Choosing a penetration testing company is not like buying software. There’s no trial period, no feature matrix to compare, and the quality of the work won’t be obvious until it’s done — by which point you’ve already written the check and handed over access to your systems.

The market doesn’t make it easier. Every firm claims to be thorough, experienced, and certified. Most websites look similar. Proposals can be hard to compare when you don’t know what to look for.

But there are substantive differences between penetration testing providers — differences that affect whether you walk away with a document that checks a compliance box or a report that actually improves your security posture. This guide gives you eight specific questions to ask any firm you’re considering, and what good and bad answers look like.


Before You Start: Clarify What You Actually Need

Before you contact any vendor, get clear on your scope. Do you need:

• A network penetration test — internal, external, or both?
• A web application penetration test — one app, many apps, API-only?
• A cloud configuration review?
• A social engineering assessment — phishing simulation, vishing, physical?
• A full red team engagement — multi-stage adversary simulation?
• Compliance-driven testing — SOC 2, CMMC, HIPAA, PCI DSS?

If compliance requirements are driving your testing decision, our dedicated guides cover what’s actually required: CMMC penetration testing requirements and SOC 2 penetration testing requirements.

The scope determines which firms you should be talking to. A boutique firm that excels at web application testing might not be the right call for a red team operation against your Active Directory environment. Get your scope defined in writing before you send a single RFP.


The 8 Questions

1. Who specifically will be doing the work?

This is the most important question you can ask, and the answer will tell you a great deal about the firm’s culture.

Many penetration testing firms have a small group of skilled testers and a much larger body of account managers, project coordinators, and junior staff. Your engagement proposal may come from someone impressive — but who is actually running commands against your systems?

Ask:

• Can you provide CVs or LinkedIn profiles for the testers assigned to this engagement?
• What certifications do your lead testers hold?
• Will I have a primary point of contact who is also a technical contributor?

What you want to hear: Names. Specific certifications. The firm should be comfortable telling you exactly who will be on your engagement. If they give you vague answers about “our team” without specifics, that’s a warning sign.

Certifications to look for: OSCP (Offensive Security Certified Professional), OSCE3, CRTO (Certified Red Team Operator), GPEN, GXPN, CREST CRT (Certified Infrastructure Tester), CREST CCT. These are earned through hands-on technical examination — they aren’t study-and-sit certifications.


2. What does your methodology look like?

A penetration test isn’t just running automated scanning tools. A credible firm follows a structured methodology that covers reconnaissance, enumeration, exploitation, post-exploitation, and reporting. Ask how their process works.

Ask:

• Do you follow an established framework (PTES, OWASP Testing Guide, NIST 800-115)?
• What’s the balance between automated tools and manual testing?
• How do you handle out-of-scope findings or unexpected vulnerabilities you discover?

What you want to hear: The firm should be able to describe their methodology in clear terms without hedging. Automated tools are part of the process — but a firm that relies entirely on Nessus and Burp Suite running defaults isn’t providing penetration testing; it’s providing a vulnerability scan with better packaging.

Red flag: “We use the latest tools and follow industry best practices” without any specifics. That’s a non-answer.


3. What does the deliverable actually look like?

This is where a lot of organizations get burned. They receive a 200-page PDF that lists vulnerabilities by CVE number and severity score — but provides no context about what’s actually exploitable in their environment, what the realistic impact is, or how to fix it.

Ask:

• Can you show me a sample report from a previous engagement (redacted)?
• How do you structure findings — executive summary, technical detail, remediation guidance?
• How do your findings map to risk, not just severity?
• Do you provide a remediation roadmap or just a list of findings?

For an insider view of what findings typically look like — and why the most dangerous vulnerabilities are often structural rather than exotic — see Top 5 Vulnerabilities We Find in Every Penetration Test. Our 2026 Penetration Testing Buyer Guide also includes a red flags section on what low-quality reports look like and what to demand instead.

What you want to hear: A sample report — without hesitation. Firms that have done this work aren’t cagey about showing what they deliver. A good report includes an executive summary a CISO can present to the board, technical findings a developer or sysadmin can act on, and prioritized remediation guidance based on actual exploitability and business impact.

Red flag: Refusing to share samples. Deliverables that are vulnerability scanner output with a cover page.


4. How do you handle findings during the engagement?

Real penetration tests sometimes turn up critical findings mid-engagement — exposed credentials, active exploitation opportunities, or vulnerabilities that could cause significant damage if exploited further. How does the firm handle those situations?

Ask:

• Do you have a critical finding escalation process?
• Will you notify us immediately if you discover a severity-one vulnerability?
• What happens if you discover evidence of a pre-existing compromise?

What you want to hear: Yes — they will call you, not just note it in the report. Credible firms have clear escalation procedures and treat critical findings as requiring immediate communication, not just documentation.

Red flag: “We note everything in the final report” with no mention of real-time communication. You don’t want to find out about an exploitable RCE vulnerability three weeks later when the report arrives.


5. What’s your experience in our industry or technology stack?

A penetration testing firm with deep experience in healthcare systems tests differently than one that primarily serves financial services clients. Technology stack matters too — cloud-native environments, legacy OT/SCADA systems, and modern microservices architectures each have different attack surfaces and require different expertise.

Ask:

• Have you tested organizations similar to ours in size or industry?
• Do your testers have hands-on experience with [your specific technology stack]?
• Can you provide a reference from a client in a comparable environment?

What you want to hear: Specific experience, not generic reassurances. A firm that has extensively tested AWS-hosted SaaS applications will bring different insights to your engagement than one whose portfolio is primarily on-prem Windows environments.

Note on references: Penetration testing firms are bound by confidentiality with clients — but most can provide references if asked, with client permission.


6. How do you scope engagements?

Scoping is where a lot of value gets lost. A poorly scoped engagement can miss your highest-risk assets entirely, test systems that aren’t worth the time, or create compliance documentation that doesn’t align with what your auditors are actually asking for.

Ask:

• How do you work with us to define scope?
• What’s included in the scoping call, and who attends from your side?
• How do you handle scope creep if something relevant turns up outside the defined scope?
• Do you offer retesting after remediation, and is it included in the price?

What you want to hear: A structured scoping process involving technical staff, not just account management. The firm should help you define scope intelligently — asking questions about your threat model, crown jewels, and compliance requirements — not just accepting whatever you hand them.

Retesting: Many firms do not include retesting in base pricing. Know what you’re buying.


7. What are your rules of engagement and safety procedures?

Penetration testing carries risk. Poorly executed tests have taken down production systems, triggered real incident responses, and caused data loss. Understanding how a firm manages that risk matters.

Ask:

• What’s your process for rules of engagement documentation?
• How do you handle sensitive systems or production environments where disruption must be avoided?
• What notification do you require from us before the engagement starts?
• How do you coordinate with our incident response team in case something triggers an alert?

What you want to hear: Clear, formalized rules of engagement that are agreed upon in writing before testing begins. The firm should have experience navigating the tension between realistic testing and operational stability — and should ask you about your environment before assuming anything.

Red flag: Firms that treat rules of engagement as a formality rather than a technical conversation.


8. What happens after the report is delivered?

A penetration test isn’t finished when the report arrives. The real value comes from what you do with the findings — and a firm that disappears after delivery leaves much of the value you paid for unrealized.

Ask:

• Do you offer a debrief call to walk through findings with our technical team?
• Will you answer follow-up questions from our developers as they remediate?
• What does your retesting process look like?
• Do you offer any ongoing relationship or advisory support?

What you want to hear: At minimum, a debrief call is standard. The firm should be available to answer clarifying questions during remediation. The best firms treat the post-delivery period as part of the engagement, not an upsell opportunity. For a full walkthrough of how to run a successful engagement from pre-test prep through post-report remediation, see How to Prepare Your Team for a Penetration Test.


What Sets Quality Firms Apart

Beyond the specific questions above, a few qualities consistently distinguish firms that deliver real security value:

They tell you what they found, not what you want to hear. A firm that completes an engagement and reports no critical findings when your environment has meaningful risk exposure is failing you. The best firms are direct about what they found — even when it’s uncomfortable.

They distinguish between exploitable vulnerabilities and theoretical ones. CVE severity scores are a starting point, not a conclusion. A high-severity CVE on a system that isn’t internet-exposed and requires local access to exploit is a different risk than a medium-severity finding in a path that takes five minutes to chain into full compromise. Quality firms explain the difference.

They understand your business context. A vulnerability in your customer-facing payment application matters more than the same vulnerability in an internal development sandbox. Good testers factor in business impact, not just technical severity.

Their testers have done adversarial work. The best penetration testers think like attackers because they’ve studied how attackers operate — through CTF competitions, research, bug bounty programs, or direct engagement with offensive security communities. Ask about it.

They’re transparent about limitations. No engagement is unlimited. A credible firm will tell you what they didn’t test and why — whether that’s time constraints, scope boundaries, or access limitations.

If your organization runs penetration tests annually and considers that sufficient, Why Annual Penetration Tests Are Not Enough offers a useful perspective on what a mature continuous testing program looks like beyond the compliance minimum.


Penetration Testing Vendor Evaluation Checklist

Use this when comparing proposals:

Technical Qualifications

• ☐ Named testers with verifiable certifications provided
• ☐ Sample report reviewed and quality confirmed
• ☐ Methodology explained clearly (manual + automated balance)
• ☐ Industry or technology stack experience confirmed

Engagement Process

• ☐ Structured scoping process with technical stakeholders
• ☐ Written rules of engagement included
• ☐ Critical finding escalation process defined
• ☐ Retesting policy confirmed (included or separate cost)

Deliverables & Support

• ☐ Executive summary + technical findings + remediation guidance included
• ☐ Debrief call included in scope
• ☐ Post-delivery support during remediation confirmed
• ☐ Findings mapped to your compliance framework (if applicable)

Business Fit

• ☐ References available upon request
• ☐ Clear project timeline and communication cadence defined
• ☐ Contract terms reviewed (scope definition, IP ownership, confidentiality)

Ready to Evaluate StrikeHaven?

If you’re in the process of selecting a penetration testing firm, we’d welcome the same scrutiny. Our team holds OffSec, CREST, INE, Zero Point Security, EC-Council, and MCSI certifications. We provide sample reports on request, name the testers on your engagement, and include a full debrief call as standard.

We work across network penetration testing, web application testing, adversary simulation, social engineering, and AI/LLM security testing — and we specialize in compliance-aligned testing for CMMC, SOC 2, HIPAA, and PCI DSS environments.

Contact us to discuss your engagement scope →


Tell us what you’re trying to accomplish. We’ll tell you honestly whether we’re the right fit.

Questions about scoping your first penetration test? Our team is happy to talk through what a meaningful assessment looks like for your environment — no commitment required.