Mitnick Security Blog - Cybersecurity News and Articles

5 Questions To Ask When Evaluating a Penetration Testing Company

Written by Mitnick Security | Jul 27, 2023 3:14:16 PM

Whether your organization has been the victim of a recent data breach or has never had expert penetration testing done before, it’s probably time to call in cybersecurity experts. The right cybersecurity company can help you identify the strengths and weaknesses of your networks and systems so you can improve your security posture and stay ahead of threat actors. 

One way they can help is through penetration testing. A penetration test can identify your network vulnerabilities so you can remediate them and decrease risk — but which cybersecurity expert should you hire to run it? Below, we’ll discuss the five questions to ask (and what answers to look for) when evaluating a penetration testing company.

5 Questions To Ask Penetration Testing Companies

When vetting pentesters to uncover your enterprise’s weaknesses, whittle down your list by asking these questions:

1. What Type of Penetration Testing Do You Specialize In?

Not every penetration testing company has the experience and knowledge to handle all types of penetration tests. It’s crucial to ask each cybersecurity vendor what types of pentesting they perform, and to identify which type of test your business actually needs.

Some penetration testing types include:

While some pentesters focus only on your external network — using open source intelligence (OSINT) to find a way in — others focus on your internal network, for example by using social engineering tactics to execute an attack from the inside.

You should look for a vendor that not only offers the pentest(s) your business needs, but is also highly qualified and experienced in performing them.

2. How Much Do Penetration Tests Cost?

There are a lot of variables that can impact the cost of penetration testing, including the size of your organization, the vendor’s experience, and the scope of the test.

When choosing the right penetration testing company for you, establish a budget that works for your specific company. It should be noted, however, that cybersecurity is not an area to pinch pennies. In fact, in 2022 alone, over 8 million phishing attacks were launched on companies worldwide, with the estimated cost of hacking equating to over $8 trillion.

While you should have a set budget, you shouldn't skimp on what pentesting service you choose. “You get what you pay for” couldn’t be a more relevant adage, and by underspending for vital cybersecurity services, you could be paying a lot more for remediation and recovery, not just an upfront cost for pentesting services.

3. What Certifications Does Your Company Hold?

When looking for the right vendor, there are many cybersecurity certifications that can show you the level of professionalism and experience you can expect from a penetration testing company.

Respectable certifications include:

  • EC-Council’s Certified Ethical Hacker (CEH)
  • GIAC’s (Global Information Assurance Certification) Penetration Tester Certification (GPEN)
  • CompTIA’s PenTest+
  • Offensive Security Certified Professional (OSCP)

While the CEH and GPEN certifications are entry-level, CompTIA’s PenTest+ is considered an intermediate certification. Only the more experienced companies will hold the advanced certification, the OSCP. If a newer company is just starting out and doesn’t yet have higher-level certifications, it may not yet be able to handle the cybersecurity needs of larger companies.

You should also look for a vendor who has 100% success rates for their types of pentesting methods. A penetration testing company that has a high success rate in their tactics will give you the most bang for your buck and ensure every cybersecurity box is checked during the pentest.

4. What Does Your Penetration Testing Process Look Like?

The penetration testing process looks different for every company, so it’s crucial to identify your cybersecurity needs up front. Understanding how a company conducts its test will help you determine whether it is the right fit for your organization.

While the details of the pentest process will differ from vendor to vendor, it should include the following phases:

  • Planning Phase: This is when the scope of your pentesting assessment will be defined, including the timeline of the assessment, how many servers and devices will be involved, the types of tactics that will be used, and more.
  • Pre-attack Phase: During this phase, your pentesting provider will discuss details, such as the pentesting engagement process, what you should expect, and the parameters and rules of engagement to not disrupt your operations.
  • Penetration Attack: During this phase, the pentest provider carries out a simulated attack against your organization, following the established rules of engagement.
  • Penetration Testing Report: After the pentest, you should receive a report that explains any gaps in your security posture and what remediations are recommended to give you the best next steps.

5. What Does Your Penetration Testing Report Include?

A detailed report with actionable steps is the most important deliverable of a penetration test. A comprehensive penetration testing report should include:

  • A summary of the penetration test
  • A detailed walkthrough of the engagement
  • A list of recommendations to mitigate the identified risks

When choosing the right vendor for your business, it’s vital that they provide this information to you. Without it, you’ll have little to no insight into how to improve your cybersecurity or which preventive measures can help you avoid devastating damage to your company. Ask vendors what their pentesting report includes and whether they provide their findings to you after the test is complete.

Identify Risks, Avoid the Consequences With the Top Pentesting Service

Penetration testing can be one of the most beneficial components of your cybersecurity protocol — if you work with an experienced penetration testing company that puts your organization’s needs first.

Mitnick Security has a 100% success rate when it comes to utilizing social engineering for pentesting and has the top cybersecurity team in the entire world — The Global Ghost Team™.

Find out how the right penetration tests can keep threat actors out and your private data safe by exploring more about pentesting services at Mitnick Security.