When choosing a product or service, we all want to ensure that we are getting the best possible deal. It is no different when choosing a penetration testing company for your business. After all, you’re about to entrust them with your most sensitive data and allow them access to your systems.
You want to ensure that you are working with a reputable, certified cyber security company that will be able to provide you with the right level of security assessment and advice.
So, how do you choose the right penetration testing company for your business?
Let’s take a look.
Define your needs
Before you start looking up pen testing companies, you first need to define what your needs are. What type of assessment do you need? What are your business goals? What do you hope to achieve from the assessment?
Without knowing all this beforehand, it will be difficult to determine which company is right for you. Even the companies you do contact will have a hard time quoting an accurate price or providing an objective assessment without this information.
So make sure that you are clear on what you need before proceeding any further.
Look for creativity
Checklists are an important part of every pen test. Checklists ensure that every step of the process is followed and that no stone is left unturned. However, a truly effective penetration testing company will also be creative in its approach.
They will not simply rely on checklists to get the job done; they will use their experience and expertise to think outside the box and find new ways to attack your systems. The provider you intend to work with has to make an effort to truly understand your business and the software (and hardware) you are using. Only by grasping the very core of your systems can they be effective in their manual vulnerability assessment.
Automated testing has a time and a place, but make sure that the company you choose is not too reliant on it.
Check certifications and experience
When looking for a penetration testing company, you want to ensure that they have the relevant certifications and experience. The Certified Information Systems Security Professional (CISSP) certification is a good place to start. It is recognized globally and demonstrates that the company has a high level of expertise in the field.
Other relevant certifications include the GIAC Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP), and PECB Lead Penetration Test Professional.
Experience is also important, as it shows that the company has been in business for a while and has a good understanding of how to perform a penetration test.
During your first call with your potential pen tester, the conversation should be a two-way street. For example, say that your software is hosted on AWS (Amazon Web Services). The tester should be able to ask pertinent questions about your infrastructure, such as whether you leverage s3 for storage, if your authentication is backed by Cognito, and similar.
Typical scoping questions, such as how many lines of code you have, are a good start, but they shouldn’t be the only questions the tester is asking.
Ask about reporting
One crucial thing to remember is that a pen test report shouldn’t just detail the areas of your system that were found to be vulnerable to a potential cyber-attack. It should also include suggested mitigations and solutions so that you can fix the issues that were discovered.
Make sure that the company you choose can provide you with a detailed report that is easy to understand. The information should also be updated as your systems change so that you always have a record of the latest tests performed.
During your initial call, you could ask for examples of sample reports to get a better idea of what to expect.
Look for a good reputation
A good reputation is essential for any company, especially true for penetration testing companies.
Make sure to do your research and read reviews from past clients. This will give you a good idea of what to expect from the company and whether they are a good fit for your business.
Don’t forget to ask your business partners, colleagues, and friends if they have any experience with penetration testing companies. They may be able to recommend someone reputable and trustworthy.
Be prepared to pay
Penetration testing is not a cheap endeavor, and you should expect to pay a fair price for the services you receive.
However, this does not mean that you should choose the first penetration testing vendor that you come across. Take the time to compare quotes from several companies and ensure that you are getting good value for your money.
Think long term
Finally, remember that you want to choose a company that you can work with long term. A single penetration test will tell you only so much about your systems, and you will likely need to work with the company on an ongoing basis to ensure that your systems are always secure.
Consider the factors that are important for a long-term business relationship, such as trust, communication, and a shared understanding of your security goals.
You want to be comfortable with the company you choose, and you should feel confident that they are the right partner for your business.
One tester vs. a group of testers
In recent years, there has been a rise in the popularity of different kinds of penetration testing companies.
Rather than contracting a single pen tester, businesses are now choosing to work with a team of penetration testers. This has several advantages over working with a single tester:
- The team is able to work faster, as they can divide the work among themselves.
- There is less chance of human error, as the team is able to check each other’s work.
- The team has a broader range of skills and experience, which allows them to cover more ground.
But this model does not come without certain fundamental flaws. The sole fact that the payment has to be divided among a group of testers often means that the testers working in a team are not the best of the best. Furthermore, a team is only as strong as its weakest member, so if one team member is not up to par, it can hurt the entire project.
If you’re weighing your options between a single ethical hacker and a team of testers, it’s important to consider the pros and cons of each option. Evaluate the testers you will be working with and whether or not they’re trustworthy, qualified, and have a good reputation. And most importantly, be sure to ask the right questions during your first call to get a good understanding of what to expect from the tester(s).
Can I do my own penetration tests?
If you’re not sure whether you need a penetration testing provider, you might be wondering if you can perform your own tests.
The answer is yes, you can, in theory. But it’s important to note that this is not a simple process. It takes a lot of time and effort to learn how to perform a penetration test and even more time and effort to keep up with the latest security trends.
In addition, unless you’re an expert in cyber security testing, you’re likely to miss some of the more subtle vulnerabilities that can be exploited.
This is why it’s often better to leave the job to the professionals and focus on your business instead. After all, your time is best spent running your business, not trying to learn how to hack it.
Final tips & tricks
- Don’t expect to find the right company via email only. To truly get a feel for a company, you need to have at least one conversation with them, typically an introductory meeting.
- Don’t be afraid to ask questions. The more you know about a company, the better you’ll be able to judge if they’re right for you.
- Be prepared to discuss project details. This may be sensitive information for your business, so ensure that a mutual NDA is in place before discussing anything in detail.
- Don’t be afraid to ask for references. A good company will be happy to provide them.
Conclusion
Choosing the right company to perform penetration testing for your business can be daunting. But by following the simple advice outlined in this article, you can make sure that you’re choosing a company that is reputable, trustworthy, and fits well with your business needs.
Remember to ask the right questions during your first call with the company, and be prepared to pay a fair price for their services. You are building a long-term relationship with this company, so do your due diligence and choose wisely.
And lastly, remember that you don’t have to do it alone – if you’re not sure whether pen tests are the right step for your business, consult with a professional.
We would be more than happy to help you out – contact us today for a consultation and ask us any questions you might have!