If you’re thinking of hiring a Penetration Testing service, you definitely need to do your due diligence. There’s a wide range of services that penetration testing firms offer, ranging from cheap automated scans to manual expert exploit detection.
As part of your due diligence process, here are 14 questions that you should consider asking the references that your pen testing service provides.
Your goal in asking these questions is to go deeper than the “yeah, they’re great” or “no, they suck” level, and really determine whether the firm’s approach is a good fit for your project.
1) What was the scope of the penetration test that they did for you?
Before you ask anything else, understand what the test was meant to accomplish. A network intrusion pen test, a social engineering pen test, and a web application pen test are very different engagements. Make sure the reference’s experience is relevant to you.
2) What kind of system did they test (e.g., web-based, client-server, etc.)?
Once you understand the scope, seek to understand the systems. Again, make sure that they’re directionally aligned with what you want to test.
3) What was the driver for your penetration test?
It helps to know whether this was requested by executive management, or was part of good cybersecurity hygiene, or was demanded by a customer.
4) What did you have to do to prepare for the penetration test?
Typical responses include identifying a list of assets and holding a pre-test scoping call, but it’s good to know if you and your team are going to have to do a lot of heavy lifting to get ready for the penetration test.
5) Were you happy with the engineer(s) who were assigned to your project?
Were they responsive? Friendly? Easy to understand? Was there one of them, or a ton of them?
6) Did the penetration test cause any unexpected service issues (e.g., outages)?
Some issues (like triggering your monitoring systems) are good. Some issues (like taking down your production server in the middle of the day) are bad.
7) How surprised were you by the findings?
This points to the value of using a penetration testing company versus simply running some basic scans on your own.
8) Were the recommendations mostly coding updates, or did they recommend other mitigating controls (like a WAF)?
The value of a pen test is not just in the findings themselves, but also in the guidance it gives you on how to fix non-obvious issues.
9) Was the documentation of the findings clear enough that your team knew what was needed to remediate them?
The penetration testing report you get will likely be reviewed by people who won’t have the benefit of getting on a call with the pen testing engineer. This can even include clients, so the clarity of reports is critical.
10) Did your developers need to work directly with the penetration testing team after the test? How did that process go?
If the team did need to give you guidance after the test, was it clear and helpful?
11) How was the penetration test report received internally by your executive management?
It is always a good idea to get a sense of how pen test reports are received, especially if this is your first one.
12) Did you do a rescan? How did that process go?
Many penetration testing services will offer a free or discounted rescan to determine whether you have fixed the issues discovered. Typically these are time-limited (e.g., within 60/90 days of the test).
13) Did the penetration testing company help you to prioritize the results? Did you agree with their prioritization recommendations?
The answer to this will almost always be “yes”, since most pen testing companies follow the CVSS vulnerability scoring model, but it may also give rise to some interesting conversations and stories.
14) Did they provide any logs of their activities during the pen test?
A good penetration testing service will be able to give you verbose details of every single action they performed during their test.