Choosing a pentest vendor is trickier than it looks — quality is hard to judge in advance, and prices vary widely. This isn’t a pitch for any one vendor; it’s a checklist offered in the hope it helps you make a good choice, wherever you go.
What to look at before the price list
Price is easy to compare, so it draws the eye first. But under the same word “pentest,” depth can differ greatly, so price alone isn’t a fair comparison. The questions below reveal what actually sits behind the number.
Questions worth asking
- Methodology — “Beyond an automated scanner, what do you check manually? How do you verify authorization, business logic, chaining?”
- Depth — “Do you look at known component/library flaws (1-day) or even 0-days?” (the heart of APT-perspective testing)
- People — “Who actually does the testing? Any certifications or discovered CVEs?”
- Report — “Can we see a sample? Are reproduction steps and fix guidance concrete?”
- Re-test — “Is post-fix re-verification included?”
- Safety — “How do you control production impact? What’s the contact path on an incident?”
Signs worth a second look
| If the answer is… | Check once more |
|---|---|
“We run a scanner and hand you a report” | Whether there’s manual testing and chaining |
“We’ll find hundreds of findings” | Priority, reproduction, remediation (quality over count) |
“We’ll block everything, guaranteed” | Whether they’re honest about scope and limits |
A good report is evidence of a good vendor
Personally, the surest signal is the report. Whether it’s written so a developer can fix it right away, whether reproduction steps are followable, whether the “context” of risk is explained — that shows how a vendor works. We’d suggest asking for a sample report.
Field note: honestly, one sample report says far more than “we’re the best.” Whichever vendor you choose, start with the report.
FAQ
Do more certifications mean a better vendor?
Certifications are a good reference for fundamentals — but weigh them alongside actual test depth and report quality for a balanced view.
Is a bigger company safer?
More than size, it’s “expertise and methodology that fit your target.” Small teams are often deeper in a specific area.
Closing
Choosing well comes down to confirming “what they look at, and how.” We hope these questions help wherever you go. If you’d like to talk with us, reach out at penetration testing — we’ll show you samples and methodology, transparently, from the start.