When you decide to execute a pen-test it’s important that the service is done right. A successful test will contribute to the overall security of your organization. A poorly done test not only fails to prevent threats, but may actually cause damage.
1. The Vendor’s Top Selling Point is their Proprietary Technology
Tools are important components to any pen test, but their role is limited to running searches for pre-identified vulnerabilities. What distinguishes penetration testing from simple vulnerability scanning is the human touch. Experienced technicians carefully review data from tools and use a ‘hacker mindset’ to identify the vulnerabilities in your specific deployment. A pen testing firm that doesn’t make the knowledge and experience of their technicians a central part of their marketing presents a red flag. Technology-agnostic firms, that aren’t tied to leveraging and up-selling their own proprietary tools, are often in a better position to expose threat actors that involve strategies that the proprietary technology alone my not be able to respond to efficiently.
2. Their sample reports are packed with technical jargon
The best penetration test vendors will create a tailored report for your unique environment. The report shouldn’t be wrought with technical jargon, undecipherable to leadership. Recommendations and vulnerabilities in the report should be described clearly enough that any technical experts can easily share the risk factors and needs with your management. The ability to truly overcome vulnerabilities, of course, includes technical needs, but a business case must also be apparent to properly advocate a priority and budgetary needs.
3. The company boasts about certifications, not real-world experience
When it comes to vetting the best penetration testing vendors, experience is key. Does this mean certifications? Yes. But, experience is just as important. Look for a firm staffed by technicians with a minimum of five years direct experience in the specialty relevant to your assessment.
No pen tester has experience working with every possible testing environment. There are hundreds of testing scenarios, so if a vendor attempts to convince you they do, be skeptical.
It’s important to understand your requirements and ensure your penetration test vendor is fully acquainted with all the technical requirements and programming languages needed for your engagement. For this, it’s a good idea to have a member of your IT team sit down with the provider for a discussion about the project. Choosing an experienced pen-tester over a novice could decide whether a test is successfully executed or crashes your network.