How do you choose the right penetration testing company for your organization?
Whether you're concerned about the security of your organization's most sensitive information, are looking to fulfil your PCI DSS requirements, lower your cyber insurance premium, or are an MSP seeking a pentesting vendor to partner with, it's likely that you're plagued with all the common questions:
"Where do I start looking for a penetration testing company?"
"Which pentesting services should we opt for?"
"What determines pentesting prices?"
"What are the questions I should be asking a penetration testing vendor?"
In today's blog, our team of ethical hackers answers all of these FAQs... and so much more.
Let's jump right in:
Let’s start by differentiating an actual “penetration test” from some commonly confused alternatives: vulnerability scans, compliance audits, or security assessments. These services identify vulnerabilities in your systems, often with the help of automated tools, but do not consider the actual significance of these findings and how they may lead to a compromise.
Instead, penetration testing goes several steps beyond these services:
Automated tools are simply a starting point for a pentest. Afterwards, an ethical hacker will manually attempt to identify and exploit vulnerabilities through various techniques.
Because there is a human factor involved, penetration testing offers a more realistic simulation of a real-world attack.
Automated tools check for vulnerabilities in individual systems, but an ethical hacker can chain vulnerabilities from multiple systems in order to compromise your overall security.
Upon uncovering potential weaknesses in your information security controls, an ethical hacker will thoroughly document the steps taken to compromise your systems, often in a narrative format, and provide recommendations for enhancing security within your environment.
At Packetlabs, there are four main types of pentesting that we offer in order to best suit your organization's cybersecurity needs: infrastructure penetration testing, which finds weaknesses others overlook; ransomware penetration testing, which tests your preparedness in case of a malicious attack; cloud penetration testing, which enhances the security of your cloud networks; and objective-based penetration testing, which simulates real-world attacks.
When engaging a pentesting company, you are essentially granting them a license to attempt to obtain access to your sensitive information. So the first rule is simple: trust the company you select. Before anything, you must entirely trust the resource or company you hire with access to the most sensitive information in your company.
Secondly, ensure that you are working with an experienced team; someone who goes beyond a VA scan. There is a large selection of companies offering penetration testing services that lack the general knowledge or expertise to deliver; this is why certification plays a significant part in establishing that a resource has skill. Practical certifications such as OSCP, OSCE, GPEN, GWAPT, and GXPN are a must for any credible penetration testing resource. CEH is not a practical certification.
Beyond this, a penetration test is only as good as the actionable solutions that come out of it; it’s not just about finding out what the problem is, but also the solution. Ensure that the team you hire has defined processes and documents and are able to clearly explain how they develop their test plan, rules of engagement, and the final report. You should feel confident that you understand what you are hiring them to do, how they will do it, and what the deliverables are.
As a foundation, you must understand your requirements for a penetration test: most commonly, these include complying with regulatory requirements, testing a new application, and protecting trade secrets.
From there the team you hire should assist you by providing options to achieve your set goals and assisting in scoping out the project. Some details that should be discussed are:
Scope: The scope should not be so broad that the project can’t be completed in a timely, efficient manner, and should not be so narrow that it limits the consultant’s ability to simulate a realistic cyber-attack.
Blackbox vs. Whitebox: This determines what information the consultant will know at the beginning of the test. Blackbox means that the consultant does not have access to any information and must perform additional reconnaissance to obtain the necessary information to proceed; this type of testing is the most realistic but also the most time-consuming. Whitebox means the tester will have complete access to any and all information they require, all the way down to the source-code level, meaning they spend less time performing reconnaissance and more time focused on exploiting vulnerabilities. Greybox is a blend of Blackbox and Whitebox and is the most cost-effective approach.
Recommendations: Before beginning an engagement, clearly define if recommendations will be provided, and to what degree of detail. Consider asking for a sample of recommendations, to ensure you're happy with the level of description and guidance provided.
Scheduling: As with any type of testing, there is a potential impact to the availability of the in-scope systems during penetration testing, so you must discuss when penetration testing should be executed. During working hours? After hours? The answer is unique to each company and can help reduce the potential impact of testing.
Did you know? Ahead of the end of 2026, around 50% of C-level executives will build performance requirements related to cybersecurity risk into their employment contracts.
Beyond that:
In over 39% of healthcare organizations, awareness of a breach only occurred months after the initial incident
82% of university representatives say that more funding is required to bolster their cybersecurity
Web attacks have made up almost 50% of the attacks launched on fintech organizations
Cybersecurity breaches in smaller firms (under 50 employees) have doubled since 2019
And 4 out of 5 SMBs state that their antivirus software has not stopped malware
Don't see your industry listed here? Don't think you're exempt from these ever-increasing cybersecurity threats: every 39 seconds, a threat actor targets an organization’s cybersecurity infrastructure. And that includes yours.
That means that the best time to invest in your organization's cybersecurity was years ago; the next best time is today. Claim your free, zero-obligation quote today by reaching out to our team, or download our complimentary Buyer's Guide below.