❓ 10 Questions You Should Ask Your Pentesting Vendor

❓ 10 Questions You Should Ask Your Pentesting Vendor


❓10 Questions To Ask Your Pentesting Vendor

Author(s): Blake Shalem

It’s important to ensure you are on the same page as your pentesting vendor so your goals are in line with reality. When choosing a vendor the prices, level of effort and quality vary greatly. Take the time to read our guide below so you are better prepared and know what to expect in order to ensure a successful, productive assessment and that you receive a powerful deliverable.

🚀 ⚖️ What is your company’s mission, values and differentiators?

It’s important to know your goals are aligned with your pentesting vendor. Do you need an assessment done quickly to check a compliance check box, or are you actually looking to assess what is working, what is not working, and to outline improvement steps?

🤺 Who will be doing the actual testing for my project?

Don’t fall for the bait and switch! Some firms present their senior engineers, then have interns do the work. Also some firms utilize subcontractors. Businesses are asking for someone to “hack” them so the pentester should be a FTE (full time employee) that’s trusted and well-vetted. In a similar vein, ask how many pentesters will be assigned to your project. One tester working in a silo is not ideal.

🧓 What is the company’s and the tester’s relevant, recent experience?

Certifications are valuable, but the experience is far superior. Ask for examples of how the company has assisted a similar business and how the company assisted. Does the pentester have any relevant past experience as a systems engineer or developer? That expertise will lead to accurate remediation recommendations which will make the remediation process much faster and easier.

🧐 Can we review a recent sanitized report?

At the end of the engagement, the report is your main takeaway. Make sure it will be a valuable output for you to share with executive management and potential clients to either initiate change and progress or prove your safeguards are effective. Does the report just talk about vulnerabilities and risks or does it help identify areas of improvement for the organization's defense-in-depth architecture? Does the report clearly illustrate a kill chain and communicate what the actual impact to the organization is?

⏰ What is the total timeframe for the pentesting engagement?

Many cybersecurity companies try to cram in as many tests as possible to make the most money instead of putting in the time needed to ensure quality and a thorough assessment. Find a company that delivers in-depth assessments that actually provide insight and actionable guidance.

🥷 What are your penetration testing processes?

Many “pentest companies” use only automated vulnerability scanners in an effort to keep their costs down, and therefore their prices. Vulnerability scanning is an important aspect, however there are many open-source scanners available that can be set up with an hour or two of someone’s time. A company’s penetration testing budget should not be spent purchasing vulnerability assessments masked as penetration tests. What standards are followed? What tools are utilized? Is there anything proprietary used? (Proprietary tools are not ideal because it’s difficult to replicate the exploitation of a vulnerability)

🗣️ Ask for references.

Talk to previous clients who have worked with your vendor before and ask what the experience was like. What were their strengths and weaknesses?

🔍 Is a validation test or a full retest included or an option?

Depending on the driving reason behind your pentesting need (compliance check box vs insight), you may want to include validation testing or a full retest including a cleaner second standalone report. Beware of “Free Retests” that’s usually a sneaky marketing tactic - There is nothing free, it just means the cost for the time of the retesting is bundled into your SOW without giving you the option.

📝 Will I receive updates and be notified should any high or critical vulnerabilities are discovered?

If the answer is yes, how often and how will you receive an update? Pentesters that are able to join Slack and Teams are better than email for real-time collaboration.

👀 How detailed are the remediation suggestions and is the vendor’s team available for questions and guidance during the remediation process?

Check out the sample reports to see if the remediation suggestions are granular and specific, or vague. Find a group who understands your perspective as the client and who has an IT background. Ideally, they will help guide your team through the remediation process if help is needed and questions arise.

Fun Footer Stuff:

Copyright 2023 Enclave Regenerous. Unless otherwise stated, all of our work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Simply put, please share it, provide attribution and if you remix it then share generously with others. The work of others that is featured on this site is always provided with attribution and is not directly monetized.



The opinions expressed here are respectively our own and do not reflect the views of our organization or anyone else unless quoted verbatim.

We try our best to provide helpful insight to folks but there is no warranty to completeness of anything we create or post here; so please be sure to always do your own research.