How to Choose a Penetration Testing Provider

Selecting the right penetration testing provider is a decision that directly impacts your organisation's security posture. A good pen test uncovers vulnerabilities that automated tools miss, validates your defences against real-world attack techniques, and provides actionable remediation guidance. A poor one gives you a false sense of security.

This guide covers what to look for, what to ask, and what to avoid — based on our experience evaluating and ranking dozens of penetration testing providers across the industry.

Accreditations: The Most Reliable Quality Signal

Accreditations exist because penetration testing quality is otherwise difficult to evaluate upfront. Any firm can claim expertise, but accreditations require demonstrated competence verified by an independent body. Here are the ones that matter most:

CREST

The international accreditation body for penetration testing. CREST member companies must employ certified testers who have passed rigorous practical exams, and member companies themselves undergo regular audits. Widely recognised across the UK, Europe, APAC, and increasingly in North America.

CHECK

A UK government scheme operated by the NCSC (National Cyber Security Centre). CHECK-approved companies can test government systems. Requires CREST-level tester certifications. Essential for any UK public sector engagement.

CBEST

A Bank of England framework for threat intelligence-led penetration testing of financial institutions. Only the most capable providers hold CBEST status. Required for many UK financial services penetration tests.

ISO 27001

An information security management standard. While not specific to penetration testing, it demonstrates that the provider has mature information security processes — important when you're trusting them with access to your systems.

SOC 2

Relevant primarily in US markets. A SOC 2 report attests that the provider's controls for handling customer data securely have been independently audited. Particularly important for SaaS and cloud-focused testing engagements.

Questions to Ask Before You Sign

A reputable provider will answer these questions transparently. Evasive or vague responses are a red flag.

  1. Who will actually perform the testing? Senior testers find more issues. Ask about their certifications (OSCP, CREST CRT/CCT, GPEN, GXPN) and years of experience. Some firms bid senior staff but deliver juniors.
  2. What methodology do you follow? Look for recognised frameworks: OWASP Testing Guide for web apps, PTES for general methodology, or CREST standards. Custom methodologies should be documented and available for review.
  3. What does the report include? You should receive an executive summary, detailed technical findings with evidence, risk ratings, and specific remediation steps. Ask for a sample report (redacted) before committing.
  4. Is re-testing included? After fixing vulnerabilities, you need verification that the fixes work. Some providers include one re-test; others charge separately. Factor this into your total cost comparison.
  5. How do you handle critical findings during testing? Good providers will notify you immediately of critical vulnerabilities rather than waiting for the final report. Agree on communication protocols upfront.
  6. Can you share references from similar engagements? Industry experience matters. A provider who regularly tests financial services applications will approach the work differently than one whose experience is primarily in retail.
  7. What's the split between manual and automated testing? Automated scanning alone is not a penetration test. A thorough engagement should be primarily manual with tools supporting the process, not the other way around.

Red Flags to Watch For

Not every provider delivers what they promise. These warning signs suggest you should look elsewhere:

  • No named testers or certifications. If the provider can't tell you who will test and what qualifications they hold, testing quality is a gamble.
  • Dramatically lower pricing. Penetration testing requires skilled human effort. Quotes 50%+ below market rate typically mean less time, junior testers, or heavy reliance on automated tools.
  • Reports that read like scanner output. If deliverables are mostly Nessus or Burp scan exports with a cover page, you're paying for a vulnerability scan, not a penetration test.
  • No clear scoping process. Good providers invest time in understanding your environment before quoting. A flat-rate quote without discovery calls suggests a one-size-fits-all approach.
  • Reluctance to share methodology. Reputable providers are transparent about how they test. Secrecy around methodology is a red flag, not a competitive advantage.
  • No re-testing option. A provider that doesn't offer re-testing may not be confident in the comprehensiveness of their initial findings.

What a Good Pen Test Report Looks Like

The report is the primary deliverable of a penetration test. A quality report should contain these sections:

Executive Summary

A 1-2 page non-technical overview for management and board-level stakeholders. Should clearly communicate overall risk posture, key findings, and recommended priorities.

Scope & Methodology

Detailed description of what was tested, what was excluded, the testing approach used, and any limitations encountered. This section establishes the boundaries and credibility of the engagement.

Technical Findings

Each vulnerability documented with: description, affected component, evidence (screenshots, request/response data), risk rating (typically CVSS), business impact, and specific remediation steps. Findings should be ordered by severity.

Remediation Guidance

Actionable, specific fix recommendations for each finding — not generic advice. A good report tells your developers exactly what to change, not just what's wrong.

Positive Findings

Controls that worked well and attacks that were successfully prevented. This helps stakeholders understand what's working and where investment has paid off.

Ready to find the right provider? Compare providers side by side or browse our full directory to evaluate providers by accreditations, services, pricing, and independent scores. You can also read our scoring methodology to understand how we evaluate providers.

Choosing a Provider — FAQs

What is the most important factor when choosing a pen testing provider?

Accreditations are the single most reliable signal of quality. CREST certification, in particular, requires rigorous technical examination and ongoing oversight. Beyond accreditations, look for providers whose testing methodology, industry experience, and team qualifications align with your specific requirements.

Should I always choose a CREST-accredited provider?

CREST accreditation is strongly recommended for regulated industries, financial services, and government work — and is often a procurement requirement. For lower-risk testing or internal applications, a non-CREST provider with strong individual certifications (OSCP, GPEN) and a solid track record can be a cost-effective alternative. Check your compliance requirements first.

How many quotes should I get for a penetration test?

Request 2-3 quotes from providers at different tiers. This gives you a sense of the market rate for your scope and helps you evaluate what each provider includes. Be wary of quotes that are dramatically cheaper than others — they may reflect reduced scope, automated-only testing, or inexperienced testers.

What questions should I ask before hiring a pen testing company?

Key questions include: What methodology do you follow (OWASP, PTES, CREST)? Who will perform the testing and what are their qualifications? What does the report include? Is re-testing included? Can you provide references from similar engagements? How do you handle critical findings discovered during testing? What's your approach to false positives?

How do I evaluate a penetration testing report?

A good report should include an executive summary for non-technical stakeholders, detailed technical findings with evidence (screenshots, request/response data), a clear risk rating for each finding, specific and actionable remediation guidance, and information about methodology and scope. If a report reads like automated scanner output with no context, the testing likely lacked depth.