Performing a penetration test against your organization’s network is an excellent way to assess its overall security posture and locate potential holes in the network.
Unfortunately, with so many security companies offering pentesting services in a wide range of pricing, it can be challenging to determine which company to choose.
This article will help you determine what to look for when partnering with a penetration testing company.
1. Consider the Pentesting Company’s Specialty & Your Unique Needs
Just because a pentesting company may be perfect for one organization doesn’t mean that it is the right partner for your organization.
Pentesters tend to specialize in particular types of pentests. Typically, pentesting companies will offer a wide variety of services, including social engineering, web application testing, and network penetration testing.
However, after determining the most critical factors for your organization, you’ll want to partner with a vendor that is an expert in that area. For example, if you are interested in having a web application tested, you wouldn’t want to partner with a company whose specialty is social engineering.
2. Review the Pentesting Company’s Certifications
When assessing and comparing potential partners, inquiring about the various certifications that their engineers hold may help make the decision.
Some valuable industry certifications include the following:
EC-Council’s Certified Ethical Hacker (CEH)
The CEH is an entry-level certification widely recognized throughout the security industry. Certified Ethical Hackers understand malware and hacking tactics that can assist in their testing procedures.
GIAC’s (Global Information Assurance Certification) GPEN
The GPEN certification is another entry-level certification. The certification objectives include penetration-testing methodologies, the legal issues surrounding penetration testing, and properly conducting a penetration test.
This certification is vendor-neutral and considered intermediate. It tests an individual's ability to perform a penetration test through practical, scenario-based questions and multiple-choice questions.
Offensive Security Certified Professional (OSCP)
An advanced industry certification, the OSCP is widely respected as one of the industry's best. In order to obtain an OSCP certification, candidates must pass a 24-hour practical exam in which they must assess a real-world scenario.
3. Compare the Price for Pentesting Services
While it may be tempting to go with the cheapest option available, the sentiment that you get what you pay for is certainly true here.
To avoid wasting money, you must verify what is included in the price.
Below are some of the questions that you may want to ask the potential vendors:
- How many testers will be working on this project?
- Will any part of the testing be conducted with automated tools?
- How long will the penetration test take to carry out?
- Will the penetration test cause any interruptions to regular business?
- Will social engineering techniques be used throughout the test?
- What type of reports will be produced and presented to the organization?
- Can the organization provide testimonials from previous customers?
Additionally, some vendors may be willing to work with you to custom fit an assessment for your organization's budget and needs.
After asking the suggested questions, it is recommended that businesses obtain quotes from at least three potential partners to review before making their final decision.
4. Inquire About the Pentesting Company’s Firm Size
Another essential factor to consider when determining the best pentesting company is the size of the firm. Smaller, boutique firms are more likely to specialize their services, while larger firms will be more of a “jack of all trades.”
A larger firm may offer a more in-depth assessment experience by having pentesters of various specialties. However, choosing a firm that is too large may result in a less personal experience or a lack of communication.
The right combination of size, cost, and experience will vary from one organization to the next, but it’s a decision that the organization itself must make.
Start Narrowing Down Your Options
While choosing the right testing vendor can be intimidating, knowing the right questions to ask and items to look for can make all the difference.
Are you considering a pentest for your organization? Screen prospective vendors over the phone before committing to any one company.
Talk to our team today to learn more about our process, methods, and specialties, and to discover if we’re the right partner for you.