Finding a pentesting partner that can produce a deep-dive pentest is harder than knowing what one should look like. When evaluating vendors, seasoned adversarial firms and scanner-in-disguise vendors look nearly identical on paper. Certifications overlap. A vendor offering agentic offensive security, one offering genuine penetration testing as a service (PTaaS), and one running scheduled vulnerability scans can all submit proposals that are indistinguishable until you know the right questions to ask.
Here are five of them.
Automated vulnerability scanning finds known vulnerabilities catalogued in public databases. It does not find the logic flaws, misconfigurations, and trust relationships that a patient, creative attacker would exploit. This is the gap that separates a genuine cyber security assessment from an automated scan. Any firm worth hiring should be able to explain their manual process in plain language — without retreating to jargon or referencing their toolset.
What to request: Ask them to walk you through an anonymized example from a real engagement — how they moved from initial access to a privileged position using techniques no scanner would have flagged. Most vendors will cite NDAs. The ones who can produce a sanitized narrative, with the chain of reasoning intact, are demonstrating confidence in their work that a firm running automated scans simply can't match.
Ask your vendor which MITRE ATT&CK® tactics their last engagement surfaced — and use our breakdown of what a Gold Standard pentest report actually contains as a benchmark for what any vendor claims they'll deliver.
Certifications matter — OSCP, OSWE, and CREST are meaningful signals of technical baseline. But they are the floor, not the ceiling. A firm that leads with credential lists and nothing else is telling you something.
Also ask how they approach engagement design. Do they offer agentic offensive security capabilities — autonomous, AI-driven attack simulation that mirrors how modern threat actors operate? Can they justify which testing methodology — black box, gray box, or white box — they'd recommend for your specific environment, and articulate why? Do they structure engagements against a recognized standard like the Penetration Testing Execution Standard (PTES) or OWASP Top 10 guidelines? The answer tells you whether you're dealing with a firm that designs tests deliberately or one that runs the same playbook for every client.
The real question: Can they walk you through a scenario where they chained two "Low" severity findings into a critical breach? Vulnerability chaining — combining individually minor weaknesses into a catastrophic access path — is one of the clearest markers of adversarial thinking. It's also one of the first things scanner-only vendors miss.
If they hesitate, or if their examples sound like automated scan output narrated by a human, walk away. The best firms have these stories ready because they live them on every engagement.
Most vendor evaluation scorecards have a checkbox for social engineering. Almost no one probes what that actually means in practice.
Social engineering capability is the sharpest differentiator between seasoned and average firms — and the easiest to fake on paper. The CrowdStrike 2026 Global Threat Report found that 82% of detections in 2025 were malware-free — adversaries moving through valid credentials and trusted integrations, not through code your tools are tuned to catch. A pentest that never tests your people is not a full-scope adversarial assessment. It's a technical audit.
Ask specifically: Does the firm conduct pretexting calls? Spear-phishing simulations? Physical bypass attempts against your facilities? Can they demonstrate how they'd map your organizational chart using open-source intelligence (OSINT) before the engagement begins? A true red team engagement is adversary emulation — mirroring the tactics, techniques, and procedures of a real threat actor, not running a scripted checklist. That means coordinated coverage across network infrastructure, web application penetration testing, cloud environments, human targets, and agentic offensive security capabilities in a single campaign. Firms that can't deliver that scope aren't running a red team; they're running a technical audit with a premium price tag.
Rules of engagement are not a formality. They are the primary mechanism that separates a professional adversarial engagement from an uncontrolled risk event — and one of the clearest signals of how mature a firm actually is.
Ask how they approach rules of engagement before you engage. A mature firm won't hand you a template — they'll build it with you. What that process looks like tells you more than their pitch deck ever will. At minimum, a well-scoped RoE should define scope boundaries, testing windows with blackout periods for critical operations, and escalation protocols for when something unexpected occurs mid-engagement.
A firm that hands you a two-page RoE is treating your environment as a commodity. A firm that walks you through each clause — and asks intelligent questions about your production dependencies before finalizing scope — is treating it as a risk management exercise. Also ask how they handle scope modifications in flight; firms that can't answer that haven't thought seriously about operational risk. For more on rigorous scoping, see Do You Know What Kind of Penetration Test Your Organization Needs?
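The scope boundaries, testing windows and blackout periods a RoE defines only protect the client if they are checked before every action an operator takes. The following is an added example, not code from the original post or from the firm it describes, of a small RoE check that refuses out-of-scope targets, excluded hosts, blackout periods and off-window timestamps and points the operator at the escalation contact when it refuses. Every address block (RFC 5737 TEST-NET ranges), date and contact below is a constructed placeholder, and the `check_request` helper and the window/blackout semantics are this example's own assumptions, not a published standard.

```python
"""Rules-of-engagement (RoE) enforcement check (added example; all values constructed)."""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network
from typing import Tuple


@dataclass(frozen=True)
class TestingWindow:
    """A recurring approved window, expressed in UTC. Monday is weekday 0."""
    weekdays: Tuple[int, ...]
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        when = when.astimezone(timezone.utc)
        # The weekday test is applied to the timestamp itself, so a 22:00-06:00
        # window that starts on Friday night still rejects 02:00 on Saturday.
        if when.weekday() not in self.weekdays:
            return False
        t = when.time()
        if self.start <= self.end:                  # same-day window, e.g. 18:00-23:00
            return self.start <= t < self.end
        return t >= self.start or t < self.end      # window crossing midnight, e.g. 22:00-06:00


@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope: Tuple[str, ...]                          # CIDR blocks the client authorized
    excluded: Tuple[str, ...]                          # hosts or blocks carved out of scope
    windows: Tuple[TestingWindow, ...]                 # approved recurring testing windows
    blackouts: Tuple[Tuple[datetime, datetime], ...]   # one-off freezes, e.g. quarter-end close
    escalation_contact: str                            # who to reach when something unexpected happens

    def check(self, target: str, when: datetime) -> Tuple[bool, str]:
        """Return (permitted, reason). Exclusions and blackouts always win over windows."""
        if when.tzinfo is None:
            raise ValueError("RoE checks require a timezone-aware timestamp")
        addr = ip_address(target)
        if any(addr in ip_network(block) for block in self.excluded):
            return False, f"{target} is explicitly excluded from scope"
        if not any(addr in ip_network(block) for block in self.in_scope):
            return False, f"{target} is outside the authorized ranges"
        for start, end in self.blackouts:
            if start <= when < end:
                return False, f"{when.isoformat()} falls in blackout {start.date()} to {end.date()}"
        if not any(w.contains(when) for w in self.windows):
            return False, f"{when.isoformat()} is outside the approved testing windows"
        return True, "permitted"

    def decide(self, target: str, when: datetime) -> str:
        """Operator-facing decision line; a refusal names the escalation path."""
        ok, reason = self.check(target, when)
        if ok:
            return f"PROCEED: {target} at {when.isoformat()}"
        return f"HALT: {reason}; escalate to {self.escalation_contact} before continuing"


def check_request(roe: RulesOfEngagement, target: str, iso_when: str) -> Tuple[bool, str]:
    """Convenience wrapper for ISO-8601 timestamps carrying an explicit UTC offset."""
    return roe.check(target, datetime.fromisoformat(iso_when))


UTC = timezone.utc

# Constructed sample RoE for a hypothetical client: weeknight window 22:00-06:00 UTC,
# one host carved out (e.g. a payment gateway), and a quarter-end-close blackout.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=("203.0.113.0/24", "198.51.100.0/25"),
    excluded=("203.0.113.10/32",),
    windows=(TestingWindow(weekdays=(0, 1, 2, 3, 4), start=time(22, 0), end=time(6, 0)),),
    blackouts=((datetime(2026, 3, 31, tzinfo=UTC), datetime(2026, 4, 2, tzinfo=UTC)),),
    escalation_contact="roe-escalation@example.com",   # placeholder contact
)

if __name__ == "__main__":
    # Constructed sample requests an operator might raise mid-engagement.
    requests = [
        ("203.0.113.25", "2026-03-30T23:00:00+00:00"),  # Monday night, inside the window
        ("203.0.113.25", "2026-03-31T23:00:00+00:00"),  # inside the blackout
        ("203.0.113.10", "2026-03-30T23:00:00+00:00"),  # excluded host
        ("192.0.2.5", "2026-03-30T23:00:00+00:00"),     # never authorized
        ("198.51.100.7", "2026-03-30T12:00:00+00:00"),  # in scope, wrong time of day
    ]
    for target, iso_when in requests:
        print(SAMPLE_ROE.decide(target, datetime.fromisoformat(iso_when)))
```

The ordering of the checks is the design point: an explicit exclusion or a blackout must refuse the action even when the target and time would otherwise be approved, which is the same precedence a well-built RoE gives to "hands-off" hosts and production freezes. A scope modification in flight is then a change to `SAMPLE_ROE`, agreed with the client, rather than an operator's judgement call.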
A deliverable that sits unread is a waste of budget — and a significant compliance exposure. If your organization operates under PCI DSS, SOC 2, or ISO/IEC 27001 requirements, the report is also a regulatory artifact — it needs to demonstrate evidence of testing and remediation, not just attestation. The CrowdStrike 2026 Global Threat Report puts the average eCrime breakout time at 29 minutes — the fastest recorded intrusion moved from initial access to data exfiltration in under four minutes. A report your team can't act on immediately isn't just a compliance gap. It's a 29-minute window you're handing to the adversary.
That compliance exposure is a deliverable problem as much as a security one — which means the standard you hold the report to matters. At minimum: an executive summary your CFO can act on, an attack narrative that reconstructs the full chain of compromise with proof of concept, and a phased remediation roadmap mapped to business priority — not just CVSS scores. For the full breakdown, see What Does a Pentest Report Look Like? Inside the Results.
The Global Ghost Team™ has maintained a 100 percent success rate in penetrating the security of every system it has been engaged to test — combining technical exploitation, vulnerability chaining, and social engineering in every engagement. Every deliverable is built to the same standard: deep enough for your board, defensible enough for your regulators, and specific enough for your team to act on it the day it lands.
Ask us these five questions in a scoping conversation. We'll answer every one. Request a Consultation to start the conversation — or explore our Penetration Testing Services to see the full scope of what an adversarial engagement looks like.