Does the Location of My Penetration Testing Firm Matter?

Should I go with a local testing company or someone outside of my geographical area? As with most things, the answer is “it depends”; however, the majority of assessments can be tackled remotely. By giving penetration testing firms outside of your immediate location the opportunity to win your business, you can potentially open the door to testing firms that are a better fit and ensure you are receiving the most competitive pricing. On the flip side, penetration testing firms that operate in your local area can offer reduced travel costs when onsite time is required, as well as in-person presentations of findings, which are more effective for some organizations. Either way, the following pros/cons should be considered:

Benefits of Remote Assessments

  • Cheaper – Without having to consider travel reimbursements, which can vary widely from firm to firm, you’re already saving money on an assessment. Additionally, with more flexibility in scheduling and timing, and less overall time needed for project management and travel, the bottom-line assessment price should be lower in many cases.
  • Flexibility – No one likes schedule changes, whether planned or emergency, but they can be especially inconvenient when they impact testing schedules for onsite work. This will often cost your company more money in re-booking fees and project management costs. With remote assessment work, schedule changes or minor delays will have less of an impact on your bottom line and create fewer problems for your testing firm.
  • Options – Not having to worry about travel gives your organization more options as to which penetration testing firm you go with. You can evaluate based on more important criteria, such as references, experience, and professionalism.

Almost any assessment can be performed remotely these days. We have even worked with clients in the past to perform wireless assessments remotely (although we wouldn’t recommend it). Much of this can be accomplished by sending you a laptop to plug into your network, which the testing team can then access remotely without any configuration changes on your end.

Benefits of Onsite Assessments

  • Get to know your penetration tester or testing team – Call it old-fashioned, but some people really like to meet face-to-face and get to know the people that are hacking their network. We love to meet our customers too, so if you are using a local firm or if cost is less of a concern, most assessments can be performed at least partially onsite.
  • More context – Your penetration tester or assessor gets more context around your organization, your business, and how you work. Some things don’t transfer well over the phone when assessments include interviews (e.g. Gap Assessments, Compliance Assessments, or Best Practice Assessments), and these conversations are often a great learning experience for you and your employees.

Even if you’d prefer onsite work, we’d highly recommend at least considering or vetting companies outside of your local area. Travel costs are generally negligible compared to the overall cost of the assessment, and looking beyond your local area will allow you to consider the expertise of other companies. We use strict guidelines based on the GSA Travel allowances to ensure we provide reasonable travel estimates and expenditures for our clients.

With advanced technology, there is no longer a need for a physical presence in most instances, so the location of your penetration testing firm doesn’t make as much of a difference as it would in other industries. And if you request that an engineer be onsite for any or all portions of an assessment, we are happy to accommodate. We would also love the opportunity to travel to your location in order to provide the final presentation of findings for an assessment, regardless of whether it was conducted onsite or remotely.