6 Questions to Help Pick Your Penetration Testing Provider


You know that penetration testing is an important part of ensuring the security of your organization, allowing you to protect vital customer information and secure your systems from attackers. Choosing the right penetration tester, therefore, is paramount. You want a penetration tester who will uncover critical vulnerabilities in your system and provide you with the information you need to increase your overall security.

Here are 6 key questions to ask your penetration testing provider:

1. Which certifications are held by your specialists?

There are many pentesting certifications that specialists can use to refine their skills. Whether it’s CEH (Certified Ethical Hacker), CISSP (Certified Information Systems Security Professional), CCSP (Certified Cloud Security Professional), OSCP (Offensive Security Certified Professional) or LPT (Licensed Penetration Tester), each certification brings its own set of skills and techniques that help testers in their assessments. Before choosing your penetration testing service provider, ask which certifications their specialists hold. This will give you a better idea of the expertise they bring to the table, as well as the cybersecurity standards they chiefly follow as a company. You may also want to ask who will actually be conducting your test and which certifications are held, for example, by the junior members of their team.

2. Which penetration testing methodologies do you leverage?

When you pick a penetration testing service provider, you want to be sure they’ll deliver concrete, actionable results. To get a glimpse of the quality of their tests, ask about their testing methodologies. Picking the right provider comes down to two key elements:

  1. The company has a structured approach to penetration testing. They have well-established and documented practices to effectively and consistently identify vulnerabilities in any given test. You also want to know that the penetration testing service provider will not mistakenly crash your systems by running their scans without precaution or using tools that pollute your database and cause denial of service.
  2. The company uses a fair mix of automated tools and manual methods. If the company only uses automated tools, you’re actually paying for a test your IT team could have done themselves — and make no mistake: They will miss high-severity vulnerabilities hackers could readily exploit. Learn more about how automated tools miss critical vulnerabilities identified by manual tests.

You also want to understand how the company approaches penetration testing as a whole. They might, for example, use the OSSTMM (Open Source Security Testing Methodology Manual) methodology: A peer-reviewed security manual that provides best practices for network security assessments. They might choose to use OWASP (the Open Web Application Security Project) methodology, the most recognized framework for application security as a whole. Learn more about the top penetration testing methodologies and why they are important. In order to get the most out of your test, you should make sure they leverage recognized methodologies.


3. Will your tests impact our usual operations?

Penetration tests, in spite of their necessity, are still a simulation of a cyberattack on your systems and applications. Depending on how rigorous or experienced your provider is, penetration tests can cause numerous inconveniences for your team and service disruptions for your customers. You want to work with a company that understands the potential hazards, has the necessary measures in place to mitigate any testing impact, and will work with you to ensure that no downtime or inconvenience occurs during the test. You may also want to take this opportunity to advise your penetration tester about any sensitive areas where testing could disrupt your business. An experienced pentester is expected to identify and safely exploit vulnerabilities within your system without causing any harm or denial of service.

4. Do you outsource your projects?

When you work with a penetration testing company, you want to know who you’re working with. It is highly recommended to look for a company that does the work themselves, rather than outsourcing it to contractors. Over the course of the test, the specialists in charge may stumble upon highly sensitive data or identify vulnerabilities that could have a severe impact on your business. When projects are outsourced, many challenges arise when it comes to confidentiality and accountability. Trusted providers and experienced companies vetting their candidates require a thorough background check for each of their testers; they also use various measures to ensure the confidentiality of your data, the consistency of their deliverables, and the documentation of each step taken by the specialist.

5. What does your report cover?

The penetration testing report is the most important part of the assessment. To ensure that you are getting the most out of your investment, you need to be certain that it will allow you to fix any vulnerabilities that are identified. Among the various items you should find in a pentest report, you should expect an executive summary of the report for less tech-savvy stakeholders as well as a technical section detailing the extent of each vulnerability, steps for your team to replicate them, and adapted recommendations to fix them. A solid report also includes a risk assessment score so you can prioritize each vulnerability and put together an action plan.

6. Will you help me fix my vulnerabilities?

Finding vulnerabilities is only one portion of what you’re looking to accomplish with a penetration test. When you’re hiring a plumber, you’re expecting more than a report explaining how your pipes are clogged. For pentesting, you should hire a company that not only presents their findings and lists actionable recommendations with external references, but also provides post-test support to help your team fix these vulnerabilities. This includes re-testing any critical/high-severity vulnerabilities to validate the implementation of the recommended corrective measures. As you’re looking for a penetration tester, be sure to ask how they will help fix your vulnerabilities.

In Conclusion

When you’re ready to hire a penetration tester, make sure you’re asking the right questions to pick a reliable provider. By including these questions as part of your screening process, you will choose a company that delivers a sound return on your investment.

A penetration test is a simulated hacking attempt that identifies opportunities for real hackers to break through your defences and perform various malicious acts. It generally leverages tools used by hackers and various professional methodologies to replicate the steps that modern hackers would take to intrude into your IT systems.

A pentest attempts to exploit your vulnerabilities to determine their potential impact, should they be used in a real hacking scenario. They provide a list of vulnerabilities with their respective level of severity, as well as technical recommendations to help your team apply corrective measures and focus on the most critical vulnerabilities.

These services allow your organization to answer the following questions, among several others:

  • Can a hacker gain access to any sensitive information?
  • Can a hacker hijack my technologies for any malicious acts?
  • Could a malware infection spread through the network?
  • Can an attacker escalate access to an administrative user?


There are many contexts in which a penetration test should be performed.

Here are some common use cases for a pentest:

  • As part of the development cycle of an application. (To test the security of a new feature/app)
  • To comply with security requirements. (3rd-parties, PCI, ISO27001, etc.)
  • To secure sensitive data from exfiltration.
  • To prevent infections by malware. (Ransomware, spyware, etc.)
  • To prevent disruptive cyberattacks. (Such as denial of service)
  • As part of a cybersecurity risk management strategy.

All businesses are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, we generally recommend that quarterly tests are performed.

Various steps are taken over the course of the project to prevent the potential impact of our tests on the stability of your technological environment and the continuity of your business operations.

For this reason, a communication plan is put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization is identified to act as the main point of contact, ensuring rapid communication in the event of a situation directly affecting your daily operations, or if any critical vulnerabilities are identified for which corrective measures need to be implemented quickly.

While we use a simple four-level risk rating approach (Critical, High, Moderate, Low), our risk assessment is actually based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when assessing the risk level of each vulnerability:

  • Potential impact: The potential impact of an attack based on the vulnerability, combined with its effect on the availability of the system, as well as the confidentiality and integrity of the data.
  • Exploitability: The potential exploitability of the vulnerability; a vulnerability that is easier to exploit increases the number of potential attackers and thus the likelihood of an attack. Different factors are considered when evaluating the exploitability of a vulnerability (e.g. access vector, authentication, operational complexity, etc.).
