If you're thinking of hiring a Penetration Testing service, you definitely need to do your due diligence. There's a wide range of services that penetration testing firms offer, ranging from cheap automated scans to manual expert exploit detection.
As part of your due diligence process, here are 14 questions that you should consider asking the references that your pen testing service provides.
Your goal in asking these questions is to go deeper than the "yeah, they're great" or "no, they suck" level, and really determine whether the firm's approach is a good fit for your project.
Before you ask anything else, first understand what the test was seeking to accomplish. Network intrusion pen tests, social engineering pen tests, and web application pen tests are very different engagements. Make sure the reference's experience is relevant to you.
Once you understand the scope, seek to understand the systems. Again, make sure that they're directionally aligned with what you want to test.
It helps to know whether this was requested by executive management, or was part of good cybersecurity hygiene, or was demanded by a customer.
Typical responses include identifying a list of assets and holding a pre-test scoping call, but it's good to know if you and your team are going to have to do a lot of heavy lifting to get ready for the penetration test.
Were they responsive? Friendly? Easy to understand? Was there one of them, or a ton of them?
Some issues (like triggering your monitoring systems) are good. Some issues (like taking down your production server in the middle of the day) are bad.
This points to the value of using a penetration testing company rather than simply running some automated scans on your own.
The value of a pen test is not just in finding the issues, but also in guiding you on how to fix the non-obvious ones.
The penetration testing report you get will likely be reviewed by people who won't have the benefit of getting on a call with the pen testing engineer. This can even include clients, so the clarity of reports is critical.
If the team did need to give you guidance after the test, was it clear and helpful?
It is always a good idea to get a sense of how the pen test was received internally, especially if it's your first one.
Many penetration testing services will offer a free or discounted rescan to determine whether you have fixed the issues discovered. Typically these are time-limited (e.g., within 60/90 days of the test).
The answer to this will almost always be "yes" as most pen testing companies are going to follow the CVSS vulnerability scoring model, but this may also give rise to some interesting conversations and stories.
A good penetration testing service will be able to give you verbose details of every single action they performed during their test.