Some thoughts on how to find that first penetration testing provider, since it's not always clear on what to look for if you've never gone through it yourself.
Cybersecurity Consultant | Penetration Tester | Speaker | Trainer | Conference Organizer | Offering pragmatic advice and candid discussions about cybersecurity to Scale-ups and SMBs.
Looking to start a penetration test for the first time? It can be daunting, that's for sure, as you may not be sure where to start! If you have a security team, they may have past experience with some vendors, or you may have some leads in your own network <cough, cough!> that you could reach out to. But if those don't work out, then good ol' Google can come to the rescue!

You'll likely find a lot of different services out there, so you may go with the top 5, ask for some quotes, and then proceed to have a few calls with some of them to get an accurate quote. Is this a pain? Yes, but the reality of the situation is that not all software is created equal, and there may be unique challenges for your particular situation. Is it a SaaS application? Are you testing cloud infrastructure? An internal network with social engineering/phishing testing? Mobile applications? API endpoints? There are multiple factors that make a one-size-fits-all pricing model difficult. Most firms just want a quick chat to discuss scope and review any apps/APIs that you want to have tested. At EliteSec Cyber Security Consultants, Inc., we use a standard questionnaire to gather information if we don't get enough detail from a short discussion with the prospect, so that we can scope the level of effort appropriately.

So, quote in hand, you're ready to select, right? Not yet. At least you shouldn't pull the trigger yet. Have you asked about their process? Do you know what the final report will look like? Do they have a sample to share with you? Does the sample reflect the type of testing you need? Remember, you may be paying for a penetration test, but it's the final report that's the tangible deliverable you're going to get, so is it worth it?

Some things to look for in a "good" report:

- Is there an executive summary that outlines the risk to the company based on the results?
- Are there sufficient technical details for technical staff to verify and replicate findings?
- Are there recommendations on remediation steps for findings?
- Is there a justifiable severity rating associated with the findings, or are these subjective, based on the tester's intuition without justification?
- Are there any additional resources for findings?
- Are there any recommendations on what should be addressed first versus what can wait?

These are just some highlights to be aware of and look out for, but the point is that there is more to a successful pentest provider than just cost. Quality matters.

Be honest with the companies you reach out to. If you have a fixed budget, let them know. Some firms can adjust pricing if competing firms are cheaper, but only to a point. There comes a point where the effort isn't worth the price, as there are costs involved for the testers as well.

There are many more factors for sure, but hopefully this is a good starting point of things to consider if you're looking for someone to do a penetration test for your company.