Selecting a PenTest Provider – Making a Good Decision
Author: Akimbo_Ops Published: 28 October 2022 Last Updated: 03 November 2022
Choosing a PenTesting provider can be difficult: how do you know if they’re good at what they do and whether they’ll make working together easy? Perhaps you have a provider already, but they’ve not lived up to your expectations.
Since choosing a testing provider is a critical part of your cybersecurity strategy, we’ve added a few things to consider here. We’re also available for advice and help if you’ve got questions about testing in general or how to get started with your strategy.
The first thing to consider is the skill of the testers. Whilst their operations team might be great to work with, if their technical team don’t have the skills to deliver a complete security test, there may be gaps in your coverage. Additionally, it’s no good having the best hacker in the world on your test if they can’t communicate their findings to you clearly.
Here at Akimbo Core we cover this in two ways – the first is that our testing team are highly certified. We hold certifications such as the CREST Certified Tester, as well as vendor specific certifications such as AWS Security Specialty – and even some niche ones like the AWS Machine Learning Specialty. This depth and breadth of certifications ensures that not only do we understand the technologies that you're using, but we’re intimately familiar with the security considerations too.
Secondly, we get our testers involved in the early stages of planning your assessment, so you're not guided by a friendly team and then dropped on a tester who lacks the communications skills required to get the job done. You’ll meet our operations and testing team from the very beginning, ensuring that we know what your goals are for the assessment and so you can get to know our team early.
Another consideration is company size. Going with a larger security provider could on one hand mean that you have a range of professionals in their team to help you – but it could also mean that you’re just one small project among hundreds. Bigger companies tend not to focus on one kind of service either, meaning that the service they deliver might be a little more commoditised and less tailored to your requirements.
When selecting a provider, it’s often better to go with a specialised penetration testing company, which is more likely to offer a bespoke or tailored approach to your testing needs – and a smaller team doesn’t mean you’ll get less attention; often it’s quite the opposite.
Choosing a PenTest provider by the size of their company is a bit like being weighed for your clothes. It doesn’t tell you anything about potential fit! My heart always sinks when I call a company and get put through to ‘sales’. Speaking to a sales person means targets, commission and pressure. It has very little to do with what would suit your company best. Smaller companies are often more focused and are closer to the customer and tend to care more about that organisation’s needs rather than sales targets.
It’s important to ask the right questions here. Who will my contact be? Sales or technical? Will I be able to speak to the tester directly? How long will it take to provide my testing report? How can I clarify the things I don’t understand?
At Akimbo Core we work hard to get communications right from the very start. You’ll be assigned a technical and an operations contact – so you can avoid the salesperson for all of your technical questions, but you can still get dates in the diary quickly or handle things like having to reschedule your test efficiently, by directing your questions to the right contact. Once your test is complete the tester will provide a detailed report for the vulnerabilities and their remediation, but if you want something more – perhaps a presentation to your team, or a call to discuss the findings – we will tailor our deliverables to make sure you get the most out of your testing.