To choose a penetration testing company, ask seven questions before signing anything: Do they document and explain their methodology? Who specifically will conduct the test, and what are their credentials? How thorough is their scoping process? Will they show you a sample report? Do they provide remediation support after delivery? Have they tested environments in your industry? And do they carry professional liability and cyber insurance? The firm that handles these questions well is demonstrating exactly the kind of rigor you want applied to your network.
A penetration testing firm is a company that employs security professionals who conduct authorized, simulated cyberattacks against a client's systems, networks, and applications to find exploitable vulnerabilities before real attackers do. Unlike a vulnerability scanner — which checks for known CVE signatures — a penetration tester chains findings together, tests business logic, and demonstrates real-world exploitability. The difference matters: a scanner might report 200 low-severity findings you'll never remediate; a good penetration tester might show you the three-step path from your public-facing web server to your finance database.
The market for penetration testing has expanded fast. That's largely good news, but it also means the quality gap between firms is wide. Some teams are genuinely skilled and will stress-test your environment the way a real attacker would. Others run an automated scanner, export the results to a PDF, and call it a penetration test. The seven questions below will help you tell the difference — before you hand over network access credentials and sign a statement of work.
Why the Selection Process Matters as Much as the Test Itself
Most breaches don't happen because a company skipped its penetration test. According to the 2025 Verizon Data Breach Investigations Report, over 60% of breaches involved stolen credentials or exploitation of known vulnerabilities — the kind of findings a competent penetration test would have surfaced. The gap isn't always in testing frequency. It's often in test quality: organizations conduct annual tests but receive deliverables that don't reflect their actual risk exposure, and nothing meaningful changes.
The firm you select shapes everything — what gets tested, what gets reported, and how actionable the results are. Asking the right questions before hiring isn't gatekeeping; it's how you distinguish a firm that will improve your security posture from one that will give you a compliance artifact to file away.
The 7 Questions to Ask Any Penetration Testing Firm
Can you walk me through your testing methodology?
A capable firm should be able to describe their approach to your engagement in plain language — not just hand you a list of tool names or certification logos. Ask them to explain their attack phases: how they approach reconnaissance and enumeration, how they move from external access to internal compromise, how they handle post-exploitation, and how they document their work as they go.
Reputable firms align their methodology with recognized frameworks. NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, provides the federal baseline for penetration testing methodology. The Penetration Testing Execution Standard (PTES) and OWASP Testing Guide are also commonly referenced. You don't need to be fluent in these frameworks — just ask whether the firm uses one, and whether they can point to where their methodology aligns with it.
Who specifically will be conducting our test, and what are their credentials?
This is the question that separates legitimate firms from marketing fronts. Many firms advertise team credentials at the company level — "our team holds OSCP, CREST, and GPEN" — without committing to which individuals will be on your engagement. That's a problem, because certifications don't transfer between people.
Ask for the names of the specific testers assigned to your engagement and the certifications they personally hold. OSCP (Offensive Security Certified Professional) is the practical baseline — it requires passing a 24-hour live exploitation exam with no internet access. OSEP and OSWE indicate advanced capability in evasion and web exploitation. GPEN (GIAC Penetration Tester) is well-regarded in enterprise and compliance contexts. For highly regulated industries, ask about CREST or CHECK accreditation.
Be cautious of firms whose only listed credentials are CompTIA Security+ or CEH (Certified Ethical Hacker). Both are legitimate knowledge-based certifications, but neither requires passing a practical exploitation exercise. They tell you someone studied security; they don't tell you someone can break into your network.
How do you approach the scoping process?
Pay close attention to what happens before a firm sends you a proposal. A skilled firm will ask a lot of questions first: What's your environment — on-premises, cloud, hybrid? Do you have an IT team that will be notified during testing, or do you want a completely blind test? What compliance frameworks apply to you? Have you had a previous penetration test, and what did it find? Are there systems that are explicitly off-limits — production databases, SCADA equipment, third-party-managed infrastructure?
A firm that sends a quote within 24 hours of your first inquiry, with no scoping call, is pricing from a template. That template might cover your environment adequately — or it might miss your most critical assets entirely. Rushed scoping is one of the most common reasons penetration test results fail to reflect actual organizational risk.
We've seen engagements where the client assumed their cloud infrastructure was included in scope; the tester assumed it wasn't. The on-premises network got tested thoroughly. The AWS environment — where 90% of the sensitive data lived — was never touched. Both parties signed off on the final report, and the client left believing they had a clean bill of health.
Can I see a sample report from a previous engagement?
Every reputable firm should be willing to share a redacted sample report from a similar engagement. This is your most reliable preview of what you're actually buying. Read it carefully — not just for completeness, but for quality.
A strong report includes an executive summary written for non-technical leadership (not a CVSS score table), an attack narrative that describes what the tester did and how far they got, per-finding details with proof of exploitation (screenshots or command output), business impact described in plain language, and specific remediation steps — not "apply vendor patches," but the actual configuration change, policy path, or code fix.
A weak report reads like a Nessus export with a cover page. If the sample shows 47 CVEs with severity ratings and generic remediation categories, that's a vulnerability scan result delivered at penetration testing prices. Real penetration test reports describe the attack path: "we gained initial access via a default credential on the management interface, used that foothold to enumerate the internal network, discovered an unpatched SMB service on the finance server, and achieved domain administrator access within six hours." That narrative tells you something actionable about your actual risk.
What remediation support do you provide after the report is delivered?
A penetration test that delivers a report and disappears is only half an engagement. The report is a list of problems; fixing those problems is where the security value is actually realized. Ask specifically what happens after delivery.
The most important element is a re-test — a targeted follow-up to confirm that critical and high findings were actually fixed, not just marked resolved in a spreadsheet. PCI DSS v4.0 requires annual penetration testing and targeted re-testing of all failed controls. Even if you're not subject to PCI DSS, the re-test standard makes sense for any organization: the original test finds the problem; the re-test confirms the fix. Without it, you're trusting your IT team's self-assessment of whether their own remediation worked.
Beyond re-testing, ask whether the team is available to answer technical questions from your IT staff during the remediation window. In practice, many findings require back-and-forth between the tester and the team fixing the issue — particularly for complex configuration problems or findings that touch third-party systems. Firms that close the ticket on report delivery are optimizing for throughput, not outcomes.
Have you tested environments in our industry?
Penetration testing is not a purely generic discipline. Healthcare networks have specific risks — HL7 interfaces, medical device management systems, HIPAA-governed data stores — that a tester without healthcare experience may simply overlook. Law firms have document management systems and client portal architectures with business logic vulnerabilities that don't appear in generic methodology checklists. Manufacturing environments may include OT networks where standard exploitation techniques could cause operational disruption, so the testing approach must be adapted to avoid it.
Ask the firm to describe a previous engagement in your industry or a similar one. What did they find? What did the environment look like? What were the most common weaknesses? You don't need a case study naming a specific client — you need evidence that the tester has a mental model of your environment before they start. A tester who has never worked in a professional services environment and doesn't understand how legal document management systems are typically architected is going to test what they recognize, not what's actually most at risk in your organization.
We've found that in many SMB engagements, the highest-risk findings are not glamorous exploits — they're default credentials on network switches, flat network architectures that allow any workstation to reach any server, unmonitored management interfaces accessible from employee desktops, and IT vendors with persistent remote access tools that haven't been audited in years. These findings require industry context to prioritize correctly.
What insurance and liability coverage do you carry?
Penetration testing involves authorized access to sensitive systems. If a tester causes service disruption, triggers a security alert that results in incident response costs, or inadvertently corrupts data during exploitation, you need to know who is responsible and whether there is coverage to make it right.
Ask specifically for professional liability (errors and omissions) insurance and cyber liability coverage. A reputable firm will disclose coverage limits without hesitation. For engagements that touch production systems or involve significant scope, ask to be named as an additional insured on the policy during the engagement window — this is standard practice in formal procurement and not an unusual request.
Also ask whether the firm has ever experienced a security incident involving client data, and how they handled it. Evasive answers here are meaningful. A firm that handles privileged access to dozens of client networks is itself a high-value target. You want to know they take their own security posture seriously.
What the Selection Process Itself Tells You
The way a firm behaves before you hire them is a direct preview of how they'll behave once they have access to your network. Observe the signals:
Warning Signs
- Generic proposal with no evidence they read your inquiry
- Can't name the testers assigned to your engagement
- Declines to show a sample report
- Price is suspiciously low with no scope questions
- Methodology section reads like marketing copy
- No professional liability insurance disclosed
- No re-test in base scope; pushes back when asked
Positive Signals
- Asks clarifying questions before pricing
- Names specific testers with verifiable credentials
- Provides a readable redacted sample report
- Explains methodology in plain language
- Addresses rules of engagement proactively
- Re-test included in base proposal
- Discloses insurance and data handling policies clearly
A firm worth hiring will ask you questions you didn't think to ask yourself. They'll probe your network architecture, your remediation capacity, your compliance obligations, and your prior test history — because that context shapes where they look and how they prioritize findings. If you get through the pre-engagement process without anyone asking you a difficult question, the test itself probably won't either.
The goal is not to find a firm that checks the most boxes on a credential list. The goal is to find a firm that will spend several days thinking like your adversary and then tell you, clearly and specifically, what they found and how to fix it.
For more on what you should receive at the end of the engagement, see our guide to what a penetration test report should actually contain. If you're earlier in the process and not yet certain whether a full penetration test is the right fit for your current risk posture, our comparison of penetration testing versus vulnerability scanning may help clarify which engagement type fits your needs. And if you're building a formal procurement process, the step-by-step framework in our penetration testing RFP guide covers scope language, rules of engagement, and vendor qualification questions in detail.
Frequently Asked Questions
To choose a penetration testing company, evaluate seven factors: methodology transparency, individual tester credentials (OSCP, GPEN, or OSEP — not just company-level certifications), scoping rigor (do they ask detailed questions before pricing?), report quality (will they show you a sample report?), remediation support including a re-test, industry experience in your sector, and professional liability and cyber insurance coverage. The best signal is often the scoping process itself — a firm that asks smart questions before quoting understands your environment; one that quotes in 24 hours without questions is working from a template.
Look for OSCP (Offensive Security Certified Professional) as the practical baseline — it requires passing a 24-hour live exploitation exam with no internet access, not a knowledge-based multiple-choice test. OSEP and OSWE indicate advanced specialization in evasion and web exploitation. GPEN (GIAC Penetration Tester) and GWAPT are also well-regarded. For regulated industries, ask whether testers hold CREST or CHECK accreditation. Be cautious of firms whose only cited credentials are CompTIA Security+ or CEH, which test knowledge but require no practical exploitation to pass.
A penetration testing firm is a company that employs security professionals who conduct authorized, simulated cyberattacks against a client's systems, networks, or applications to identify exploitable vulnerabilities before real attackers do. Unlike automated vulnerability scanners, penetration testers chain findings together, test business logic, and demonstrate real-world exploitability — producing evidence that a vulnerability is genuinely dangerous rather than theoretically possible.
A penetration testing report should include an executive summary written for non-technical leadership, an attack narrative that describes what the tester did and how far they got, per-finding details with proof of exploitation, business impact described in plain language, and specific remediation steps for each finding — not generic patch guidance. Ask to see a sample report before hiring — a report that reads like a scanner output dump is a red flag that the engagement was not a true penetration test.
Ready to Find the Right Firm for Your Engagement?
We'll answer every one of these questions directly, show you a sample report, and walk you through what a scoped engagement looks like for your environment — no pressure, no commitment required.