As penetration testing continues to grow in popularity and more companies are either required to have it or are doing it as part of best practice, people are running into the problem of how to shop for penetration testing. But what makes a good penetration testing company, and how do you compare companies? What should you even be looking for when you talk to penetration testing companies? We're going to walk through some of the core differentiators we've seen between your different options and share our perspective.
What To Look For?
It's hard to gauge a penetration testing company from their website and the limited interactions you have during the sales cycle. You're trying to guess what kind of service you're going to get, whether your goals for the project are going to be met, and whether you're ultimately going to be happy with the process and the end product. Some key things to look for might be:
- Communication – It may sound silly, but one of the thematic problems we've heard from clients is a lack of timely communication from the penetration testing firms they are engaging. If you're not getting responses from sales reps or engineers in the pre-sales process, it's probably not a good sign that you're going to get steady communication throughout the rest of the process. Additionally, if you're having to wait a long time just to get a proposal for penetration testing services, it shouldn't give you the warm and fuzzy feeling that you're being prioritized as a customer.
- Scope/Proposal Confusion – Another thing to look for during the sales process is whether your conversations and expected services are making it into the proposal with the scope you are expecting. If you are confused about what is included in the price you are being quoted, or if the proposal doesn't contain enough detail on the scope you discussed, this could be cause for concern that you are either being overcharged or something is being lost in translation. There should be no ambiguity about what you are getting from a penetration test before you sign up for the process.
- Expertise/Bait and Switch – A key difference between firms in the penetration testing space is the expertise of the engineer who will be assigned to your project. Are you going to speak with a senior engineer during pre-sales but actually have a brand new penetration tester assigned during execution? Or maybe your project is going to get passed off to an off-shore penetration testing asset so the firm can offer a cheaper price. Either way, you want to ask about and understand what level of expertise you're going to get and who exactly you'll be working with.
- Price – Of course money is a factor in these kinds of decisions. But when you're looking at cost, this is generally not a scenario where you want to go with the cheapest option. Be wary of costs that are significantly lower than the average quotes you're getting, as these are oftentimes nothing more than a vulnerability scan or work that is being farmed out to off-shore assets. Similarly, prices that are extremely high should be a cause for concern. A lot of times, larger firms will have much higher starting prices, or whoever is providing the quote has the scope wrong.
Obviously, there are many different factors to weigh when trying to determine if a penetration testing firm is the right fit for you. These are just a few considerations when trying to figure out what makes a good penetration testing company. If you feel like you're having trouble comparing quotes or just want to talk more about these factors, please reach out and we'd be happy to discuss.