Every penetration testing company will tell you they find vulnerabilities, write reports, and help you stay secure. The marketing reads the same. The work behind it ranges from a senior engineer chaining flaws into a real breach to a junior running a scanner and reformatting the output. This guide helps you tell the two apart before you sign.
Start with the outcome you need
Before you compare vendors, get clear on why you are testing. The answer changes who you should hire. A test for a SOC 2 report has different evidence needs than a red team exercise to test detection, which is different again from a deep review before a product launch. A good provider asks this question first. A weak one sends a quote.
What to look for
- Senior people on the keyboard. Ask who actually runs the test, not who sells it. The seniority of the tester sets the ceiling on what they find.
- Depth beyond tooling. The flaws that most often lead to breaches, such as broken authorization and business-logic abuse, are invisible to scanners because they require understanding what the application is supposed to allow. Confirm the work goes further than running tools.
- Clear scoping. A serious provider scopes carefully and agrees rules in writing. Vague scope means surprises later.
- Reproducible reporting. Each finding should come with a proof of concept and steps to reproduce, including the exact request, payload, or command used, so your engineers can verify it, fix it, and confirm the fix on retest.
- A retest included. Fixing is half the job. A provider that retests the fixes stands behind the work.
- Relevant context. Experience with your sector and stack means less ramp-up and sharper findings.
- Communication. You want critical findings the moment they are found, not buried in a report three weeks later.
Credentials that signal competence
Certifications are not everything, but they are a useful filter. Hands-on exams such as OSCP and OSCE show that the individual testers can exploit systems, not just describe them. CREST is an accreditation body rather than a single exam: CREST accreditation means the company has passed an independent assessment, and CREST-certified testers have passed practical exams of their own. Methodology references such as the OWASP Web Security Testing Guide and the PTES show the provider works to a recognized standard rather than improvising, and mapping red team activity to MITRE ATT&CK (a catalogue of adversary techniques, not a testing methodology) lets you compare what was exercised against what your detections cover.
Red flags
- Price is the only thing they lead with. Cheap and shallow is the most expensive option once you are breached.
- The work is fully automated. If no human tests the logic and the authorization model, it is a scan, not a penetration test, whatever the proposal calls it (see: a scan is not a pentest).
- No retest is included. The fixes are where risk actually closes.
- Scope is vague, or was fixed before anyone spoke to you. Real scoping is a conversation about your environment and your goals, not a line item on a price list.
- They cannot show a sample report. You are buying the report. Ask to see one with client details removed.
- They promise to make you secure. Honest providers reduce risk and prove it. Nobody makes you breach-proof.
Questions to put in your RFP
- Who runs the engagement, and what are their credentials?
- What share of the work is manual versus automated?
- What methodology do you follow?
- What does the report include, and can we see a sample?
- Is a retest included, and within what window?
- How and when do you communicate critical findings mid-engagement?
- How do you handle our data, and is it deleted after the engagement?
Independence and trust
A penetration test gives an outsider deep access to your systems and produces evidence of your weaknesses. Trust matters as much as skill. Look for clear data handling, a willingness to sign an NDA, and a provider whose incentive is to find problems, not to upsell a product they happen to sell.
Buy the engineer and the report, not the logo on the cover page.
We staff every engagement with senior engineers, scope it with you directly, and include a retest. See how we work on our offensive security page, or book a scoping call.