How Do I Select a Good Pentesting Company?
- Last Tower
- Jun 16
- 3 min read
Updated: Jul 1

Frameworks, Credentials, and Certifications
Frameworks, credentials, and certifications are vital indicators of a pentesting company's expertise and professionalism. Professionals who hold recognized certifications have demonstrated that they meet industry standards for ethical hacking, and a reputable provider should staff engagements with certified testers who follow established best practices.
Key Certifications to Look For:
CREST (Council of Registered Ethical Security Testers): CREST is an international accreditation body for penetration testing organizations. CREST-accredited companies follow strict ethical guidelines and quality assurance processes, and their individual testers hold CREST certifications.
OSCP (Offensive Security Certified Professional): OSCP is one of the most respected certifications in penetration testing. It certifies the ability to conduct thorough and effective testing and to identify real-world security issues.
CEH (Certified Ethical Hacker): This certification indicates that an individual has a deep understanding of hacking techniques and of the legal frameworks that govern ethical hacking. It is a solid indicator that the company's staff can identify and exploit vulnerabilities in a controlled, authorized manner.
Ensure that the pentesting company follows established frameworks like:
OWASP (Open Web Application Security Project): OWASP is widely recognized for its guidelines for securing web applications. A pentest provider that follows OWASP standards is focused on the most critical vulnerability classes in web apps.
NIST (National Institute of Standards and Technology): NIST frameworks and guidelines (in particular NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment) are comprehensive standards for securing information systems. A company that adheres to NIST's principles follows a methodical, standardized, and repeatable approach to penetration testing.
Customized Scope of Work
A one-size-fits-all approach to penetration testing is insufficient and can miss vulnerabilities specific to an organization's infrastructure or industry. A reputable pentest provider will create a customized testing plan tailored to your organization's unique needs.
What to Look For:
Understanding Your Business: A good provider will first seek to understand your business operations and unique risks. This includes understanding specific attack vectors, critical assets, and regulatory requirements.
Tailored Methodology: They should design the scope of the pentest around your company's architecture, including web apps, mobile apps, network infrastructure, cloud services, IoT devices, and endpoints. Where appropriate, the scope may also include social engineering testing.
Avoiding Generic Testing: Beware of companies offering basic vulnerability scans without a thorough assessment of your organization’s unique context. Generic approaches are less likely to uncover subtle or sector-specific risks.
Transparency and Communication
Clear communication and transparency are key to a smooth, efficient, and actionable penetration test. A reliable provider will be open about the engagement from initial scoping to final reporting, and will provide regular updates while testing is under way.
Clear Testing Methodology: The provider should define their testing methodology in detail, including the types of testing (black-box, white-box, or grey-box), tools, and techniques they will use.
Defined Timelines: Clear timelines for testing and deliverables should be established upfront to prevent any misunderstandings or delays.
Regular Updates: The provider should communicate progress and issues encountered, so your team is informed of any critical findings immediately.
Actionable Reporting: After testing, the provider should deliver a comprehensive, well-structured report that explains findings, outlines the severity of vulnerabilities, and offers remediation guidance. Actionable insights are essential for effective risk management.

Experience and Industry Specialization
Some penetration testing companies specialize in specific industries or technology stacks, and this can be crucial for identifying risks that are unique to your organization. For instance, financial institutions or e-commerce platforms face distinct security challenges and regulatory compliance requirements.
Sector-Specific Knowledge: A company experienced in your industry will better understand the specific threats and compliance requirements (HIPAA in healthcare, PCI DSS for payment card systems, GDPR in the EU). They can tailor their tests accordingly and provide more relevant insights and recommendations.
Familiarity with Regulations: For example, if you are in the healthcare sector, ensure the provider understands HIPAA and the security practices necessary to protect sensitive health information. Likewise, for financial institutions, familiarity with FINRA or other financial regulations would be beneficial.
Ongoing Support and Retesting
Penetration testing is not a one-time activity; it should be part of an ongoing security strategy. A good pentest provider will conduct the test and also offer retesting to verify that the remediation measures you took were effective.
Post-Test Support: Ensure that the provider offers post-test support, such as remediation advice, risk mitigation strategies, or consultations to help your organization address identified vulnerabilities.
Retesting Services: Vulnerabilities may reemerge or new ones may arise. A provider that offers retesting can help ensure your systems remain secure over time.
To select a good pentest company, focus on the provider's credentials, customized scope, transparency, experience, and reputation. Doing so lets you choose a provider that meets your organization's security needs. The right provider will not only identify vulnerabilities but also help you strengthen your overall security posture.