How We Rank Companies

Transparency matters. Every provider listed on Pentesting Providers is scored using a consistent, repeatable methodology. We combine publicly verifiable data points into a composite score from 0 to 100.

No provider can pay for a higher ranking. Scores are calculated algorithmically at build time, with optional editorial overrides that are clearly marked. Below is the full breakdown of how scores are determined.

Scoring Overview

Each provider receives a composite score made up of five weighted categories. These weights reflect what matters most when evaluating a penetration testing company: professional accreditations carry the highest weight because they represent independently verified competence.

Client reviews come second, followed by three equally weighted categories covering team activity, company experience, and the breadth of services offered.

Accreditations & Certifications (30%)

Professional accreditations such as CREST, CHECK, CBEST, and ISO 27001. Each accreditation is individually weighted based on rigour and industry recognition. Team certifications (OSCP, CREST CRT/CCT, GPEN, etc.) provide additional bonus points.

Client Reviews (25%)

Average review rating (out of 5) accounts for 80% of this category. A volume bonus rewards providers with more reviews, reflecting broader market validation. Volume bonuses scale from 5 points (1 review) up to 20 points (10+ reviews).

Team Activity (15%)

Evidence of active research and community engagement. This includes CTF participation, industry awards, open-source security tools, conference speaking, and published research such as CVE disclosures, whitepapers, and blog posts.

Experience (15%)

Company track record based on years in business and team size. Providers operating for 16+ years receive the maximum base score. Larger teams earn a bonus, reflecting capacity and depth of expertise.

Service Breadth (15%)

Range of penetration testing services offered and testing methodologies followed. The first five services each contribute 12 points. Beyond that, diminishing returns apply (4 points each) to prevent gaming through service inflation. Following recognised methodologies (OWASP, PTES, CREST, etc.) adds up to 20 bonus points.

Accreditation Weights

Not all accreditations are equal. A CREST certification requires rigorous technical examination and ongoing oversight, while Cyber Essentials is a self-assessment baseline. Our weighting reflects this difference.

The table below shows how each recognised accreditation contributes to a provider's accreditation score.

Accreditation         | Full name                                                   | Region        | Weight
CREST                 | Council of Registered Ethical Security Testers              | Global        | 25
CBEST                 | CBEST Threat Intelligence-Led Penetration Testing           | UK            | 22
CHECK                 | CHECK - IT Health Check Service                             | UK            | 20
STAR                  | Simulated Targeted Attack and Response                      | Global        | 20
NCSC Assured          | NCSC Assured Service Provider                               | UK            | 18
ISO 27001             | ISO/IEC 27001 Certified Organisation                        | Global        | 15
FedRAMP 3PAO          | FedRAMP Third Party Assessment Organisation                 | North America | 15
SOC 2                 | SOC 2 Type II Compliant                                     | North America | 12
PCI QSA               | PCI Qualified Security Assessor                             | Global        | 12
CREST Member          | Council of Registered Ethical Security Testers Member Company | Global      | 10
Cyber Essentials Plus | Cyber Essentials Plus Certified                             | UK            | 8
OSCP Employer         | Employs OSCP-Certified Penetration Testers                  | Global        | 8
Cyber Essentials      | Cyber Essentials Certified                                  | UK            | 5

Experience Brackets

Years in business is a proxy for institutional knowledge and operational maturity. Newer firms can still score well overall through strong accreditations and team activity, but longevity provides a baseline of trust.

Team size adds a modest bonus. Larger teams generally mean more specialist expertise across different testing domains, but team size alone does not determine rank.

Years in Business | Base Score
0 - 2 years       | 20
3 - 5 years       | 40
6 - 10 years      | 60
11 - 15 years     | 80
16+ years         | 100
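As an added illustration (not the site's own scoring code), the following Python puts the category weights, accreditation points, review bonus, service rules and experience brackets above together into one composite calculation. Where the page leaves a detail unspecified (how the volume bonus is interpolated, how the accreditation sum is capped, the size of the team bonus, and the team-activity sub-score) the code makes an assumption and labels it in a comment.

```python
from dataclasses import dataclass

WEIGHTS = {"accreditations": 0.30, "reviews": 0.25, "activity": 0.15,
           "experience": 0.15, "services": 0.15}
ACCREDITATION_POINTS = {
    "CREST": 25, "CBEST": 22, "CHECK": 20, "STAR": 20, "NCSC Assured": 18,
    "ISO 27001": 15, "FedRAMP 3PAO": 15, "SOC 2": 12, "PCI QSA": 12,
    "CREST Member": 10, "Cyber Essentials Plus": 8, "OSCP Employer": 8,
    "Cyber Essentials": 5}
EXPERIENCE_BRACKETS = [(2, 20), (5, 40), (10, 60), (15, 80)]  # (max years, base); 16+ -> 100

@dataclass
class Provider:
    accreditations: list
    avg_rating: float        # out of 5
    review_count: int
    activity: float          # 0-100 team-activity sub-score (page gives no formula)
    years: int
    team_bonus: float = 0.0  # assumption: team-size bonus expressed as points
    services: int = 0
    methodology_bonus: float = 0.0  # page: up to 20 points

def accreditation_score(p):
    # Assumption: the individual weights are summed and capped at 100.
    return min(100.0, sum(ACCREDITATION_POINTS.get(a, 0) for a in p.accreditations))

def review_score(p):
    if p.review_count == 0:
        return 0.0
    rating = p.avg_rating / 5 * 80  # average rating is 80% of the category
    # Volume bonus: 5 points at 1 review, 20 at 10+; assumed linear in between.
    volume = 5 + (min(p.review_count, 10) - 1) * 15 / 9
    return rating + volume

def experience_score(p):
    base = next((b for cap, b in EXPERIENCE_BRACKETS if p.years <= cap), 100)
    return min(100.0, base + p.team_bonus)

def service_score(p):
    first_five = min(p.services, 5) * 12   # first five services: 12 points each
    extra = max(p.services - 5, 0) * 4     # diminishing returns beyond that
    return min(100.0, first_five + extra + min(p.methodology_bonus, 20))

def composite_score(p):
    parts = {"accreditations": accreditation_score(p), "reviews": review_score(p),
             "activity": p.activity, "experience": experience_score(p),
             "services": service_score(p)}
    return round(sum(WEIGHTS[k] * v for k, v in parts.items()), 1)

# Constructed sample provider: CREST + CHECK + ISO 27001, 4.5 stars over 10 reviews.
SAMPLE = Provider(["CREST", "CHECK", "ISO 27001"], 4.5, 10, 50, 12, 10, 7, 20)
```

For the constructed sample the category scores are 60, 92, 50, 90 and 88, giving a composite of 75.2.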

Editorial Overrides

In rare cases, our editorial team may apply a manual score override. This happens when we have direct, first-hand knowledge of a provider's quality that isn't fully captured by public data points alone.

Overridden scores are flagged in our system. Editorial overrides are never sold and are always based on genuine assessment. If you believe a score is inaccurate, you can submit updated information and we will review it.

Data Verification

Every provider profile includes a sources section linking to verifiable references. We cross-check accreditations against official registries (CREST member directory, NCSC assured service provider lists, etc.) and only display claims we can verify.

Pricing information is only shown when backed by a published reference. We do not display unverified pricing estimates.

Reviews undergo editorial approval before being published. We do not accept anonymous reviews and require a company name and role for accountability.

Listing & Inclusion

Any penetration testing provider can be listed on Pentesting Providers. We actively research and add providers, and companies can also submit themselves for inclusion.

To be listed, a provider must offer penetration testing as a core service (not a bolt-on to managed IT), have a publicly accessible website, and operate as a registered business.

We do not charge for listings. Featured and Editor's Pick designations are editorial decisions based on quality and differentiation, not payment.

Questions?

If you have questions about our ranking methodology, want to dispute a score, or believe provider information is inaccurate, please reach out via our provider submission form. We review every submission and update listings regularly.