Finding the right penetration testing company for your organization is similar to how a prize-fighting boxer selects a sparring partner.
The boxer doesn’t necessarily want to spar with someone they can beat up every time. Doing so doesn’t help prepare them – it only validates their existing skill set.
The prizefighter wants someone who helps expose their weaknesses so that they can improve them, or at the very least, be aware of them. They’ll select sparring partners who are extremely good at uncovering specific vulnerabilities (for example, someone with longer arms, so the boxer learns to defend against that reach).
When fight day arrives, the boxer is much better at protecting themselves from whatever attacks fly their way.
Similarly, every company needs to have at least one penetration testing sparring session. Penetration testing is a critical component of understanding how secure your organization’s systems really are.
However, there are many different criteria to consider when selecting the perfect penetration testing company for you.
1. The Penetration Testing Company Tests on Multiple Levels
Whether it’s a hacker that somehow finagled their way into your network or an employee willfully attempting to corrupt the system from the inside, you need to have confidence in your security.
Every security system has multiple levels of protection, and you need to make sure that your penetration testing company tests the relevant entry points at each of them.
The first level of penetration testing is what most people have in mind: a malicious third party breaching your network from the outside or from within.
Beneath the immediate surface, second-level testing analyzes the various components inherent to your organization’s system architecture. The penetration testing company would understand how a hacker could break into your cloud database, secure WiFi network, or a web application, to name a few examples.
A skilled penetration testing company will be able to discover any potential weak points and reveal the cause, which could be anything from a slight technical oversight to years of accumulated technical debt.
The third level requires a mastery of the most dangerous element of them all: the human element. Your employees are wonderful gems that you’ve spent so much time and effort to recruit, but they can often be security monkey wrenches. All it takes is a single weak password or private key exposure to give hackers an open front door to your valuable information.
A penetration testing company worth its salt will help you to safeguard your internal security system with protocols that make sure that, even if an employee unknowingly gifts hackers access to their accounts, the whole kit and kaboodle doesn’t come down as well.
Partnering with a penetration testing company that can reproduce the full spectrum of attack vectors across the host, network, application, and human layers is critical.
2. The Company Is Incentivized Correctly
Safeguarding your security systems isn’t as straightforward as signing a contract with a penetration testing company. You need to make sure it’s incentivized to find your weak points before a hacker does.
Most penetration testing companies charge either a flat rate or billable hours, but there typically isn’t a bonus or incentive tied to the number or severity of vulnerabilities found. This approach usually works fine, but it could leave some critical vulnerabilities undiscovered.
While negotiating with a penetration testing company, look for ways to ensure the company is incentivized beyond just a fixed or hourly rate.
3. It’s Transparent and Provides Excellent Reporting
You’ve likely got a long priority list of items to get done, and finding a pen test company just so happens to be one of them. When you hire a pen test company, you’re going to want to understand exactly what they did without having to go through hours of work yourself.
Excellent reporting and communication not only give you a better understanding of what types of testing were performed, but they also let you understand your security systems from a more intimate angle. Additionally, you can use these reports to quickly share information with the rest of your team, as well as to document that you followed the necessary safety and security protocols should an incident occur in the future.
4. The Penetration Testing Company Understands What Type of Test You Need
Prior to selecting a penetration testing company, you should understand what type of technical test you need. Different penetration tests require different skillsets, tools, and expertise, which also play a big role in the cost of your testing.
Once you’re aware of the type of penetration test you need, it’s helpful to define the pen testing environment:
Black box tests: executed without knowledge of the tested environment. The goal is to assess your level of security from the point of view of a third party connected to your internal network or through the internet, without any prior understanding of the environment.
Grey box tests: executed with standard user access or very basic knowledge of the environment. The goal is to assess your level of security from the point of view of a customer with an account, with a little bit of knowledge about the tested environment.
White box tests: executed with in-depth knowledge of the design, implementation, and internal structure of the tested environment.
Most penetration testing companies are able to execute all three, but some have excellent track records with a particular type of test. It helps to know what type of testing is most relevant to your project and to contract a company that excels in that area.
5. The Team Has the Correct Certifications and Expertise to Back Them Up
You need to understand what sort of team will actually be doing your penetration testing.
For example, if a company seems glossy on the outside but is actually outsourcing their pen test activities to subpar contractors, you may end up with inadequate testing.
While there is nothing wrong with outsourcing or subcontracting, it’s important to know how qualified the eventual testing team is.
For example, university degrees that focus on information security are a good first sign. Pair those with ethical hacking certifications such as the Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), or Offensive Security Certified Professional (OSCP), and you’ll have a higher degree of confidence.
Don’t be shy to ask for previous projects or case studies that can help demonstrate your penetration testing company’s expertise.
Choosing the right penetration testing company can make all the difference, even if it just brings more restful sleep at night. Schedule a free consultation with us today to find out if we’re the right penetration testing company for your organization.