As the head of IT, you know the value of a thorough penetration test.
If only finding the right pentesting company were easy.
You need someone you know will do a meticulous job and provide useful results, all within your scope and security budget. Anyone who’s had the job of picking the best service provider knows this is no simple feat.
When vetting pentesters to uncover your enterprise’s weaknesses, whittle down your list by asking the right questions:
1. “Who’s on your team?”
A pentesting team is only as good as the white hat hackers on its taskforce. Pay for novice pentesters, and their findings may only scratch the surface of what a real-life, seasoned attacker could do.
As we explain in What Makes a Pentesting Team Great, junior pentesters are far more likely to miss lesser-known vulnerabilities. While every pentester has to start somewhere and it’s unfair to judge them strictly on their years of experience, it’s wise to look for a pentesting team with a higher senior-to-intern ratio. Seek pentesters with at least ten years’ experience in a Red Team or offensive security role.
2. “What type of penetration testing do you specialize in?”
Many don’t realize there’s more than one. In fact, there are six types of penetration tests.
Some testers focus only on your external network, gathering open source intelligence (OSINT) to find a way in. Others look internally, posing as malicious insiders trying to attack from within. Others still employ physical pentesting tactics, dressing as delivery personnel to sneak into your office.
When looking for a pentester, ask them which attack vectors they specialize in. If, for instance, you just had your employees complete security awareness training, you may want to run a social engineering-focused pentest to see if they fall for a phish. Or you may want to test your wireless network to see whether an attacker could gain unauthorized access to it.
Whatever you do, don’t get overwhelmed. Start with a tighter scope, then make plans to expand your testing down the road. Look for a pentester who recommends the best route for your needs today, but thinks big picture for your future partnership.
3. “How actionable is your final pentesting report?”
As an IT Director, you know the whole point of running a security assessment is to improve your security. While checking the compliance box is an added perk, this pentest has a purpose, and it’s nothing without tangible takeaways for strengthening your security posture.
You want a pentesting company that compiles a robust pentesting report detailing their findings. Look for a pentester who creates a simplified Executive Summary, without the tech-talk, for your C-suite team or external stakeholders to easily understand. Seek someone who illustrates their attack vectors and methodology, step-by-step, telling the complete story of how they began their exploit and got past your best defenses.
Perhaps most importantly, you want to ensure they end with thoughtful, useful recommendations for remediating your weaknesses. Seek a pentesting company that ranks your risks in order of priority and gives a few suggestions for strengthening your security over time.
4. “Can you connect us with organizations that will make necessary security improvements?”
After you receive your pentesting report and understand the recommendations for improving your security, you may need help crossing things off your to-do list. While many pentesting companies focus on finding, not fixing, vulnerabilities, some pentesters have a network of other professionals who can help with remediation.
Ask the penetration testing company whether they have resources to help you act on your pentest results. Whether that means referring you to a trusted partner or offering you a few choices of software for the job, look for advisors who can help you make the important security changes.
5. “What was one of your toughest pentests to crack?”
This question is a fun way to see how much the pentester is willing to disclose about their attack vectors and tactics. The company may not want to give too much away, but see if they can paint enough of a picture for you to understand how hard they’re willing to work to bypass your layered defenses.
This question will also give you an idea of how the pentester handles a challenge and of the types and size of projects they’ve taken on in the past. Note their passion for their work. Do they sound excited about their accomplishment? Ask what they learned in the end.
6. “What’s the real cost?”
Ah, the dreaded “price” chat. Some pentesters don’t want to be transparent about cost until they rope you in, so it helps to push for scoping calls early in the process to nail down your quote.
The right pentesting company will take the time to openly discuss and define the size and complexity of the penetration test once they determine your interest.
Remember that when investing in a team of senior testers, you’re paying for their unique expertise. Check out our article, What Should You Budget for a Penetration Test, for a better idea of the true cost.
See Their Work for Yourself
When looking for a penetration testing company, it’s important to be thorough. Here are even more tips from InfoSec on choosing a pentester.
Here at Mitnick Security, we’re proud to have a 100% success rate of breaching systems when using social engineering.
Learn how World Surf League worked with Mitnick Security’s team to expose its vulnerabilities in this case study.