Byte Optimizer

How to Choose a Penetration Testing Company (What Actually Matters)

TL;DR

Choosing a penetration testing company comes down to evidence, not marketing: proof that humans do the testing, proof-of-exploit on critical findings, a report your engineers can act on, and a retest that closes the loop. The scoping call is your best preview of the engagement, because a vendor that quotes without questions will test without curiosity.

  • Ask for a sanitized sample report before signing anything; it is the single most revealing artifact a vendor can show you.
  • Confirm the retest policy in writing: included, billed separately, or missing changes both the true cost and the value.
  • If the test feeds a SOC 2 or ISO 27001 audit, verify the evidence will map to your controls before you buy.

Every penetration testing company's website says roughly the same thing: experienced testers, deep expertise, actionable reports. The websites will not help you choose. What separates a strong firm from a scan reseller shows up in the artifacts and the process: the sample report, the scoping call, the retest terms, and how findings are proven. This guide gives you the criteria that actually predict a good engagement, and a table of red flags worth walking away from.

Is the testing actually manual?

This is the most important question, because the bottom of the market is automated scans resold as penetration tests. Automation is genuinely useful for breadth and frequency, but it cannot find business-logic flaws, chain small weaknesses into an account takeover, or exercise judgment about your specific application. That difference is the entire reason you are paying for a pentest, and we unpack it in automated scanning vs manual penetration testing.

How to tell: ask what portion of the engagement is hands-on-keyboard, ask who specifically performs the testing, and ask the vendor to point to findings in their own sample report that a tool could not have produced. Vague answers to concrete questions are themselves an answer, and rarely a reassuring one.

Do critical findings come with proof-of-exploit?

A finding asserted is a debate; a finding demonstrated is a work item. Good vendors prove critical findings with reproduction steps, request and response evidence, and a record of exactly what data or functionality was reached. Without that proof, your team must re-verify every claim before acting, which quietly transfers the vendor's job onto your engineers. Ask directly: does every critical finding ship with proof-of-exploit, and do only verified findings make it into the report?

What does the sample report look like?

The report is the product you are actually buying, so ask for a sanitized sample before signing. Look for three layers: an executive summary a non-technical leader can read, a technical body with severity scoring such as CVSS and CWE, and line-by-line remediation guidance a developer can act on without a follow-up meeting. A report that reads like a tool export is a tool export. We walk through the full anatomy in what's inside a penetration test report.

What retest policy should you expect?

A test that ends at report delivery is half finished, because nobody has verified that your fixes actually closed the holes. Vendors differ widely here: some include the retest, some bill it as a separate line item, and some do not offer one at all. Confirm in writing whether the retest is included, what window it covers, and whether you receive a remediation letter documenting closure. Byte Optimizer includes the retest and remediation letter in every manual penetration testing engagement. Retest terms also change the real price of the engagement, which we cover in how much a penetration test costs.

What does the scoping call tell you?

The scoping call is a free preview of the engagement. A serious firm asks about your architecture, user roles, integrations, crown jewels, environments, and any compliance deadline, and it offers a mutual NDA before you share anything sensitive. An NDA should be standard practice, not something you have to request awkwardly. A vendor that produces a price without asking questions is pricing a package, not your application, and the testing will be equally generic.

How will the vendor communicate during testing?

Testing happens against live or staging systems over days or weeks, so communication is an operational matter, not a courtesy. Expect a named point of contact, agreed check-ins during the window, and immediate escalation if a critical vulnerability is found mid-engagement rather than a surprise in the final report. Ask two questions before signing: what happens when you find something severe on day two, and what happens if testing disrupts a production system? Good firms have practiced answers to both.

Will the evidence satisfy your auditor?

For many buyers the trigger is a SOC 2 or ISO 27001 audit, or an enterprise customer's security review. In that case the report has a second job: audit evidence. It needs documented scope, standardized severity scoring, remediation records, a retest, and an attestation letter you can share with customers without exposing technical detail. Ask the vendor how their deliverables map to your framework; firms that also do compliance work can map findings directly to your controls. We cover the mechanics in does SOC 2 require a penetration test.

Do certifications and team background matter?

Buyers commonly ask about industry certifications, and it is a reasonable screening question. But a certificate held somewhere in the company tells you less than the artifacts do: insist on knowing who will actually perform your test, and judge their work through the sample report and the scoping conversation. A brilliant firm where your engagement lands on an overloaded junior tester is not a brilliant engagement.

What are the red flags, side by side?

Red flagWhat good looks like
Package priced before any scoping questionsA fixed quote produced after a real scoping call about your systems
Sample report reads like a scanner exportFindings with reproduction steps, proof-of-exploit, and specific remediation guidance
Retest missing or billed as a surprise extraRetest and remediation letter included and confirmed in writing
"Proprietary methodology" with no detailTesting aligned with recognized frameworks plus written rules of engagement
Silence between kickoff and report deliveryNamed contact, agreed check-ins, immediate escalation of critical findings
No NDA offered before sensitive details are sharedMutual NDA signed before any artifact changes hands

Frequently asked questions

What should I ask a penetration testing company before hiring them?

Five questions do most of the work: who exactly will perform the testing, what portion of the work is manual, can you see a sanitized sample report, is the retest included in writing, and how are critical findings escalated mid-engagement. The answers, and how concretely they are given, predict the engagement better than any brochure.

How do I know if a sample pentest report is good?

Check for three layers: a plain-language executive summary, technical findings with CVSS and CWE scoring, and remediation guidance specific enough that a developer could start fixing without a meeting. Then look for proof-of-exploit on the serious findings. Generic descriptions and boilerplate risk text with no evidence of manual exploitation mean you are reading a tool export.

Should the vendor sign an NDA before scoping?

Yes, and a good vendor offers one unprompted. Scoping requires you to describe your architecture, user roles, and weak points, which is exactly the information you least want circulating. A mutual NDA before any artifact is shared should be the default. A vendor that hesitates over routine confidentiality is telling you how they will treat your findings.

Does the cheapest quote ever make sense?

Occasionally, when the scope is genuinely tiny, but treat a large gap between quotes as a signal that vendors are pricing different products. One is scoping days of manual effort; another is scheduling a scan. Compare what each quote includes, especially manual depth, proof-of-exploit, and the retest, before comparing the numbers themselves.

Was this useful?
Loves help us write more like this.

Comments

0 discussions
Be kind. Cite sources. No spam.

No comments yet. Be the first to share your thoughts.