Penetration Testing for Compliance

How to Hire a Good Pen Testing Firm

By Vibha Puthran, ERMProtect Information Security Consultant

A study conducted in 2022 estimated that organizations would spend about $10.5 trillion dealing with cybersecurity incidents by the end of 2025. Prevention is a better cure, which is why evaluating the security of your firm is one of the important steps in improving the cybersecurity posture of your organization.

Penetration testing is a form of security assessment that assesses a computer system, network, or software application to find security vulnerabilities that an attacker could exploit. These are conducted on your organization by a pen testing firm, to prepare for the worst-case scenario of a cybersecurity incident. They simulate real-world attacks to show how an organization’s sensitive data, business systems, financial assets, and employees would fare in the event of the real thing.

Although internal pentesting is common in some larger companies, hiring an external pentesting firm helps eliminate bias and bring in new techniques from experienced professionals. Choosing a good outside pen testing firm is crucial to conducting penetration testing that uncovers hidden vulnerabilities in your infrastructure.

The following are some of the main considerations when choosing your penetration testing firm:

Well-Defined Approach of Penetration Tests

A well detailed outline of the entire approach toward the pen testing must be considered prior to choosing a pen testing services firm. This is essential as you would not want to hire a firm that is confused about their own process and does not have an effective methodology in place. Some companies are not very transparent about their process. It’s best to choose a firm that will give you a clear and transparent understanding of their methodologies and how they will help improve security. Knowing the nooks and crannies of the entire process will help you gauge whether all the devices in the scope of your environment are tested accurately.

Another aspect to keep in mind when choosing a pen testing firm is to ensure the company provides a very detailed report outlining vulnerabilities as well as the steps required to remediate them. The pen testing firm should  follow industry-recognized standards such as Open Web Application Security Project (OWASP) or Penetration Testing Execution Standard (PTES).

Knowledge and Certifications for Pentesting

Another important consideration is ensuring that your pen test firm employs penetration testers with relevant certifications in the field. Some of the common industry certifications include Licensed Penetration Tester Master, CompTIA PenTest+ , GIAC Penetration Tester Certification, Offensive Security Certified Professional etc. People with certifications such as these possess the necessary skills and expertise to conduct a penetration testing effectively.

Expertise and Experience in Pen Testing Firm

There are many firms that engage in penetration testing. But it’s important to pick a firm that has a lot of experience, has worked in a variety of industry verticals (including yours) and has tested organizations at the scale of your company. Depending on your needs, it’s also best to pick a company with specialized experience in Cloud Infrastructure, Web Applications, Wireless Infrastructure etc. Reviews and references should also be considered when making your decision.

Ethical Standards and Trustworthiness

As pentesting uncovers vulnerabilities in your infrastructure, it is important to make sure that your pentest firm adheres to the highest ethical standards. They will have access to sensitive information, personal data of customers, and details of open vulnerabilities in your infrastructure. These firms should maintain privacy and attest to non-disclosure of all their findings both during the engagement and at conclusion.

Additionally, it is also important to inquire about the data-handling procedures of the pen test firm, since any potential breach would impact your organization. Be sure you choose a firm that is compliant with relevant standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPPA) as applicable to your organization.

Cost and Value of Hiring a Pen Testing Firm

Avoid choosing a company based on only a low cost. They may not be good enough for your organization. At the same time, be sure to check your budgets, and estimate how much you are willing to spend on the pen test. Discuss your budget upfront with the pen testing firm: good firms will scope your environment free of charge and provide a budget estimate. Also, be sure the pen testing company is customizing their procedures based on your infrastructure, your data regulation requirements, and other business factors to maximize the value and outcome of the pen test. A cookie cutter approach from a low-cost provider may not benefit your firm.

Ongoing Support

Ensure that the pen test firm will provide continued ongoing support after the pen test is done. Do they provide prioritized recommendations? Provide tips on remediation? Re-test your environment as part of the scope? Answer questions after the engagement comes to an end?

ERMProtect is a Renowned Pen Testing Firm

Now that you know how to hire a pen test firm, you should start searching for the right one for you. You will quickly discover that ERMProtect is one of the pen testing firms that should be on your radar. Learn  more about our pen testing services here. For a free quote, please contact [email protected] or call 305.447-6750.

Get a curated briefing of the week's biggest cyber news every Friday.

Intelligence and Insights

NIST Cybersecurity Framework

Complete Guide to the NIST Cybersecurity Framework 2.0

In this comprehensive guide, we explain in simple terms every aspect of complying with the NIST Cybersecurity Framework 2.0 …
Musings From a Pen Tester’s Diary

Musings From a Penetration Tester’s Diary – Part 2

We asked Akash to take a trip down memory lane and discuss some of his more interesting intrusion cases. This is Part 2 of “Musings from Pen Tester’s Diary.” …
Musings From a Pen Tester’s Diary

Musings From a Penetration Tester’s Diary – Part 1

Ever want to peek inside the mind of an ethical hacker? Akash Desai, our Director of IT Consulting for 18 years, is sharing his diary of experiences “hacking” banks, factories, fire departments, airports, etc …