Choosing a Pentesting Vendor

Experienced and Vetted Staff

A client’s network, services, and resources should not be used as a penetration tester’s training ground. The penetration tester(s) should be knowledgeable and experienced, with appropriate training and certifications for the types of testing being performed. Additionally, the penetration tester(s) should be adequately vetted, including background checks, to help ensure the safety and security of both the penetration testing company and its clients.

Penetration Testing Should Include Manual Testing

Automated scanners are valuable tools during a penetration test, but they can miss important findings and may also return false positives. A penetration tester should always perform manual testing and verify all findings to ensure that they are accurate and complete.

Detailed Scope and Rules of Engagement (RoE)

There should be a clear scope and rules of engagement (RoE) established and agreed upon before testing begins. This will help to detail and clarify what resources should be tested (web application pen tests, network penetration testing, physical pen testing, etc.), what methodologies and testing steps may be taken, and how and when those steps may be executed over the course of an engagement.

Consistent Penetration Testing Methodologies

The company should follow appropriate penetration testing methodologies and industry standards. This will help to ensure that a test is performed consistently and completely with repeatable results.

Specialization is Key

Information security is an extremely broad field that changes every day. While there may be some overlapping skill sets among individuals in the industry, specialization can help to ensure expertise in specific service areas and may result in higher-quality testing and results.

Communication and Reporting During A Pen Test

The penetration tester(s) should communicate clearly and often throughout the testing process. This keeps stakeholders up to date as testing is performed and aware of any critical discoveries. A clear written report should be a requirement for any penetration test; it should include details and evidence of the vulnerabilities discovered, how and where they were discovered, and recommendations for remediation.

Reputation and Values

A penetration testing company should be professional and reputable within the industry, be willing to provide references and sample reports, and should always be respectful to the client.

Penetration Testing: Retesting

A penetration testing vendor should provide retesting services to confirm that a client’s remediation efforts were successful. Make sure that the company allows for retesting, and understand what its retesting policy does and does not include.

Data Security

Make sure that the penetration testing company has controls in place to keep sensitive client data safe and secure before, during, and after a test.

Liability Insurance

A penetration tester should always strive to do no harm to the network or services being tested. However, unexpected situations can occur and may result in unintended downtime. In the event that a disruption or data leak occurs as a result of testing, it is important to ensure that the penetration testing company is insured and can cover the resulting losses.

Schedule your appointment online or contact us today at 612-234-7848. Connect with RedTeam Security today to ensure your company is doing everything it can to protect your computer systems and your business integrity.
