10 Questions to Ask Penetration Testing Companies Before You Buy

Choosing the best pentesting company for your organization is not a simple decision given the hundreds of providers vying for your business, each offering varying levels of expertise, testing methodologies, and technologies to perform penetration tests.

To help you identify the best penetration testing companies for your needs, it is important to ask the right questions. To get started, here are 10 essential questions to ask potential pentesting companies during the RFP process – and what to look for in their responses.

  1. Are your resources contracted resources?  If not, what are your hiring practices?  
    Ask this question to understand how a company sources its pentesters, project managers, and other day-to-day practitioners working on your assessment. Would you prefer working with a team that works together often or a team of outsourced experts? The answer should also provide insight into the effort an employer puts into finding the best talent. It is especially necessary for you to understand how the company trains and ensures the resources have the expertise needed for your testing.
  1. Which regulatory bodies and compliance frameworks does my organization need to be aware of?
    Test the industry knowledge of the pentest companies you are evaluating. Learn how well they understand the external pressures your organization is facing and the additional expertise they can bring to the table.
  1. Can you share a breakdown of the tool-based vs. manual effort that goes into a typical penetration testing engagement?
    Find the right balance between automated scanning and manual testing based on the requirements of your organization. The answer should also reveal the company’s testing methodology and give you an understanding of the vulnerability management tools they use. Remember, to find critical business logic vulnerabilities, manual testing is required. 
  1. How do you ensure your team is up to date on the latest certifications and training? 
    The answer to this question will be an indicator of how much the company values its employees continued education and advancement. A company that strives for innovation will have a long list of processes, checklists, peer reviews, and more. Beyond external trainings and certifications, be sure to ask about the technology the organization is leveraging to ensure that the product of an assessment isn’t directly related to the tenure of the individual assessor. 
  1. How do you ensure return on investment (ROI) from each engagement?
    Ensure your testing partner is maximizing your investments to find business impactful vulnerabilities, not focusing on administrative tasks. ROI for security initiatives can be difficult to measure – and pentesting is no exception. Pentest efficiency is a great place to start. Ask the prospective companies how they reduce or eliminate the administrative burden of de-duplication and vulnerability tracking, how they enable multiple testers to work simultaneously, and learn about the automated processes they have in place to enable their pentesters to perform a test efficiently and thoroughly.
  1. How do you contribute to the greater security community?
    Instead of asking an organization to, “Describe your culture” ask this question. Explore the various ways a pentest company participates in the security community to gauge its drive to innovate. Review its open source tools, GitHub repository, public trainings, conference participation, community involvement, and more. This will specifically ensure their mission/vision statement is actually being delivered in their day-to-day efforts. 
  1. What do you consider your specific focus areas?
    A straightforward question that can reveal a lot about a pentest company. Which types of pentesting (application, infrastructure, cloud, mobile, red teaming, etc.) are they hired for most? Do they have specific industry niches What types of companies do they work with and in what industries? Which technologies enable their services?
  1. How do you ensure consistency and repeatability across all engagements? 
    Consistency is key in penetration testing. How can you ensure that your results don’t vary by tester? In this response, look for how they maintain centralized communication, repeatable processes, validate vulnerabilities, and track the progress of each test.
  1. How do you plan to grow with my organization over time? 
    Maintaining a relationship with one pentest company over time has its benefits, but only if that company can scale with your business. Talk about the plans for your organization and learn how each company can support you at every part of your growth journey. 
  1. What areas are not addressed within this RFP?
    A key benefit of working with a third-party penetration testing company is that it should be able to look at your security program holistically. Ask this question to explore other possible areas of risk and, as a bonus, learn how the company delivers its recommendations.
Download our 4-part guide: How to Choose the Best Penetration Testing Company

Is your organization prepared for a ransomware attack? Explore our Ransomware Attack Simulation service.