Should You Vet Penetration Testing Companies Via References?

We often get asked for references for our work. As you would expect, if you are hiring someone to hack your company or determine where your security vulnerabilities lie, you want to make sure they can be trusted. As part of the screening process, we highly recommend that you vet penetration testing partners via professional references for the specific type of work that you are looking to have completed. Below, we detail how we recommend you approach the reference process.

Reference Vetting Process:

  1. Request References – The first step in the vetting process is to ask for references if they have not been provided yet. In the event a company is not willing to provide any references, this should raise a red flag. With that being said, keep in mind that some organizations are very wary about disclosing who their penetration testing firm is, and many don’t want their name to be used at all, much less as a professional reference for other organizations. This can limit the references a penetration testing firm is able to offer.
  2. Ensure References are Applicable – Where possible, request that at least one of the references provided has had a project performed that is similar to the one you are looking to complete. A Best Practice Gap Analysis is a completely different assessment than an External Penetration Test, and each requires a completely different set of skills. Overall, references should be used to confirm quality of work, professionalism, communication, responsiveness, etc. regardless of the specific task, but it always helps to compare apples to apples.
  3. Engage References – Ask for a general overview or prepare a more specific list of questions that you would like to get addressed. Email is often the easiest method of communication for initial contact so you don’t have to worry about playing phone tag, but you can always request a follow-up call to ensure clear lines of communication. Below is a sample of possible questions:
  • How responsive were they throughout the process?
  • Were they professional throughout the engagement?
  • Do you feel that you received value for the price that you paid?
  • Did they meet the deadlines laid out at the beginning of the project?
  • Did they try to sell you unnecessary products?
  • Do you feel the engineers were qualified to conduct the testing you hired them for?
  • How was the technical writing in the final reports? How was the final presentation?
  • Would you hire that firm again? Would you recommend that firm?

Odds are that you are looking to spend at least a few thousand dollars for a security assessment, so you want to ensure you have conducted your due diligence. At the end of the day, taking 5-10 minutes for a few simple phone calls to properly vet your penetration testing firm can save you from hours of headache down the road if you wind up with a bad fit. The vetting process can pay dividends in the quality of work that you ultimately receive at the end of the project, perhaps driving you to pay a little extra for a better fit or helping you narrow down a close competition between firms.