Choosing a penetration testing company directly impacts your organization’s security. The market is full of providers with varying competence levels – from elite teams with decades of experience to firms that sell automated vulnerability scans under the “pentest” label.
This guide will help you ask the right questions and recognize warning signs before signing a contract.
Questions to Ask Before Choosing a Provider
About the Team and Competencies
1. Who will perform the tests?
- Are they full-time employees or subcontractors?
- What certifications do they hold (OSCP, OSCE, GPEN, CREST)?
- How many years of experience does the team have?
Certifications like CEH or GPEN are entry-level; OSCP and OSCE require demonstrated practical skills. If a company can’t present its pentesters’ certifications, that’s a serious red flag.
2. Can I see the pentesters’ CVs? Professional firms provide anonymized profiles of their specialists. You should know who will have access to your infrastructure.
3. What is your pentester hiring process? Companies serious about quality have rigorous verification processes – practical tests, reference checks, background verification.
About Methodology and Approach
4. What methodology do you use? Expect references to recognized standards: OWASP Testing Guide, PTES, NIST SP 800-115. The company should be able to explain how they adapt these methodologies to your environment.
5. What is the ratio of manual to automated testing? A professional pentest is primarily manual work. Automated scanners help but don’t replace human analysis. If a company talks about “fully automated pentesting” – that’s not a pentest, it’s a vulnerability scan.
6. How do you validate discovered vulnerabilities? Every vulnerability should be verified with proof-of-concept. A report based solely on scanner output is not a pentest.
7. How do you handle discovering a critical vulnerability during testing? A professional firm has an immediate escalation procedure. They don’t wait until the final report to inform you about a critical flaw.
About Industry Experience
8. Do you have experience in my industry? Testing a bank differs from testing e-commerce or OT. Knowledge of industry specifics, regulations (PCI-DSS, NIS2, DORA), and typical architectures matters.
9. Can you provide references from similar clients? Trusted providers share references. If a firm refuses or claims “all clients are confidential” – keep asking.
About Deliverables and Support
10. What does a sample report look like? Request an anonymized sample report. Evaluate:
- Does it include an executive summary understandable to management?
- Are findings clearly described with proof-of-concept?
- Are there specific remediation recommendations?
- Is there risk prioritization?
11. What does post-test support include?
- Is results consultation available?
- Do you offer retesting after fixes?
- What is the cost of retests?
12. How long are you available after delivering the report? Questions arise weeks after testing. A good firm offers support for a defined period.
Elements of a Professional RFP
Scope and Objectives
- Exact description of in-scope systems (IPs, domains, applications)
- Test objectives (compliance, risk assessment, control validation)
- Test type (black box, grey box, white box)
- Exclusions (production systems during specific hours, etc.)
Technical Requirements
- Required methodologies and standards
- Expected depth of testing
- Escalation procedures for critical findings
- Documentation requirements
Provider Requirements
- Minimum team certifications
- Industry experience
- Liability insurance
- Security procedures (how do they protect client data?)
- Employee background checks
Deliverables
- Report format and structure
- Delivery timelines
- Results presentation (for IT, for management)
- Retest included or separate?
Commercial Terms
- Billing model (fixed price, T&M, retainer)
- Scope change procedures
- Confidentiality terms (NDA)
- Liability and insurance
Red Flags – When to Walk Away
1. Price Significantly Below Market
If an offer is 3x cheaper than the competitors’, it is likely that:
- Testing will be mostly automated
- The team is inexperienced
- Scope will be “optimized”
A professional web application pentest requires at least several days of experienced specialist work. You can’t do it for $500.
2. No Specifics About the Team
“We have experienced pentesters” without any way to verify certifications and experience is a red flag.
3. Promises of “100% Security”
No pentest guarantees detecting all vulnerabilities. A company promising “complete security” either doesn’t understand the nature of testing or is deliberately misleading.
4. No Methodology
“We test everything” without reference to recognized methodologies suggests a chaotic approach.
5. Report as “Scanner Output”
If the sample report is mainly screenshots from Nessus or Burp Suite without contextual analysis – that’s not a pentest.
6. No Escalation Procedure
A company that doesn’t know how they’ll handle discovering a critical vulnerability on Friday evening isn’t prepared for professional testing.
7. Insisting on Full Payment Upfront
The standard is a deposit plus the balance after report delivery. Demanding 100% upfront on a first engagement is risky.
8. No Liability Insurance
Professional pentesting firms have professional liability insurance. Testing without insurance is risky for both parties.
Comparing Offers – What to Look For
Don’t Compare Just Price
Two offers for “web application pentest” can mean completely different scopes:
- 3 days vs 10 days of work
- 1 pentester vs team
- OWASP Top 10 only vs full business logic analysis
- Without retests vs with retests
Compare Person-Day Scope
Ask for an offer breakdown by person-days. This allows comparing actual work effort, not just final price.
Check What’s Included
- Technical report and executive summary?
- Results presentation?
- Post-test consultations?
- Retest?
Evaluate Flexibility
How does the firm respond to questions about scope modification? Are they open to discussion or rigidly sticking to the offer?
Building a Long-term Relationship
Benefits of a Regular Partner
- Familiarity with your environment shortens reconnaissance time
- Ability to compare results between tests
- Better understanding of business context
- Often better terms with a retainer
When to Change Providers
- Report quality declining
- Lack of innovation in approach
- Communication problems
- Conflicts of interest (e.g., selling security products)
Rotation for Fresh Perspective
Even with a good partner, it’s worth conducting a test with a different firm every 2-3 years. A fresh perspective may detect what the regular partner missed.
Summary
Choosing a pentesting company is an investment in security. Key criteria:
- Team competencies – verifiable certifications and experience
- Methodology – reference to recognized standards
- Deliverables quality – professional reports with specific recommendations
- Support – post-test availability, retests
- Transparency – clear communication, no hidden costs
Don’t choose the cheapest offer. A pentest that doesn’t detect real vulnerabilities is more expensive than no pentest – it gives a false sense of security.
Looking for a reliable penetration testing partner? Contact us – we’re happy to answer all the questions from this list.