Choosing a Penetration Testing Company: Part 2


Now that Cole Stafford has discussed what a penetration test is (not a vulnerability scan) and the types of tests available, I’ll take a look at choosing the best penetration testing company for your needs. Choosing the right pentest company can be daunting, but it doesn’t need to be once you have a clear idea of your organization’s needs and the types of options available.

Expertise, Credentials & Reputation

When it comes to choosing a penetration testing company, think of it like picking a locksmith for your digital fortress. You want someone with the right keys, the know-how, and a reputation that precedes them. Some companies try to pass off automated testing as true manual penetration testing, and others use inexperienced testers so they can claim that scan results were manually verified.

Expertise is key; you need a team that’s not only familiar with the latest cyber threats but also understands how they apply to different networks and applications and can exploit them in order to discover your organization’s gaps. Look for certifications like OSCP, OSEP, and PNPT, which show they’ve got the chops to handle your security needs. 

On the mundane, but important, side of things, be sure the company you choose has the appropriate liability insurance. The reputable ones will already have this in place and will be able to send you their Certificate of Insurance (COI). 

And finally don’t forget reputation – a company with a solid track record and glowing reviews is like a trusted friend who’s always got your back. So, when you’re on the hunt for a pentest partner, make sure they’ve got the experience, the credentials, and the street cred to keep your digital doors locked tight.

Testing Approach and Methodology

Look for a company that will work with your team to scope the best penetration test for your organization’s needs. While some companies may try to sell you services you don’t need to get the highest sale, a respectable penetration testing company will work with you to understand your needs and to help you scope tests that meet your budget while still covering key areas.

If your organization is in a specialized industry, it’s also crucial that the penetration testing company has experience testing in that area. From critical infrastructure, such as Energy, Telecommunications, Transportation, and Water, to Finance and Banking, Healthcare, Manufacturing, and Education, you’ll want to find a company that understands your industry, its systems, and the threats it faces. Government Agencies and Contractors have very specific needs, often including frameworks like NIST 800-171, CMMC, DFARS, and ITAR. Companies in the technology sector, including Blockchain and Cryptocurrency, Technology and Software Development, Media and Entertainment, and Social Media, face constantly changing threats as well.

Check that the company follows recognized methodologies, such as OWASP for web application and API testing, and proposes to perform manual testing of all critical areas. See my recent post on scoping penetration tests for a more detailed look.

Compliance and Regulatory Knowledge

Choosing a pentest company with a deep understanding of the compliance and regulatory frameworks that affect your organization is also important. Industry-specific regulations like GDPR, HIPAA, and PCI DSS have highly specific rules, and your penetration testing company should guide you through those while scoping and performing your compliance penetration test.

A vulnerability scan does not count as a penetration test for regulations such as PCI DSS, which require attempted exploitation of the vulnerabilities found. Network segmentation testing, which confirms that your PCI network is actually isolated from the rest of your environment, is also a key part of the PCI DSS requirements.

With a trusted penetration testing company helping you through the process, you’ll not only tick the boxes for compliance, but also you’ll fortify your defenses against real-world threats.

Reporting

Reporting is often an afterthought during the initial penetration test process, but in the end (unless you choose a continual PTaaS option like Raxis Attack) you’ll have a report in hand after your pentester has completed testing. You’ll need that report to clearly and understandably prioritize and explain the gaps in your systems so that your team can get to work correcting them to keep malicious hackers out.

Look for a company that provides compliant reports that include proofs of concept that clearly explain what your pentester did, including tools and commands used and readable screenshots to help your team follow along as they correct the issues. Raxis Strike, our traditional penetration testing offering, includes all of the above along with an explanation of what each finding is, remediation tips, and references to give your team a running start when correcting vulnerabilities. We also include a storyboard explaining the testing process, so you understand the areas covered even if your team had things locked down so tight that our pentester had no findings in certain areas. 

Trustworthy companies will be happy to show you a sample report to give you an idea of what your final product will look like.

Costs and Pricing Structure

Price always plays a factor in every decision, but a manual human penetration test that fully tests your systems or applications will come at a cost. As the saying goes, if the price seems too good to be true, it likely is. During my time at Raxis I’ve seen customers choose a different vendor because the price was better, only to come back the following year and say they learned why and budgeted for our test this time around.

The high cost comes from paying highly qualified pentesters well. Inexperienced pentesters may be the reason for a lower cost. Other companies pass off automated scans and exploit tools as a true penetration test to lower prices even further. Request a demo and ask to see pentester certifications in order to get an idea of whether the company you’re looking at uses those tactics.

With that said, reputable penetration testing companies can often meet organizations’ budgets by working with them to find the best scope (maybe only an external network test this year). I discuss penetration test pricing in this blog if you’d like to delve more deeply.

Scalability and Long-Term Relationship

Finally, I recommend finding a company that offers the types of penetration tests your company needs now… and those it may need in the future. This allows you to build a relationship with a trusted vendor that learns your organization’s goals and scoping. When you have changes to your environment, they will work with you to increase your scope as needed.

At Raxis, our PTaaS model, Raxis Attack, also keeps track of your assets over time and allows you to go back in time to see changes in assets, vulnerabilities, and remediations within our Raxis One portal. As with many things, it helps to have all of this information at your fingertips in one place.

Check Out the Other Posts in the Series

If you haven’t already taken a look at Cole Stafford’s first post in this series explaining what a penetration test is and the types of tests, I hope you’ll take a look. 

And, you may have noticed above that I mentioned Raxis Attack and how you have access to more than just a report with it. Keep an eye out for the final post in this series where Caroline Kelly will compare PTaaS options, such as Raxis Attack, to traditional penetration tests like Raxis Strike.
