What to Look For in a Penetration Testing Proposal?

A penetration testing proposal or quote for penetration testing services serves two primary purposes. The first, obviously, is to provide a price for the requested services and clearly define the scope that those services will cover. Second, and maybe less obvious, is that a proposal acts as your first chance to begin vetting the penetration testing company in question. Today we discuss some of the key elements that you should look for in a penetration testing proposal to ensure the candidate organization is qualified and will be the best fit to perform these services for you.

Key Items to Look For in a Penetration Testing Proposal:

  1. Scope – Ensure that the scope of the proposed project has been captured accurately, including key information such as the number of IP addresses, testing restrictions (time windows), key delivery dates, any travel requirements, etc. All of these items usually factor into the price, so as the buyer you want to be sure that the firm scoped the project correctly: you should not be paying too much, and the firm should be planning to test your entire scope.
  2. Deliverables – At the end of the day, the key pieces of any penetration testing project are the final reports. Be sure that the proposal clearly articulates exactly what documents you will receive. At a minimum, this should generally include an executive summary and a technical findings report. This is also a great time to request a sample deliverable set if you want to make sure the format of the documents is going to meet your internal needs and match your reporting requirements.
  3. Price – This goes without saying, but the proposal should have a fixed price for the requested assessment services. If you are receiving a number of different quotes, odds are the prices will vary significantly. You should ensure that the price provided covers exactly what you are looking for, and ask the firm questions if something seems off. We would also caution against going with the cheapest quote, especially if it is significantly cheaper than the other quotes you’re receiving, as this can be a red flag that the scope is incorrect or that the organization is not going to apply a reasonable level of effort.
  4. Engineer Biographies – This is something you’re not always going to see in a proposal, but we feel it’s important. You want to know the expertise and experience level of the engineers assigned to your project. After all, you are paying someone to hack into your company, so you want to make sure they are qualified and will conduct a quality assessment. Even if it’s not included in the proposal, this is something you should be able to request from a penetration testing firm.
  5. Methodology & Tools – Another item that is often not included but should be available upon request is the penetration testing company’s testing methodology. As with the engineer biographies, you are about to pay a decent sum of money for someone to perform a highly specialized assessment, and you have the right to know how they plan to execute the required testing.

A proposal is a representation of the company you are looking to hire and may be an early indication of the type of service you will receive. If something within a proposal seems off or looks like a red flag, proceed with caution. Do not be afraid to ask for references or any additional information you need in order to determine if a penetration testing company is a good fit for your organization and aligns with your ultimate goals.