When choosing a security testing company to perform penetration testing, red teaming, etc., there are a few things you should consider to guarantee that you find the optimal company for your situation.
Transparency: If you can’t answer all, or nearly all, of the following from the company’s website, they are not transparent.
Company Size: Size does not matter. Quality matters, and there is no correlation between the two. There are plenty of solo testers and small companies we would recommend over some of the largest firms in the industry. In fact, based on experience from past employers, and as a general rule, the larger the company, the less adequate the testing service. In addition to losing a more personal touch as compared to a smaller company, the client simply becomes another number.
Methodology: Determine the specific methodologies and techniques that will be used during testing. There is a growing number of fly-by-night companies and unscrupulous vendors who perform rudimentary vulnerability scanning and assessments but sell it to their clients as penetration testing. In other words, the client is paying penetration testing prices for a minimally effective vulnerability assessment service. Another common thing seen in the industry is time-based engagements. If the service details simply state something such as 40 hours of penetration testing before moving to assumed breach, they are not likely focused on completing a particular methodology, and thoroughness of testing will only be as good as the speed of the tester. This will almost certainly leave gaps in what is tested. To be clear, that is not to say the service details may not include a time component as a precaution against unforeseen environment complexities discovered during testing. Just be aware of the implications going into one of those agreements and question them if they “run out of time”. An experienced and respectable company will adequately project time and costs in advance and absorb the extra costs if testing runs over somewhat through no fault of the client. As an example, you can see the methodology details of all of our services here: https://penconsultants.com/services
Sample Report: Download, or request, a sample findings and recommendations report. Since this is typically the largest and most significant deliverable for a security testing engagement, you want to have a good idea of the level of detail and quality of the report. The key things you should look for are: (1) a prioritized risk rating for each finding to help you focus resources on what matters most, (2) enough detail and explanation in each finding to understand the risk and reproduce the attack, and (3) several detailed mitigation options in the recommendations so that you have one or more solutions to mitigate the risk. As an example, you can see one of our sample reports here: https://penconsultants.com/report
Research: Review the testers’ resumes, social media profiles, code repositories, blog posts, etc. Although there will always be a mix of beginner and intermediate level testers with any firm, there should be at least one tester providing oversight who has a wealth of education, training, and experience. Using a single attribute as the metric of a good tester is a flawed approach. Some of the smartest professionals in this industry have no college degree. Others may have a solid college education, with minimal certifications, but a wealth of industry experience. The point is, if one of these things is missing or weak, consider their strengths in other areas. If there is sufficient evidence of their knowledge and skill, don’t get hung up on a box they don’t have checked.
Communication: Ask how you are kept informed during an engagement. For example, PEN Consultants provides the name, cell phone number, and email address of each tester involved in the engagement. We also provide real-time testing notes that allow our clients to see the tools and commands we are running, with timestamps, the source IP address, etc. See a sample of what we provide here: https://penconsultants.com/informed
Protection: Ask how your sensitive data is protected during testing and afterwards. If the company is sending things such as vulnerability details, findings and recommendations reports, or, in most cases, even the contract and statement of work over unencrypted email, you should seek a new vendor immediately. If the company cannot follow the most basic and trivial security best practices for something as visible as email, how likely are they to be doing a good job behind the scenes protecting your most sensitive information from exposure, which could lead to a breach of your environment?
Insurance: Ensure the company carries liability insurance with a reputable insurance company in order to protect your business in the rare event that testing causes damage or outages in your environment. These policies are relatively inexpensive, so there is no reason a vendor should not carry them. PEN Consultants carries all policies and coverage amounts typical for this industry.
References: Call references. In this field, it is often hard to find clients who are willing to serve as public references, largely due to compliance and regulatory concerns. When references are given, be sure to call them. As an example, you can see our list of references here: https://penconsultants.com/testimonials
Interview: That’s right, you should interview a vendor just like you would interview a potential employee. Anyone can build a flashy website and marketing. How well do they actually know the field? Is their personality compatible with yours? Are they honest about deficiencies they may have when testing your unique environment, or are they excessively boastful? No one knows everything. You will never find someone with 100% of the needed knowledge from the get-go. A good security tester has a firm grasp on the basics, though, and the ability to quickly learn the rest on the fly.
Shop Around: Don’t settle for the first company you connect with. Talk to a few companies before pulling the trigger on one. Even after you select a vendor and they perform testing, reevaluate before the next engagement. If your budget allows for it, maintain relationships with at least two vendors at any given time. There’s no better way to compare results than having two vendors, at different times, perform the same testing. Drop the less effective vendor and find a replacement.
SOW: Once you commit to a particular vendor, ensure the statement of work (SOW) is detailed before signing the contract. The last thing you want to do is sign a contract with an extremely vague SOW that allows the testing provider to get by with a minimal amount of testing when you expected something much more.
Price: In some cases, pricing may be of concern to you. Pricing in this industry varies greatly for comparable quality levels of work. At a minimum, a security testing company should publish their hourly rate. If they do not, seek out a more transparent vendor.
Although detailed scoping is necessary to give final/fixed pricing, many companies refuse to disclose estimated or ballpark pricing until you make contact with them. If the provider you’re considering does not provide estimated pricing, they are likely going to use high pressure sales tactics in order to close the deal at the highest price they feel they can get out of you. PEN Consultants does not take advantage of our clients. We charge a fair price for the scoped service, regardless of the revenue of a client. Our ballpark pricing can be seen here: https://penconsultants.com/services
On the flip side of this, if a security testing company gives you fixed pricing based on minimal information, they are either: (1) giving you a very rudimentary testing service, such as fully automated scanning with little, if any, manual testing, or (2) sufficiently padding the price to cover all situations. Security testing engagements are never one-size-fits-all. Every engagement should be custom-tailored to a client’s needs, and, because of this, pricing will almost always be unique per client.
Unique to PEN Consultants is a guaranteed fair price on quality, standards-based testing. If you have a quote from another vendor, we guarantee to beat, or match, their price. We are committed to our vision of being the most highly skilled, ethical, effective, and biblically-centered security testing company in the industry, while remaining the most affordable.
Corporate Social Responsibility: When selecting a vendor, the social efforts a company supports may be of concern to you. PEN Consultants’ efforts can be seen here: https://penconsultants.com/CSR.