By: Rob Hughes and Keith Sharp
It can be difficult to know what to look for when searching for a strategic partner to assist you with your security and risk management processes. More specifically, understanding what makes a good penetration testing company can be difficult without a pre-existing familiarity with the industry. In this blog we are going to discuss the key factors that can help identify a good penetration testing company.
A company or organisation can have many reasons for conducting a penetration
- Gaining a better understanding of the effectiveness of their security
- Ascertain risk levels of business critical systems and their related
- To meet strict compliance requirements.
There can be many reasons as to why an organisation looks to utilise a
penetration test; however, enabling better security awareness and assurance
through remediating security weaknesses are key goals all organisations should
be aspiring to.
Unfortunately, as with any industry, there are good and there are not so
good security testing organisations out there selling services. Therefore, InteliSecure
have put together an overview of the main areas that should be considered when
selecting a security testing company as a strategic partner.
The following three commonly raised questions will be our starting
point for this discussion:
- How do you find a good penetration testing company?
- What should you consider before engaging a penetration testing company?
- How can you ensure that a penetration testing provider can perform the engagement to your requirements and meet your business needs?
Therefore, in order for an organisation to be able to answer these
questions, InteliSecure have put together a high level overview of what to look
out for and how to engage with the many organisations that are providing
penetration testing services:
- Understanding what type of testing you require
- Ensuring the skill set of the third party consultants can meet your
- Understanding the company’s processes and procedures, for example whether these are documented and aligned to any standard (ISO 27001 etc.).
Let’s look a bit more closely into a few of these specific areas.
- Understand the type of testing you require.
Penetration testing, in its true form, can be performed across many
different technologies and is usually performed across either an external or
internal network infrastructure, which can include physical or virtual servers,
workstations, firewalls, network switches, routers and many IP based devices.
Once the scope of the assessment has been defined, you will have to
indicate how you want the assessment to be performed. A penetration test, in its
most basic description, is the simulation of an attacker attempting to ascertain
and then exploit weaknesses in networked computer systems. The classic
categories of attacker perspective that can be applied to a pen test are
known as black box, grey box and white box; in their basic form they are defined as follows:
- Black box: tests are performed without any knowledge of the tested environment. The objective of a black box assessment is to assess the level of security as seen by a third party connected to the internal network or the internet, without any prior knowledge of the environment.
- Grey box: tests are performed with standard access or with only limited knowledge of the tested environment. The objective of a grey box assessment is to assess the level of security as seen by a legitimate user of the customer who has an account, along with general information about the tested environment.
- White box: tests are performed with knowledge of the internal structure, design and implementation of the tested environment.
Penetration testing is an offensive methodology aimed at replicating a
typical attacker, which could be scoped to focus on multiple areas of an
organisation, including web applications. Generally, the methodology is better
applied from a black box testing perspective, which is unauthenticated and
with limited knowledge of the system. The concept is to enumerate information
or attempt to bypass or brute force authentication in order to gain an initial foothold.
Typically, a penetration test is completed under a set methodology that
resembles the basic principles of the Open Source Security Testing Methodology
Manual (OSSTMM), and is scoped to include the subnet ranges, devices or IP
addresses, and/or URLs that are to be included in the assessment.
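The agreed scope (subnet ranges, IP addresses, hostnames and URLs) is the boundary the testing team must stay inside, and a client can reasonably expect a provider to check every candidate target against it before any activity starts. The following is an added example of such a check, written for this post and not code from the original article or from InteliSecure; the scope list and target list are constructed sample values using documentation address ranges and `.test` hostnames. It deliberately performs no DNS resolution (a hostname in scope does not make its resolved address in scope unless that address is also listed), ignores ports and URL paths when matching, and treats a wildcard entry such as `*.corp.example.test` as covering subdomains only, not the apex name, which must be listed separately.

```python
"""Scope checker: confirm candidate targets fall inside an agreed scope.

Added example, not code from the original post or from InteliSecure.
Scope entries may be CIDR ranges, single IP addresses, hostnames,
wildcard hostnames (*.example.test) or URLs (only the host part counts).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample scope, as it might appear in a statement of work.
SAMPLE_SCOPE = [
    "10.10.0.0/24",                     # internal subnet range
    "192.0.2.15",                       # single host (TEST-NET-1 range)
    "https://app.example.test/login",   # URL: only the host is in scope
    "*.corp.example.test",              # wildcard: subdomains only
    "2001:db8::/32",                    # IPv6 range (documentation prefix)
]

# Constructed candidate targets a tester might be handed.
SAMPLE_TARGETS = [
    "10.10.0.77",                       # inside 10.10.0.0/24
    "10.10.1.5",                        # adjacent subnet, never agreed
    "192.0.2.15:8443",                  # listed host, port is ignored
    "https://app.example.test/admin",   # host in scope, path irrelevant
    "https://api.example.test/",        # different host, not listed
    "vpn.corp.example.test",            # wildcard match
    "corp.example.test",                # apex not covered by the wildcard
    "evilcorp.example.test",            # suffix lookalike, not a match
    "[2001:db8:1::10]:443",             # IPv6 literal inside the /32
    "2001:db9::1",                      # outside the /32
]


def _host_of(entry):
    """Return the host part of a bare host, host:port, [v6]:port or URL."""
    entry = entry.strip()
    if "://" in entry:
        host = urlsplit(entry).hostname  # drops scheme, userinfo, port, path
        return host if host else entry
    if entry.startswith("["):            # bracketed IPv6 literal, maybe with port
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:            # host:port for IPv4 or hostname
        return entry.split(":", 1)[0]
    return entry                         # bare host or unbracketed IPv6


def parse_scope(entries):
    """Split scope entries into IP networks and lowercase hostname patterns."""
    networks, hosts = [], []
    for raw in entries:
        raw = raw.strip()
        try:                             # CIDR or single IP given directly
            networks.append(ipaddress.ip_network(raw, strict=False))
            continue
        except ValueError:
            pass
        host = _host_of(raw)
        try:                             # IP hidden inside a URL or host:port
            networks.append(ipaddress.ip_network(host, strict=False))
        except ValueError:
            hosts.append(host.lower())
    return networks, hosts


def _host_matches(host, pattern):
    """Exact hostname match, or subdomain match for a '*.' pattern."""
    if pattern.startswith("*."):
        suffix = pattern[1:]             # ".corp.example.test"
        return host.endswith(suffix)     # apex itself does not end with suffix
    return host == pattern


def in_scope(target, scope):
    """True if the target's host lies in a scoped network or hostname pattern."""
    networks, hosts = scope
    host = _host_of(target).lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                   # not an IP literal: compare as hostname
        return any(_host_matches(host, p) for p in hosts)
    # 'in' returns False across IP versions, so mixed v4/v6 scopes are safe
    return any(addr in net for net in networks)


def triage(targets, scope_entries):
    """Split candidate targets into (in_scope, out_of_scope) lists."""
    scope = parse_scope(scope_entries)
    allowed, rejected = [], []
    for target in targets:
        (allowed if in_scope(target, scope) else rejected).append(target)
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_TARGETS, SAMPLE_SCOPE)
    for t in ok:
        print("IN SCOPE   ", t)
    for t in bad:
        print("OUT OF SCOPE", t)
```

Running the block prints each constructed target with its verdict; the adjacent subnet, the unlisted API host, the wildcard's apex, the lookalike suffix and the address outside the IPv6 prefix are all rejected, which is the behaviour a client should expect before a single packet is sent.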
A myriad of factors can come into play on deciding which attacker
perspective to assume for a penetration test and these ultimately depend on the
complexity, criticality and management of the systems that are going to be targeted
for attack. For example, an organisation may outsource web application
development and have limited access or perspective with respect to the detailed
hosting information or prior penetration testing assurance of the third party, and
so a black box test may be the natural or only choice to assess the solution.
Attacker perspective becomes very important with regards to certain
types of penetration testing, such as red team penetration testing exercises.
Red team penetration tests, by their nature, are almost always performed on
live systems, can include social engineering tactics against company
employees and have fewer restrictions than other types of security assessment. The
flow of red team penetration tests is typically goal based, in that a
penetration testing team have been given challenges to, for example, gain
access to a specific system, or retrieve a password for a specific type of user
within the network environment, from a specific starting point (and level of
knowledge about the environment that may map to i) a standard employee, ii) an
employee in the IT department etc). Red team exercises must be pre-planned in
agreement with IT security managers to avoid risk and preserve the integrity of
the assessment (i.e. only select employees knowing that attacks are taking
place) so genuine defensive responses can be gauged in their effectiveness
during the assessment (reviewing intrusion/security monitoring alerts) and
thereafter (log analysis etc). Therefore, to facilitate successful red team
exercises, both black box and white box perspectives may have to exist in
parallel to achieve the goals of the testing safely.
Ultimately, a good penetration testing company will always guide a client
to the right choices for the environments that are to be tested and should
consider the requirements and constraints of the targeted systems when aligning
the best choice of attacker perspective with the target(s) involved. Defence
in depth can often be more efficiently scoped and scrutinised by a penetration
testing company depending on what background information they have from the
outset. Attack perspectives can change depending on the information available,
so the above categories are not necessarily rigid, and all good penetration
testing companies will recognise and highlight any relevant issues when such
perspectives are not clear or have to change to best facilitate the proposed
The main objective of penetration testing is to ascertain to
what extent the issues and vulnerabilities discovered within a specific
environment can be exploited by an attacker, what systems can be breached
and how (i.e. whether certain vulnerabilities can be combined and therefore pose additional
or greater risks).
Penetration testing of specific types of network technology can have
its own overarching standards and methodologies, a prime example being network
applications. Focused application testing differs slightly from a true form
penetration test, as it is usually completed using multiple sets of
credentials covering multiple roles (i.e. different levels of trust/access are
assigned to the attacker perspective to align with the potential threats the
application could pose). The principles in focused application testing are
usually aligned to the Open Web Application Security Project (OWASP) and can
cover web applications, mobile applications and thick client or desktop
applications. This type of testing aligns
with “grey box”, as a minimum set of information is required to successfully
cover the test cases the application naturally presents.
Most penetration testing companies also offer a compliance and auditing
type of assessment, which can include authenticated build reviews of servers,
workstations, firewalls and other network security devices, mobile devices
etc. This type of testing isn’t essentially penetration testing per se, but
can be used alongside the typical testing in order to gain a more thorough and
comprehensive overview of risk within the environment. When these types of
services are combined in this way, the term “Health Check” is usually used to
describe the process.
Therefore, it is essential that you fully understand the type of
testing that you require, as some compliance requirements, such as PCI and
the Cyber Essentials scheme in the UK, require a combined “Health Check”
The penetration testing company will usually ask whether the penetration testing
is required to meet specific compliance requirements, either through an initial
meeting or via a scoping questionnaire; therefore it is essential that you
understand the type of testing you require before engaging with the third party.
This will allow you to gauge whether the company can provide the type of testing you
require and has the skill set required within its organisation, which leads us onto
the next area.
- Ensuring the skill sets of the penetration test consultants can meet
In addition to evaluating the penetration testing company as a whole,
you should also take a close look at the actual consultants who will perform
the engagement. A good penetration testing company will be able to instantly provide
details of their consultants’ professional backgrounds, along with any relevant
qualifications or professional certifications they may hold individually. Penetration
testing, as a specialism, has now become better known in the IT security industry,
with many organisations offering different types of certification to assess an
individual’s competence in the subject. Certifications offer a way to ensure a
baseline level of technical competence, knowledge and understanding of the
profession. However, a consultant who can study a subject and pass an exam may
not have the expertise or experience to competently complete the penetration
test to your unique requirements. Limitations of experience can exist within a
pen testing company, and so it should be expected that individuals with niche
skills may not always be available across the board. However,
good penetration testing companies will conduct training or in-house research
to push the skill sets of their consultants forward to align with advances in
technologies and/or tools, or to allow their consultants to upskill.
Within a quote or proposal for penetration testing services from the
third party (which would be derived following the scoping phase), a good
penetration testing company would include information on the consultants
likely to be involved in the assessment.
The following areas should be investigated about each consultant;
a search on LinkedIn or Google will usually return valuable results.
Most penetration testing consultants would have graduated from
university with some form of computer security or computer science degree; however, this
may not always be the case. Also, there are many industry certifications that
can be much more focused on penetration testing than a generic degree.
Some of today’s most commonly recognised certifications include
Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit
Researcher & Advanced Penetration Tester (GXPN) and Offensive Security
Certified Professional (OSCP). In the UK there are CREST certifications, Tigerscheme
and Cyber Scheme, which are aligned to the UK National Cyber Security Centre (NCSC)
CHECK program, which deals with Government, Police and other potentially
When it comes to continuous education, the SANS Institute is a private
company that also offers high quality information security and cybersecurity
training including penetration testing courses to hone ethical hacking skills,
including web application security assessments, social engineering, red team
operations, wireless penetration testing and more.
Most competent penetration testing consultants would have at least one
industry standard certification focused on a specific
area of penetration testing; therefore it is important to review the consultant’s
detailed resume to confirm this.
Experience within the penetration testing industry can be extremely
broad, with many consultants coming into the industry directly from either
university or from another profession. However, it is essential that, in a
focused penetration testing role, experience in different areas such as network
infrastructure, application and compliance auditing has been gained by the consultant
throughout their career.
Most senior level penetration testers in the industry, who are likely to
be the ones who initially scope the penetration test and then lead the
assignment, have at least five years of dedicated experience and are certified to
the senior level qualifications.
Specialist consultants would also be required to complete testing
across more advanced or lesser known types of security assessment, such as red teaming
or mobile application testing.
It is therefore vital to ensure the penetration testing company has consultants
with the right skill set available for your assignment, so it is
advisable to review any resumes or LinkedIn
profiles for the consultants potentially involved in the project
to ensure they have the relevant skills and experience.
- Understanding the company’s processes and procedures
All good companies document all of their processes and procedures, some
of which are usually available to their clients if requested. Typically, a
penetration testing company should be able to provide the following:
- Methodologies (covering the different type of testing)
- Client Engagement Process
- Data Handling and Retention Policies
- Complaints and Escalation Procedure
- Standard Operating Procedures (Covering Penetration Testing Execution)
- Quality Assurance Policies
- Information Security Policies
- Liability Insurance Certificates
This level of documentation should be mature, with policies and
procedures being adhered to within the organisation, therefore, it would be
wise to work with companies that do have their internal policies and procedure
Also, if an organisation utilises sub-contractors or works with
contractors when fulfilling a penetration test, then the procedures for
ensuring standardisation across contractors should also be documented. If a
client handles sensitive information, the data handling and retention policies
may have to align to certain requirements for such data.
Fortunately, most of the established companies working within the
industry are dedicated to providing quality assurance for their services. Some companies
go a step further and are measured in providing penetration testing services to
a set standard, through being aligned to organisations such as CREST (The
Council of Registered Ethical Security Testers) in the UK and globally, which
has effective and comprehensive testing standards and methodologies in place. This
standard could be considered similar to an organisation that has adopted the
ISO 27001 standard, but is more closely focused on the type of security services
a company can offer, be it penetration testing, incident response etc.
In order to achieve company status to the CREST standard, all policies,
methodologies and processes are individually evaluated and have to conform to a
rigorous standard. These companies must also employ consultants who are
security cleared to at least UK SC level and have been assessed and accredited
to the highest standards of security testing. They can be trusted to
ethically replicate the threat actors and provide pragmatic advice and
direction on how to protect yourself against the constantly evolving threat
Conclusion
In conclusion, when selecting a partner to provide penetration testing services, researching
the company is a vital step in ensuring they are competent and experienced to
provide you with the information security assurance you are hoping to achieve.