How to choose the right provider for a penetration test?
Choosing the right provider for a penetration test has become considerably harder in recent years. Many IT companies have identified penetration testing as a lucrative line of business and added it to their portfolio. The number of providers on the market has grown significantly as a result, but finding a high-quality one has become more difficult.
When evaluating a potential provider, the following aspects are worth paying attention to. Simply asking these three questions will help you find a pentesting company that delivers good quality:
1. Which tools are used in a pentest?
This question is slightly misleading, because a penetration test is fundamentally manual work. A penetration tester uses tools, but which ones depends on the scope of the test, so no general statement is possible. A revealing wrong answer is one that names only a vulnerability scanner such as Nessus or Greenbone: the provider is then selling an automated vulnerability scan as a penetration test. Scanner output is no substitute for a pentest. Its false positives (a version-banner rule firing on a server that is already patched, for instance) have to be verified by hand before they mean anything, and its false negatives are the serious ones: authorization flaws, business-logic errors and chained weaknesses have no signature a scanner could match, so they are only found by someone actually exercising the application. Even where a scanner is run for coverage, a professional penetration test is never based on its output alone.
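To make that distinction concrete, here is an added example (not code from the article or from binsec). It builds a deliberately small, constructed web application in memory, runs a hypothetical banner-based scanner rule against it, and then does what a tester would do: verify the scanner's claim by actually exercising it, and test authorization with two identities. All names, versions and rules are invented for the illustration; nothing here touches a real network.

```python
"""Constructed illustration: a vulnerability scan is not a penetration test.

The target application, the scanner rule and the users are all hypothetical.
The banner-based scanner produces a false positive (its version rule fires on a
server whose fix was back-ported) and a false negative (an authorization flaw
no signature can express). The manual tester verifies the one and finds the other.
"""
from dataclasses import dataclass, field
from typing import Optional
import posixpath

# --- hypothetical target application -------------------------------------------
BANNER = "ExampleHTTPd/1.2.3"   # version string the server advertises (constructed)

# Invoices owned by different customers; the API returns any of them to any
# logged-in user (the intentional IDOR the tester will find).
INVOICES = {101: {"owner": "alice", "total": 1200}, 102: {"owner": "bob", "total": 350}}
STATIC_FILES = {"/static/index.html": "<html>hello</html>"}


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def handle(path: str, user: Optional[str] = None) -> Response:
    """Minimal request handler. The path-traversal fix (path normalisation) is
    present even though the banner still says 1.2.3, mimicking a back-ported patch."""
    headers = {"Server": BANNER}
    if path.startswith("/static/"):
        clean = posixpath.normpath(path)          # collapses "../" segments
        if not clean.startswith("/static/") or clean not in STATIC_FILES:
            return Response(404, "", headers)
        return Response(200, STATIC_FILES[clean], headers)
    if path.startswith("/api/invoices/"):
        if user is None:
            return Response(401, "", headers)
        inv = INVOICES.get(int(path.rsplit("/", 1)[1]))
        # BUG (intentional): the invoice owner is never compared with `user`
        return Response(200, str(inv), headers) if inv else Response(404, "", headers)
    return Response(404, "", headers)


# --- hypothetical banner-based scanner ------------------------------------------
# Constructed rule: ExampleHTTPd below 1.2.4 is "vulnerable to path traversal".
SCANNER_RULES = [("ExampleHTTPd", (1, 2, 4), "path traversal in /static")]


def parse_version(banner: str):
    name, _, ver = banner.partition("/")
    return name, tuple(int(x) for x in ver.split("."))


def automated_scan() -> list:
    """Looks only at the banner: never sends a payload, has no notion of users."""
    name, ver = parse_version(handle("/").headers["Server"])
    return [title for prod, fixed_in, title in SCANNER_RULES
            if prod == name and ver < fixed_in]


# --- what a manual tester does instead ------------------------------------------
def manual_test() -> dict:
    """Verify the claimed finding by exercising it, and test authorization with
    two identities. Returns finding -> confirmed?"""
    traversal = handle("/static/../../etc/passwd").status == 200
    # Logged in as alice, request bob's invoice (broken object-level authorization).
    idor = handle("/api/invoices/102", user="alice").status == 200
    return {"path traversal in /static": traversal, "IDOR on /api/invoices": idor}


def compare() -> dict:
    scan = set(automated_scan())
    verified = {k for k, v in manual_test().items() if v}
    return {
        "false_positives": sorted(scan - verified),   # scanner said yes, reality says no
        "false_negatives": sorted(verified - scan),   # real, but invisible to the scanner
        "confirmed": sorted(scan & verified),
    }


if __name__ == "__main__":
    for kind, findings in compare().items():
        print(f"{kind}: {findings}")
```

Run stand-alone, the scanner reports the traversal issue and nothing else; the tester's requests show the traversal is blocked and that the invoice endpoint hands out other customers' data. The point is the shape of the two approaches, not the toy rule: a scanner matches strings, a tester asks whether the application does something it should not.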
2. What types of penetration testing are offered?
There are pentest providers on the market who have "specialized" primarily in web applications, or who "only" try to break into the company using automated vulnerability scans or social engineering. Specialisation sounds like a plus, but here it is not. A good provider has staff competent enough to work their way into testing a REST API or an IoT device, for example, without difficulty. If a tester's technical limit is spotting an SQL injection with an automated tool, it is the wrong penetration tester and ultimately the wrong company.
3. What percentage of revenue comes from penetration testing?
This is essentially a trick question, meant to strike providers off the list that merely offer penetration testing "on the side" on their website. Unfortunately there are quite a few of them, and the quality of a penetration test is usually better when tests are carried out regularly and are the provider's core business. If the provider states that penetration testing accounts for less than a third of its turnover, it is advisable to choose another one. A share of 75% or more is certainly desirable. A figure of 100%, on the other hand, is fairly unrealistic: a pentesting provider always receives classic consulting requests as well, or is commissioned by customers to carry out forensic analyses.
Two questions that are typically asked are deliberately missing from this list of three:
- What certifications does the company have - is it ISO 27001 certified?
- What certifications do the penetration testers have - do you have the OSCP?
Both questions sound good and seem to make sense, but they are not very useful. A company's certifications say nothing about the quality of its service, least of all the commonly requested ISO 27001, which certifies the company's information security management system, not the skill of its testers. Personal certifications are a good argument for polishing a CV and impressing an HR department for the next job application, but in the end they say little about a tester's experience and the quality of their work.
binsec academy GmbH - Online IT Security Training with Practical Focus
binsec academy GmbH is a provider of online IT security training, offering practical, lab-based courses for professionals. The academy provides hands-on training in areas such as penetration testing and secure software development. Participants gain practical experience through realistic lab environments, including simulations of company networks and applications. Courses are available in multiple programming languages and align with standards such as the OWASP Top 10 and PCI DSS. Upon successful completion, participants receive certifications such as the Binsec Academy Certified Pentest Professional (BACPP) and Binsec Academy Certified Secure Coding Professional (BACSCP), demonstrating their ability to identify and remediate security vulnerabilities.
Go to binsec academy GmbH

binsec GmbH – Experts in Penetration Testing
binsec GmbH is a German IT security company focused on professional penetration testing. With over 10 years of experience, the team conducts in-depth penetration tests on networks, web applications, APIs, and mobile apps. Certified experts systematically identify and document security vulnerabilities to support organizations in improving their security and meeting compliance requirements.
Go to binsec GmbH