How to Choose a Pentesting Vendor
Penetration testing has become one of the most common engagements for today’s security-aware businesses. There are many reasons for conducting a pentest, including better security defenses, decreased risk levels or meeting strict compliance requirements; and there are even more penetration testing companies out there.
But how do you choose the right penetration testing company? What do you need to consider before engaging an external provider? And how can you trust this provider to perform the penetration testing engagement to your satisfaction and in accordance with your business needs?
We’ve gathered 10 best practices that may come in handy when choosing a penetration testing company:
- Define what type of pentest you need
- Evaluate the skills of the pentesting team
- Ask for relevant references
- Find out how your data will be secured
- Ask for liability insurance
- Get a sample report
- Verify project management capabilities
- Clarify the methodology and process
- Ask about options for retesting
- Get to know the pentesting vendor
1. Define what type of pentest you need
Before choosing your penetration testing vendor, you will have to define what type of technical testing you are looking for. Are you looking for a web application pentest, a mobile application pentest or a network/infrastructure pentest? Different types of pentests require different tools, knowledge and expertise, which also determine the cost of a pentest – make sure your pentesting company is well equipped to perform the pentest that you choose.
Once you’ve defined the scope of your pentest, you will have to indicate how you want the pentest to be performed, i.e. in black box, grey box or white box mode.
- Black box tests are performed without any knowledge of the tested environment. The objective of a black box pentest is to assess the level of security as seen by a third party connected to the internal network or the internet, without any prior knowledge of the environment.
- Grey box tests are performed with standard access or with only limited knowledge of the tested environment. The objective of a grey box pentest is to assess the level of security as seen by a legitimate user of the customer's systems, i.e. someone who has an account along with general information about the tested environment.
- White box tests are performed with full knowledge of the internal structure/design/implementation of the tested environment.
It is important that your penetration testing company is familiar with these different testing methods and can guide you appropriately in choosing a pentest type and method that will work for your goals and budget.
Usually, the pentesting company’s scoping questionnaire will ask for enough details to be able to propose a pentest that’s customized to your situation.
2. Evaluate the skills of the pentesting team
In addition to evaluating the pentesting company as a whole, you should also take a close look at the actual pentesters who will perform the engagement.
There are many penetration testers out there, but only few will have the skills and knowledge to perform a high-quality pentest. What matters is a solid mix of proven expertise and actual experience.
In terms of expertise, your pentesting team should be able to demonstrate their technical knowledge. For example, a university degree in information security coupled with ethical hacking certifications or continuous education courses is a great sign that your pentester has acquired the necessary theoretical and practical skills to get the job done. Some of today’s most commonly recognized certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher & Advanced Penetration Tester (GXPN), or Offensive Security Certified Professional (OSCP). When it comes to continuous education, the SANS Institute offers a variety of penetration testing courses to hone ethical hacking skills, including web application pentesting, social engineering, red team operations, wireless pentesting and more.
No matter which expertise your pentesting team has, make sure that their resumes demonstrate their level of technical knowledge and their willingness to learn and stay on top of modern pentesting techniques.
Ideally, your pentesting team should have accumulated experience in a variety of industries, for different types of companies and in different types of pentesting projects. If your organization operates in the financial sector, make sure that your pentesting team has experience with similar organizations in the field. If you’re looking for a red team exercise, look for comparable mandates. In general, your pentesting team should have accumulated at least a couple of years of experience. The more diverse the experience of your pentesting team, the easier it will be for them to adapt to your specific context and environment and perform a thorough pentest that is based on proven methodologies. It is very common for pentesters to include a summary of their most recent pentests at the end of their resume – make sure to request a copy!
3. Ask for relevant references
Before beginning your pentest, make sure to ask for 2-3 references of pentests conducted for organizations of similar size, with a similar scope or that are in the same industry as you. This way, you will get another piece of confirmation that your chosen penetration testing company is suitable to do a pentest for your specific business context.
A quick phone call with the provided references can help you validate the professionalism, expertise and value of the penetration testing company in ways that their sales proposal or the resumes of their pentesters could not reveal.
Questions you may want to ask:
- Was the pentest conducted to your satisfaction?
- What did/didn’t you like in working with the penetration testing company?
- How would you evaluate the pentesting team?
- Was the pentest delivered on time and on budget?
- Did the pentest report provide a concise list of the discovered vulnerabilities, plus appropriate remediation measures?
- Was there anything missing during the pentest?
- Would you do business with this penetration testing company again?
The insights gathered during the conversation with the reference contact(s) could prove to be very helpful in choosing the pentesting vendor that’s right for you.
4. Find out how your data will be secured
Pentesters certainly know how to get access to your confidential data, but their pentesting company will have to demonstrate that they will handle and store this data securely before, during and after the penetration test. After all, you are entrusting a third party with your most critical data assets and should receive an appropriate explanation about data handling before sharing anything confidential.
Data security questions can include:
- How will my data be transmitted?
- How will my data be stored?
- How will my data be erased?
- For how long will my records be retained?
- Has the pentesting company ever been hacked?
Getting clarification on data security can be a deciding factor when choosing a pentesting company you can trust.
5. Ask for liability insurance
Before signing a contract with a pentesting company, ask them whether or not they have liability insurance in place. Liability insurance is important because it protects your business from liability risks. For example, if the pentesting company causes any damage to your environment during their testing and intrusion activities, liability insurance will help remedy this damage.
After all, penetration testing companies are in the business of information security and risk management, so they should be able to prove their legitimacy with a valid liability insurance policy.
6. Get a sample report
The one and only deliverable of a penetration test is a detailed report, including all test findings as well as the necessary countermeasures and recommendations to secure your environment going forward. Make sure to get a copy of a sample pentest report to facilitate your decision-making process and get a feel for what you will actually get at the end of the mandate.
A good penetration testing report should include:
- An executive summary describing your overall security posture and indicating items that require immediate attention
- A technical review describing the activities performed to determine vulnerabilities and the results of the activities conducted in attacking target systems, including the methodologies used
- A detailed list of the vulnerabilities discovered and their exploits, listed in order of criticality
- Recommendations to optimize protection of the assets identified in the report, with consideration of the resulting cost in capital investment, operation and maintenance, personnel and time
- Appendices capturing tool outputs, screenshots, or other data that helps to give greater context or clarification to the vulnerabilities detected
- Optional: a tactical summary outlining possible next steps, which may include temporary workarounds and/or longer-term solutions that may need to be integrated into larger projects or investigated further
Regardless of what you’re looking for in a pentest report, make sure that it contains the right elements for whoever will read it.
Your technical IT team will be especially interested in the detailed list of vulnerabilities and exploits, along with step-by-step remediation recommendations, whereas your C-level executives or IT Director/VP may only review the executive summary to get an overview of your cybersecurity posture and risk exposure.
7. Verify project management capabilities
Just like with any other vendor you engage, part of the success of the project will depend on their project management capabilities.
Ask your penetration testing company what kind of processes and methodologies they have in place to ensure that your pentest project is executed smoothly and on schedule, e.g. based on the teachings of the Project Management Institute (PMI).
In addition to asking for the resumes of the pentesting team, make sure to also ask about the qualifications and experience of the assigned Project Managers. Have they dealt with similar pentesting projects before? Do they have appropriate credentials, such as the Project Management Professional (PMP)® certification? Sound project management capabilities will help keep your pentest on track and within budget, manage expectations and ensure quality deliverables at the end of the project.
8. Clarify the methodology and process
When choosing your penetration testing company, make sure to validate that your candidate follows an industry-recognized pentesting methodology and process. You will need to know exactly how the pentest will be performed, which steps will be followed, which tools will be used and how the exploits will be evaluated.
Normally, this level of detail is included in the sales proposal or in the statement of work. If not, don’t be shy to ask the pentesting company how they will proceed and what methodology they follow during the ethical hacking process. If they follow a similar methodology for all their pentesting engagements, chances are that this will improve the quality of their work and their level of thoroughness in the engagement.
9. Ask about options for retesting
If you’re on the lookout for a long-term pentesting partner, make sure to discuss the possibility of doing a retesting exercise after the initial pentest has been performed. Retesting is a critical element of a continuous penetration testing practice because it validates whether the remediation steps proposed by the pentesters have actually been put in place by your IT team.
Any pentesting company interested in improving your cybersecurity posture effectively and sustainably will likely include an option for retesting in their sales proposal, not only to facilitate a long-term partnership and more business, but also to help you strengthen your defenses against cyberattacks.
10. Get to know the pentesting vendor
Lastly, you should get to know your pentesting vendor and take the time to chat with the key resources who will be involved in the project delivery. To get started, ask yourself some basic questions:
- Does the pentesting vendor seem credible?
- Does the reputation of the pentesting vendor hold true?
- Is the communication between you and the pentesting vendor easy and straightforward?
- Do you feel like you can trust the pentesting vendor to perform the pentest according to what was agreed upon?
- Would you recommend this pentesting vendor to your network?
If you’ve answered “no” to any of the above questions, you may want to dig a little deeper before conducting the pentest. Don’t forget that you are about to entrust an external entity with the crown jewels of your business, so you had better make sure that you get along with the main contact people involved in the pentest and can start building a trusted relationship for future engagements. Especially when it comes to security, you need to have a good “gut feeling” when outsourcing certain projects to a third party.
When evaluating a penetration testing company, there are several best practices that you should keep in mind beyond how much the pentest actually costs.
At minimum, make sure that you thoroughly evaluate your potential pentesting vendor and validate their methodology and deliverables, data security practices and project management capabilities. You may also want to enquire about the credentials of the pentesters who will perform the job – the more experience they have on their resumes for organizations similar to yours or for similar projects, the better!
Reaching out to a couple of references can be helpful to get a feel for how the pentesting company conducts similar pentests and whether their pentests are professional and on target. Lastly, remember to take the time to get to know your pentesting vendor candidate. A quick conversation with the vendor’s key resources can help you make the right choice and build a long-term business partnership that is based on trust and mutual understanding.
Are you looking for a penetration testing company and need some practical guidance about what to look for? We’ve put together a 1-page checklist for how to choose a pentesting vendor that may come in handy for you. Good luck!