Choosing a Testing Firm

Considerations when looking for a quality firm:

• Transparency: With the company's website, team, qualifications, expertise, services, estimated pricing, communications, quotes, SOWs, methodologies, objectives, fees, contracts, testing preparation, real-time progress during testing, and so on. Look for someone who is open, honest, and prioritizes transparency above intellectual property and time and cost concerns. We are committed to transparency as discussed in this video: https://www.youtube.com/watch?v=sALegq1-PDs
• Experience: Evaluate testers based on resumes, social media, code repositories, blogs, education, training, and experience. Look for diverse skills and experience in cybersecurity, ensuring high testing standards, meticulous quality assurance, and compliance with rigorous testing standards. You can learn more about our team here: https://penconsultants.com/team
• Company Size: Size does not matter. Quality matters, and there does not appear to be any correlation between the two. There are plenty of solo testers and small companies that we would recommend over some of the largest firms in the industry.
• Sample Report: Evaluate a sample findings and recommendations report. Analyze the quality of the findings and recommendations, prioritized risk ratings, detailed explanations, screenshots, communication of risks, replicability, and comprehensive mitigation options. Be on the lookout for phrases such as “the scanner identified”, “you should determine if this is a false positive”, “address only medium level risks as higher”, etc., all actual quotes from less than reputable firms. As an example, you can see one of our sample reports here: https://penconsultants.com/report
• Price: Thorough scoping is crucial for determining final pricing. However, if estimated costs are not disclosed upfront, it may signal aggressive sales tactics. Conversely, fixed pricing without tailoring it to your environment likely means basic automated scanning or excessive charges. As an example, we provide estimated costs for all of our common services here: https://penconsultants.com/pricing
• Methodology: Choose reputable firms that provide comprehensive insights into their methodology and a contractual commitment to outlined processes in the SOW. Avoid vague, unqualified descriptions like "penetration test", automated scans sold as pentesting, and time-based engagements, potentially leaving gaps in testing coverage. If the service details simply state something such as 40 hours of penetration testing before moving to assumed breach, they are not likely focused on completing a particular methodology, and thoroughness of testing will only be as good as the speed of the tester and will almost certainly leave gaps in what is tested. As an example, you can see the methodology details of all of our services here: https://penconsultants.com/services
• Communication: Inquire about communication methods and updates provided during testing, including tester contacts, real-time notes, tools used, timestamped activity, IP addresses and so on to keep you informed throughout testing. See a sample of what we provide here: https://penconsultants.com/realtimeTransparency
• Education: Pentests involve many variables. Ensure your firm has an in-depth discussion of options and the pros/cons of each; otherwise, it may not be tailored to your needs.
• Protection: Ask about how your data is protected during and after testing. If a company sends vulnerability details, reports, contracts, or statements of work over unencrypted email, it's a red flag. A summary of how PEN Consultants protects client data during an engagement can be viewed here: https://youtu.be/QI7TrYFiqZc
• SOW: Ask for a sample Statement of Work (SOW) for a common test, such as a network penetration test, to ensure thoroughness and clear terms that might lead to minimal testing. You may be required to sign an NDA, but this could be worth it.
• Value: Pricing significantly below average can signal deceptive marketing, and above average could be from inefficiencies or markups. For example, an external network vulnerability scan should start around $2,500, an assessment at $5,000, and a pentest at $10,000, with internal tests costing about 50% more. Part of our mission and vision statements, as well as a core value, is to be the highest quality security testing firm, while remaining the most affordable. You can view more on that here: https://www.youtube.com/watch?v=ETCDd4r7vrw
• Insurance: Verify the company has liability insurance for potential damages or outages resulting from testing. PEN Consultants carries all policies and coverage amounts typical for this industry.
• References: Reach out to provided references for insights on their experience with the firm, although finding public references in cybersecurity may be challenging. As an example, we have many clients whom we can connect you with, and some have even publicly listed their references here: https://penconsultants.com/testimonials
• Interview: Interview vendors as thoroughly as you would a job candidate. Assess their knowledge, compatibility with your team, honesty about limitations, humility, etc.
• CSR: Company values, alignment, and philanthropy may be noteworthy to you. PEN Consultants’ efforts can be seen here: https://penconsultants.com/CSR.