
Lies You’ve been told about Picking a Pentesting Company

Written by Thomas Wilhelm | Aug 28, 2024 8:01:24 PM

I’ll say it… every article I’ve read about how to choose the right network penetration testing company for your firm gives misguided advice. These articles usually recommend asking about methodologies, certifications, references, liability insurance, and cost. Unfortunately, none of these tell you anything about a firm’s penetration testing efficacy, nor do they differentiate the competency of one company from another.

Here's a better list of what you should ask:

  • How familiar are your pentesters with our type of network architecture?
  • How do you assign consultants to projects? Is whoever happens to be available placed on the project, or do you assign the most qualified people even if that means others sit on the bench?
  • How many junior consultants do you have? What’s the proportion of Senior to Junior consultants within your organization?
  • Do you charge less when you use Junior consultants?
  • Can I see the resume of the person that will be working on my project?
  • Can I interview the person that will be working on my project to make sure they are a good fit?

The farther down that list you get when talking with a pentesting company, the more uncomfortable most of them will become. Here’s the problem: larger pentesting companies are often driven to maximize profits, which at the most basic level means charging premium prices for work performed, even when it’s performed by junior consultants. You’ll also find the industry is littered with “job title inflation,” which is when a pentesting company calls someone a senior consultant when in reality they should carry a junior consultant title. Job title inflation is rampant because it lets a pentesting company tell you it is placing a senior consultant on your project, which convinces you that you’re getting higher-quality work.

What should your Budget be?

Let’s have a quick conversation about cost. I’m going to let you in on a secret… almost all penetration testing companies use the same hourly rate when building a quote. This means each pentesting firm should be presenting roughly the same quote once you give them the scope of your project. An organization that reduces its rate to win your business is not going to cut its profit margin; it will instead reduce either the quality or the length of the engagement. Quality is reduced either by using less qualified (and lower-paid) consultants or by leaning on automation to cut man-hours. Either way, the picture you get of your risk posture is less accurate. This is why you hear nightmare stories of companies paying for a pentest and instead receiving something equivalent to a vulnerability scan. So, my suggestion when discussing price is to make sure you compare apples to apples, which includes:

  • Length of the engagement – specifically the man-hours assigned, not just the calendar length of the engagement.
  • Quality of the pentesting consultant assigned to your project.
  • Ensuring the scope is identical, and not heavily weighted away from manual testing in favor of automated testing.

Summary

Without a true comparison, you risk exposing your company to a lower-quality engagement, which nobody wants. I’ll let you in on another secret: small, boutique pentesting companies or freelance consultants provide your organization with the best value for professional penetration testing services. I won’t get into the reasons in this blog post, but I wanted to drop that nugget since we were talking about cost. If you want to understand why, check out my next blog post.

I hope this blog helps you understand why almost everything you’ve been told about how to pick a pentesting company isn’t relevant, and gives you a different way to approach the subject. For organizations that are just starting to request penetration testing services, it can seem daunting to navigate the different sales pitches and drill down to the facts that actually differentiate consulting firms. Thanks for reading, and if you have any questions about this topic or anything related to professional penetration testing, reach out to us at Redstone Security. We’re more than happy to answer your questions, and we believe in supporting the community by helping companies understand the offensive and defensive security domains, even if you don’t end up hiring us for any of your security needs. Be safe out there!


About the Author

Thomas Wilhelm has been involved in Information Security since 1990, beginning with eight years in the U.S. Army as a Signals Intelligence Analyst, Russian Linguist, and Cryptanalyst. His expertise in the field of Information Security has led him to speak at prominent security conferences across the United States, including DefCon, HOPE, and CSI.

Thomas has contributed significantly to the field of professional penetration testing and information security. In his capacity as both a practice director and a managing director, he has played a pivotal role in executing offensive and defensive security initiatives for Fortune 100 companies and leading research and tool development that has influenced the security industry. Presently, he serves as a managing director at Redstone Securities and possesses master’s degrees in both Computer Science and Management.

His influence also extends to education, where he formerly held the position of Associate Professor at Colorado Technical University. Thomas has also written various publications, including magazine articles and books. Through Pentest.TV, he continues to provide advanced security training, and he has obtained numerous certifications over the years, including the ISSMP, CISSP, CCNP Security, AWS Cloud Solutions Architect, AWS Cloud Security Specialist, and multiple Solaris certifications.