5 Questions To Ask When Evaluating a Penetration Testing Company

Whether your organization has been the victim of a recent data breach or has never had expert penetration testing done before, it’s probably time to call in cybersecurity experts. The right cybersecurity company can help you identify the strengths and weaknesses of your networks and systems so you can improve the security posture of your organization and stay one step ahead of threat actors.

One way they can help is through penetration testing. A penetration test can identify your network vulnerabilities and help you remediate them to decrease risk — but which cybersecurity expert should you hire to run it? Below, we’ll discuss the five questions to ask (and what answers to look for) when evaluating a penetration testing company.

5 Questions To Ask Penetration Testing Companies

1. What Type of Pentesting Do You Specialize In?

Not every cybersecurity company has the experience and knowledge to handle all six types of penetration tests. Penetration testing types include:

  • External Network Penetration Testing
  • Internal Network Penetration Testing
  • Social Engineering Testing
  • Physical Penetration Testing
  • Wireless Penetration Testing
  • Application Penetration Testing

When listening to the response, see if they push one type of penetration testing over another, and look out for companies that don’t ask you questions to find out which penetration testing services are right for your organization. Although all penetration test types are valuable, the best penetration testing companies can identify which test(s) you need most urgently.

2. What Certifications Does Your Company Hold?

There are many cybersecurity certifications that indicate the level of professionalism and experience you can expect from a penetration testing company.

Respectable certifications include:

  • EC-Council’s Certified Ethical Hacker (CEH)
  • GIAC (Global Information Assurance Certification) GPEN
  • CompTIA’s PenTest+
  • Offensive Security Certified Professional (OSCP)

While the CEH and GPEN certifications are entry-level, CompTIA’s PenTest+ is considered an intermediate certification. Only the more experienced companies will have the advanced certification — OSCP. If a newer company is just starting out, they may not yet be able to handle the cybersecurity needs of larger companies.

3. Do You Rely on Automated Tools When Conducting Your Pentest?

“Set it and forget it” should not apply to penetration testing, because pentests are supposed to simulate an attack by real threat actors. Automated tools have limitations, and they may miss some of the more subtle weaknesses that threat actors definitely wouldn’t miss.

Accurate penetration testing is performed by a team of cybersecurity experts — called pentesters — using a penetration testing framework to carry out the simulated attack. The PCI Data Security Standard asserts that “Judgment is required in selecting the appropriate tools and in identifying attack vectors that typically cannot be identified through automated means.” (p.14) With this in mind, be on the lookout for cybersecurity companies that try to sell you automated scans, as these are not true penetration tests.

4. What Does Your Pentest Report Cover?

If the company you are asking says that their test doesn’t come with a report, this is a red flag. A detailed report is the main deliverable of a penetration test, and a comprehensive penetration test report should include:

  • A summary of what was done during the test
  • A walkthrough of the simulated attack
  • Mitigation recommendations for found vulnerabilities

The report should be a full account of the pentesting services provided, what vulnerabilities were found, and which ones you need to address first (and how).

5. Do Your Pentesting Services Include a Remediation Plan?

Once you are made aware of vulnerabilities in your systems, you’ll want to know what you can do about them. A remediation plan will show you the steps to take to resolve identified vulnerabilities. A quality penetration testing company will include a remediation plan in the report and will go over it with you to ensure that you know what steps to take to defend against cyber attacks in the future.

Find the Risks, Understand the Consequences

Penetration testing can be one of the most beneficial components of your cybersecurity program — if you work with an experienced penetration testing company that puts your organization’s needs first.

Find out how the right penetration tests can keep threat actors out and your private data in by exploring more about pentesting services at Mitnick Security.
