There is no trial period for penetration testing: once the engagement ends, the quality of the work is what it is. Every firm’s proposal uses the same language, so how you choose a penetration testing provider before you sign the contract is the only leverage you have. This guide gives you ten questions that separate firms that improve your security posture from firms that hand you a report and move on.

What you may not have is a reliable way to compare providers. Every firm’s website looks professional. Every proposal uses similar language. And unlike buying software, you cannot trial a penetration test before committing to it.

This guide gives you a structured framework for evaluation: ten specific questions to ask any provider you are considering, what strong and weak answers look like, and a comparison checklist you can use across proposals. If you want broader context on why penetration testing matters and how to scope your assessment, start with our cornerstone guide: Why Penetration Testing Matters: A Guide for Business Leaders.

Why Provider Selection Matters More Than Most Buyers Realize

Two penetration tests can produce wildly different results against the same environment, depending entirely on who is doing the work. A firm with junior staff running automated tools through a predefined checklist will find a different set of issues than an experienced practitioner who thinks like an attacker, chains findings together, and understands the business context of what they are testing.

The difference shows up in the report. It also shows up in what does not get found.

Choosing a provider is a risk decision. The wrong choice does not just waste budget. It creates false confidence.

The 10 Questions

1. What certifications do your testers hold?

Certifications are not the only measure of practitioner quality, but they are a meaningful signal. The gold standard credentials in offensive security are:

  • **OSCP (Offensive Security Certified Professional):** OffSec’s hands-on certification requiring real exploitation in a timed exam. This is widely recognized as evidence that a tester can operate in realistic conditions.
  • **CREST:** A UK-based accreditation body whose certifications (CPSA, CRT, CCT) are widely accepted by financial regulators and government agencies.
  • **GPEN / GWAPT (GIAC):** Recognized certifications for network and web application penetration testing.
  • **CRTO / CRTE (Zero Point Security):** Advanced red team and Active Directory-focused credentials increasingly required for sophisticated engagements.

Ask which specific certifications the testers assigned to your engagement hold, not the firm in aggregate. A firm can list ten certifications on its website while assigning an uncertified junior to your engagement.

Red flag: Vague answers like “our team is highly certified” without specifics, or reliance on vendor-specific certifications rather than practitioner credentials.

2. Who will actually do the work?

Penetration testing firms often have a gap between who sells the engagement and who delivers it. Your proposal may come from an experienced principal, but the testing may be performed by a junior practitioner under minimal supervision.

Ask for the CVs or LinkedIn profiles of the specific testers assigned to your scope. Ask how many active engagements each tester is running simultaneously. Ask whether the person who scoped your engagement will also be involved in testing.

Red flag: Inability or unwillingness to identify testers by name before contract signing.

3. What methodology do you follow?

Legitimate penetration testing firms align their work to recognized frameworks. The most common are:

  • **PTES (Penetration Testing Execution Standard):** Covers pre-engagement, intelligence gathering, threat modeling, exploitation, and reporting.
  • **OWASP Testing Guide:** The standard reference for web application security testing.
  • **NIST SP 800-115:** The federal government’s technical guide to information security testing.
  • **MITRE ATT&CK:** An adversary behavior framework increasingly used in red team scoping and reporting.

A strong answer describes which frameworks the firm uses, how they adapt methodology to your specific scope, and what distinguishes their approach beyond running standard tools. Be skeptical of firms that cannot articulate how they would test your environment specifically.

Red flag: Methodology described only in marketing terms (“comprehensive,” “industry-leading”) with no technical specifics.

4. What does your report look like?

The deliverable is the product. Before you hire any firm, ask to see a sample report with client details redacted. A strong penetration testing report includes:

  • An executive summary written for non-technical leadership
  • A technical findings section with severity ratings (CVSS scores or equivalent)
  • Detailed reproduction steps for each finding
  • Clear remediation guidance, prioritized by risk
  • Evidence (screenshots, logs, payloads) supporting each finding
  • A risk score or overall posture assessment

Reports that are 40 pages of output from automated tools with minimal practitioner commentary do not help your team remediate anything. Reports that exist only as a PDF delivered at engagement close with no debrief call are not worth what you paid for them.

Red flag: Refusal to share a sample report, or a sample that reads like a vulnerability scanner export.

5. Do you offer a retest after remediation?

Penetration testing without remediation validation is an incomplete exercise. After your team fixes the findings, you need confirmation that the fixes work and that no new issues were introduced.

Ask whether a retest is included in the engagement price or available at reduced cost. Ask how quickly the firm can turn around a retest after you notify them of remediation completion. Some firms include one free retest within 60-90 days; others charge separately.

Red flag: Firms that do not offer retesting at all, or that treat it as a fully separate engagement at full price.

6. How do you handle sensitive data encountered during testing?

During a penetration test, testers may encounter real credentials, personally identifiable information, protected health information, or proprietary business data. How a firm handles this exposure matters for both security and compliance.

Ask for their formal data handling policy. Ask whether test artifacts (credentials, session tokens, captured data) are deleted after the engagement and how that deletion is documented. Ask who on their team has access to your environment during and after testing.

Red flag: No documented data handling or retention policy, or hesitation when asked about it.

7. Have you tested environments like ours before?

Industry-specific experience is not always required, but it can meaningfully improve test quality. A firm that has tested hospitals, financial institutions, or defense contractors understands the regulatory context, the common architecture patterns, and the attacker profiles most likely to target your sector.

For compliance-driven engagements (HIPAA, PCI DSS, CMMC), experience with those specific frameworks matters. A tester who has never read CMMC Level 2 requirements may not design scope that satisfies them.

Ask for references or case studies from similar environments. Ask whether the firm has relationships with the relevant compliance bodies or assessors.

Red flag: Claims of universal experience without any sector-specific examples.

8. What are your pricing models?

Penetration testing is typically priced in one of two ways:

  • **Fixed-scope / fixed-price:** You define the scope, the firm assesses it and prices accordingly. Most common for straightforward engagements.
  • **Time and materials:** You purchase a block of practitioner hours and direct the testing within that block. Offers more flexibility but requires you to manage scope carefully.

Understand what is included in the quoted price: scoping calls, the test itself, the report, a debrief call, and the retest. Get this in writing. Some firms quote attractive headline numbers but charge separately for items most buyers assume are included.

Red flag: Price quotes without a clear scope definition, or significant variability in pricing without explanation.

9. What does your engagement process look like?

A professional penetration testing engagement has defined phases: scoping and rules of engagement, pre-engagement legal documentation (Master Services Agreement, Statement of Work, authorization letters), active testing, reporting, debrief, and remediation support.

Ask for a sample timeline and what documentation you will receive before testing begins. Authorization documentation in particular is important: your team needs to know exactly what is being tested, when, and by whom, so that test activity picked up by your monitoring is not mistaken for an actual attack.

Red flag: Firms that want to begin testing without a signed rules of engagement document or formal authorization letter.

10. What happens if you find a critical issue during the test?

Most penetration testing contracts define an escalation protocol for critical findings: vulnerabilities so severe that your team needs to know about them immediately rather than waiting for the final report.

Ask whether the firm has a defined critical-finding escalation process, how quickly they will notify you, and through what channel. Ask whether they will pause testing if they discover something that could cause operational disruption.

Red flag: No escalation protocol, or a firm that plans to document critical findings in the final report without immediate notification.

Vendor Comparison Checklist

Use this checklist when evaluating proposals side by side.

Credentials and Team

  • [ ] Testers hold OSCP, CREST, GPEN, CRTO, or equivalent practitioner certifications
  • [ ] Firm can name specific testers assigned to your engagement before signing
  • [ ] Testers’ experience aligns with your scope (web apps, network, cloud, red team)
  • [ ] Firm can provide references from similar environments or industries

Methodology

  • [ ] Firm references specific frameworks (PTES, OWASP, NIST, MITRE ATT&CK)
  • [ ] Methodology is described in technical terms relevant to your scope
  • [ ] Firm explains how they will tailor testing to your specific environment

Reporting

  • [ ] Sample report reviewed and includes executive summary, technical findings, remediation guidance, and evidence
  • [ ] Report is clearly authored by practitioners, not generated by automated tools
  • [ ] Debrief call is included in the engagement

Engagement Process

  • [ ] Formal authorization documentation provided before testing begins
  • [ ] Rules of engagement define scope boundaries, timing, and emergency contacts
  • [ ] Critical-finding escalation protocol is documented
  • [ ] Data handling and retention policy is documented in writing

Pricing and Terms

  • [ ] Scope is clearly defined in the Statement of Work
  • [ ] Quote includes scoping, testing, report, debrief, and retest terms
  • [ ] No significant scope ambiguity that could result in change orders

Post-Engagement

  • [ ] Retest option is available within a reasonable timeframe
  • [ ] Remediation guidance is prioritized by risk, not just severity score
  • [ ] Firm answers follow-up questions after report delivery

Red Flags That Should End the Conversation

These are disqualifying signals regardless of price or credentials:

  • Cannot identify testers by name before contract signing
  • Refuses to share a sample report
  • No formal authorization documentation process
  • No data handling or retention policy
  • Critical findings go into the report with no escalation protocol
  • Methodology is described only in marketing terms

Where StrikeHaven Fits

StrikeHaven is a US-based offensive security firm. Our testers hold OSCP, CREST, and Zero Point Security credentials. Every engagement includes a documented rules-of-engagement process, a practitioner-authored report with a debrief call, and a retest option within 90 days.

We specialize in network penetration testing, web application testing, red team operations, and compliance-driven assessments for healthcare, financial services, defense contractors, and technology organizations.

If you are ready to scope an engagement or want to discuss your requirements before committing, contact our team. If you are still in the research phase, our full service breakdown is at /services.

For more on the fundamentals of penetration testing and how to think about scope and frequency, see Why Penetration Testing Matters: A Guide for Business Leaders.