
Are you getting value from your current penetration testing partner? 7 tips for choosing a supplier

There are many companies that offer penetration testing services in the UK. How do you know which one to trust with the ‘keys to your kingdom’?

When it comes to selecting the best UK penetration testing companies, there are many elements to consider before making your decision.

The best penetration testing companies will understand your security concerns and provide helpful guidance throughout your testing journey. But with so many companies to choose from, the supplier selection process can be daunting.

Are you dissatisfied with the service from your current penetration testing supplier, or looking to implement a new testing strategy? 

Read on to find out how to choose a dependable penetration testing supplier, tailored to your company needs.

Before you get started, you need to understand your requirements

You should start by establishing a baseline understanding of your needs, such as:

  1. Your security assessment requirements
  2. Budget
  3. Objectives

This will help you choose a penetration testing provider which is a good fit for you and your business goals.

Tip 1: Focus on the vendor’s real-world testing knowledge and not just their certifications

When it comes to choosing a top testing partner, don’t get too caught up in the number of certifications.

If you focus only on certifications and approved methodologies, you may eliminate some well-qualified penetration testers from your search.

A better way to measure capability is to look for real-world ethical hacking experience.

Have they worked with a varied range of businesses and had exposure to different pen testing scenarios? 

If your testers don’t have hands-on ethical hacking experience, serious weaknesses could go undetected.

Some things to consider are:

  • Does your penetration tester have hands-on manual testing experience?
  • Can they provide example use cases for the kind of tests you require, which detail their approach?
  • Can they share an example report, with the identifying details redacted?
  • How many years’ industry experience do they have, and who will actually be assigned to your test?
  • Check reviews: what do their customers say?

Tip 2: It’s not all about the cheapest price

Want to know your biggest security risks, and how your security strategy would hold up against a real-life hacking attempt? If you want reliable, expert insights, then going for the cheapest option is not the best idea.

Some companies may call their service “penetration testing,” but it is really just an automated vulnerability scan. It is important to remember that penetration tests require time, skill, and manual interpretation.

Beware of suppliers who propose a test that is much cheaper than expected and can be completed in a much shorter timeframe. A quote that only covers a day or two for a sizeable scope usually means the work is largely automated, and you may end up with a service that is not up to your standards.

Is penetration testing worth the investment? Although specialist pen tests may not be the cheapest option, they bring far more value to your business.

They help you:

  • Find exploitable weaknesses before an attacker does
  • Show the real impact of those weaknesses by demonstrating what an attacker could reach
  • Give you prioritised, practical guidance to improve your security controls

Tip 3: Check for industry approved certifications

Don’t worry, we aren’t back-tracking from what we said in ‘Tip 1’! Penetration Testing certifications are still important, but they’re not the only thing to consider when choosing a quality supplier.

Top security penetration testing companies will undergo independent verification to ensure they are following industry-approved methodologies and approaches.

If you’re looking for approved companies in the UK for penetration testing services, you should check if they’re CREST accredited. CREST is a not-for-profit accreditation body for the cyber security industry. It reassesses member companies every year to make sure they are using the right methods and following CREST-approved standards. CREST also certifies individual testers (for example CREST Registered Tester and CREST Certified Tester), so ask which members of the proposed team hold which qualification.

Individual certifications matter too. One to look out for is the Offensive Security Certified Professional (OSCP). The OSCP exam is hands-on and time-limited: candidates must compromise a set of unseen lab machines using the methods real attackers use, then document their work in a report. It therefore evidences practical exploitation and reporting ability rather than knowledge of a syllabus. Bear in mind that it certifies the person, not the company, so confirm that the OSCP holders will actually be working on your test.

Tip 4: A vulnerability scan is not a penetration test

Vulnerability assessments are used to identify known security holes in networks, applications and devices. They typically use automated tooling that matches what it finds against a database of known weaknesses, so they produce a (sometimes long) list of signature-detectable issues. They cannot find business-logic flaws, authorisation bypasses or chains of individually low-severity issues that together give an attacker access.

Point-in-time penetration testing is a more intensive process than vulnerability scanning, requiring more time and effort. It requires expertise in analysing and interpreting the results, manually verifying and exploiting what the tools and the tester find, and an understanding of how real-life attackers operate.

Concerned you may be short-changed? Ask your potential supplier to explain their processes and to see a copy of their pen testing methodology. This will help you confirm you are purchasing a threat-led penetration test rather than a vulnerability scan masquerading as one. Their sample report is a useful check here: a genuine test will contain manual findings that no scanner produces, together with the request/response or screenshot evidence needed to reproduce them, and the proposal should state how much of the time is budgeted for manual testing.

Tip 5: A top security testing provider will clearly define your scope

Top penetration testing companies will take time to understand your security concerns and objectives before providing a proposal or quote.

A scoping document should be shared alongside a discussion to gather the information needed to carry out a pen test.

This ensures that your objectives are established and understood by all parties before testing begins.

A scoping document should gather:

  • What you would like to test (for example: web applications, internal/external network or physical access testing)
  • Exactly what is in and out of scope (IP ranges, hostnames, URLs, environments) and the rules of engagement, such as permitted testing windows, whether exploitation is allowed and any systems that must not be touched
  • How it will be tested: white-box, grey-box or black-box, i.e. how much knowledge and access the tester is given beforehand
  • The reason for the test
  • Who will be carrying out the test
  • When the test will take place

Penetration testing companies will need support from your technical teams to prepare for the test, for example allow-listing the testers’ source IP addresses, provisioning test accounts for each role in scope and, unless you have specifically agreed to test your detection capability, telling your security operations team the dates so that test traffic is not mistaken for a live attack. These prerequisites should be shared with your IT team in advance.

This document should outline the process step by step, and list the access requirements, technical information and key contacts needed. These preparations improve the chances of the test running without any hiccups.

Tip 6: Ensure your penetration testing report can be digested by all audiences (not just technical)

Request a sample copy of a penetration testing report. Is the document full of technical jargon, or does it open with a summary that non-technical teams can understand? That summary should set out the key findings, categorise the security flaws by severity and state the overall level of risk to the business.

A penetration test can have a big impact on a company’s visibility into cyber-risk. It can also help start a conversation about how risks can affect the company’s brand. You can then decide the fixes you need to prioritise and what security weaknesses you are prepared to tolerate.

At the other extreme, some penetration testing reports lack the technical detail your IT teams need to remediate critical security issues. Each finding should identify the affected hosts or URLs, give reproduction steps and evidence, and recommend a fix. Without that, your teams are unable to patch, remediate and strengthen defences where necessary.

Your IT teams also need a clear, prioritised list of findings so they are not left sifting through raw tool output for hours. It should give an overview of the vulnerability landscape and what needs to be done to improve it, with the risk and impact of each finding and the order in which fixes should be tackled. A red, amber, green rating per finding works well for this, ideally backed by a standard score such as CVSS so that ratings are consistent between reports and between suppliers.

Tip 7: Find a long-term pen test supplier you can depend on

When searching for suppliers, you want to find a company you can trust and build a solid relationship with. After all, penetration tests should not be a tick-box exercise. To effectively reduce the risk of a data breach, you need a proactive approach to tackling threats.

To form a long-term partnership, you need a company with both breadth and depth of pen testing expertise. There are many different types of penetration test (web and mobile applications, internal and external infrastructure, wireless, social engineering and physical access, among others). Save time and hassle by finding a partner who can support all your testing requirements.

However, finding a long-term supplier goes beyond penetration testing expertise. A true partner shouldn’t down tools when the test is finished, leaving you to pick up the pieces.

Look for a company who can not only find the security holes, but also help build and strengthen your security posture.


Do you want more confidence in your security strategy?

Our team are on hand to shine a light on all those deep, dark corners of your IT ecosystem. Find out more about our expert penetration testing services below, or call us on 0121 663 0055.

Ready to achieve your security goals? We’re at your service.

Whether you are a CISO, an IT Director or a business owner, Equilibrium has the expertise to help you shape and deliver your security strategy.
