Top Questions to Ask Before Hiring a Penetration Testing Provider

Written By Midhlaj

June 23rd, 2024

Which certifications are held by your specialists?

Before choosing a pentesting provider, ask about their specialists' certifications (e.g., CEH, CISSP, OSCP) to gauge their expertise.

What is your own internal security like?

Ensure the pentest report's confidentiality and security by asking about data protection measures and preferred delivery methods.

Will your tests impact our usual operations?

Choose a pentest provider that mitigates testing impacts, avoids disruptions, and safely exploits vulnerabilities without harming your system.

Do you outsource your projects?

Choose a pentesting company that does not outsource work to ensure confidentiality, accountability, and consistency in handling sensitive data.

What does your report cover?

A thorough pentest report includes an executive summary, detailed vulnerabilities with replication steps, recommendations, and risk scores for prioritization.

Will you help me fix my vulnerabilities?

Hire a pentesting company that offers actionable recommendations, post-test support, and re-tests to ensure vulnerabilities are fixed.

How much of your testing is manual versus automated?

Choose pentesters with 80% manual testing for deep, creative vulnerability assessment. Look for enthusiastic experts who ask insightful questions.

What tools will you be using?

Choose pentesters who focus on the process, not just tools. Look for detailed answers about tools like Burp Suite, Nmap, or Metasploit, showing deep understanding.

How do you approach a penetration test?

Choose a firm with a clear methodology: reconnaissance, scanning, exploitation, and post-exploitation. Look for intelligence-driven processes.

How will you be reporting your findings?

A mature security practice requests emergency contacts, sets communication frequency, uses secure methods like encrypted email, and provides executive-level reports.

Use this guide to ask the right questions when choosing a penetration testing provider.