of communication. 

Finding the right combination of size, cost, and experience may vary, but it’s a decision that must be made by the organization. 

Start Narrowing Down Your Options

While choosing the right testing vendor can be intimidating, knowing the right questions to ask and items to look for can make all the difference. 

Are you considering a pentest for your organization? Screen prospective vendors over the phone before committing to any one company.

Talk to our team today to learn more about our process, methods, and specialties— and to discover if we’re the right partner for you.

New call-to-action

Topics: penetration test

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

What To Expect When You Get a Vulnerability Assessment From Mitnick Security

Since threat actors are constantly developing new tools and techniques for infiltrating an organization’s defenses, effective cybersecurity can never ..

Read more ›

What's Included in a Penetration Test Report?

Penetration tests are an extremely useful exercise to mitigate risks and patch your security gaps. If you’ve been asking yourself why do penetration t..

Read more ›

What Is Pivoting in Cyber Security and What Does It Mean for Pentesters?

Data breaches in 2022 were abundant and sophisticated. Realistically, it’s expected that this year we will continue to see threat actors test their li..

Read more ›
tech-texture-bg

© Copyright 2004 - 2023 Mitnick Security Consulting LLC. All rights Reserved. | Privacy Policy