Criteria for choosing the right pentest provider
In the digital age, an annual penetration test is the absolute minimum for ensuring the IT security of a company or of a specific system. Choosing the right pentest provider for this is not that easy. We would like to give you some criteria and tips here.
Team & Experience
An experienced pentest provider should have several years of experience in the industry. Most providers have an "About us" page where you can find out more about the pentesters. Certificates such as OSCP or CISSP are also a good indication - but not everything, since hacking is a creative process. Be cautious when it comes to CEH - it is not a good indicator of quality.
Testimonials
References and customer testimonials are an important indicator of the quality of a provider. In IT security, however, it is often not so easy to show who you have worked with (NDAs, ...). This is especially true for providers who have worked in the critical infrastructure sector or for large corporations in the past. It's worth asking! We have some impressive customers!
Communications
A good pentest provider should be able to explain complex issues simply. Communication should be clear and understandable, and the chemistry should be right as well. A phone call or a personal meeting can help here.
Services
Are you looking for someone who can do everything (and perhaps nothing really well), or for a service provider who primarily offers penetration tests and, like DSecured, specializes in offensive IT security and penetration testing?
Flexibility
There is nothing rigid about IT security. The requirements for a penetration test vary greatly from customer to customer. A good pentest provider should be able to respond to individual requirements and adapt their services so that a customer gets the maximum result for their budget. At DSecured, this is possible with every service.
Pricing structure
A penetration testing service provider should offer transparent pricing, and you should be able to understand it. The daily rate itself is also a good indicator of the quality of the provider. A daily rate of 1,000.00 to 2,000.00 USD is common. If the rate is significantly lower or higher, you should be skeptical. It is not uncommon for penetration tests to be carried out by people from the Far East with little experience and then sold at a high price.
Processes
Penetration tests usually follow fixed processes. A good provider should at least be able to tell you how they work. Ideally, this is communicated clearly in advance, on the website or in a conversation.
Company structure
Is it important to you that the provider is an LLC? You have to understand that good penetration testers are generally reluctant to be hired as employees. It is more profitable to work as a freelancer or in a small team. DSecured is such a case.
Insurance
Anyone working in the field of IT security, and specifically in penetration testing, should have adequate insurance, so the pentest provider should have it too. For example, we have a special IT insurance policy that places a strong focus on offensive activities - worldwide.
Reporting
Ask to see a real penetration test report. A good provider usually has a sample report to hand for this purpose. In addition to the technical part, the report should also include a summary for management. It should also be clearly legible, and the recipients should be able to make sense of the information.
Penetration test: manual or automated?
As silly as it sounds, time and again we get requests to review or explain the results of a pentest because the customer doesn't understand what they are looking at. These are often long, automatically created reports generated by tools such as Nessus, Qualys or OpenVAS. If a pentest provider sells something like this as a complete penetration test, you should be skeptical. A penetration test should be a manual test - an automated scan can only be a part of it. Make sure you ask about this!
DSecured: Your honest pentest provider
Just as we at DSecured know what we can do really well, we know equally well what we can't do, or where there is currently no one in the team for a given task. We are honest about this: we want to deliver the highest quality, and bullshitting our way through is not conducive to that. In IT security, there is already enough snake oil and nonsense being pushed on the C-suite and some VPs. We are different. Write to us and we will see whether we can find common ground or whether another pentest provider might be a better alternative. We are also happy to make recommendations - both for companies and for freelancers.
Damian Strobel
Founder and CEO
"I'm always amazed at how many companies refer to an automatic scan with Nessus or Qualys as a real penetration test."