Red Flags When Hiring a Pentest Provider (and What to Look for Instead)
Not all penetration testing firms are equal. Here are the red flags that signal a provider is selling compliance theater — and what a real pentest partner looks like.
The red flags that separate real pentest firms from compliance theater
The penetration testing market is flooded.
There are hundreds of firms selling "comprehensive penetration testing" — and a significant number of them are running automated scanners, slapping a logo on the PDF, and charging you $15,000 for what amounts to a Nessus report.
The problem isn't that these firms are dishonest. It's that they've successfully convinced the market that this is what a pentest looks like. You get a thick report, a clean-ish bill of health, and the false confidence to tell your board and your auditors that you've been tested.
Then a real attacker shows up.
Here are the most common red flags when evaluating a penetration testing provider — and what you should look for instead.
Red flag #1: They quote you a price without scoping calls
A serious penetration testing firm cannot give you an accurate price before understanding your environment.
How many applications? How complex is the authentication? Is it a single-tenant SaaS or multi-tenant? Are there APIs? Integrations? What's the testing window?
When a vendor quotes you a flat fee in the first email — "$4,500 for a web app pentest, all-in" — that's a signal they're selling a commodity service. Real testing is scoped, not packaged.
What to look for instead: A provider who insists on a scoping call before pricing. They should ask questions that make you think. "What's your authentication model?" "Do you have separate staging and production environments?" "What's your tech stack?" A good scoper is already thinking like an attacker.
Red flag #2: Turnaround is suspiciously fast
Manual penetration testing takes time. A thorough web application test of a mid-complexity SaaS product is typically three to five days of active testing, followed by one to two days of reporting. A comprehensive network assessment or cloud review often runs longer.
If a firm is promising a full report in 48 hours for a complex engagement, they're not doing manual testing. They're running a scanner, reviewing the output, and sending you a formatted dump.
Speed is a selling point for automated tools. It's a warning sign for manual human testing.
What to look for instead: Realistic timelines that match the scope. Ask them to walk you through their typical engagement cadence — discovery, active testing, reporting, debrief. A firm doing real work can describe exactly what happens during those days.
Red flag #3: The sample report is scanner output in a branded PDF
Ask every provider for a sample report before signing anything. This single request will tell you more than any sales call.
A bad report looks like this: 50–100 pages of findings listed by CVSS score, populated by a scanner, with generic remediation advice copied from a vulnerability database. There's no narrative. No exploitation chain. No evidence that a human ever tried to use these findings to actually get in.
A good report tells a story. Each finding explains what the tester did, what they found, how they proved it mattered (proof-of-concept code, screenshots, demonstrated impact), what an attacker could realistically do with it, and a specific, actionable remediation for your exact environment.
The executive summary should be a decision-making document — not a page count.
What to look for instead: Reports where findings have clear business context. "This SQL injection in your checkout flow could expose customer payment data and PII for all 40,000 users" is useful. "SQL Injection – CVSS 9.8 – Apply input validation" is not.
Red flag #4: They can't tell you who will actually test you
Some larger firms sell with senior talent and staff engagements with junior analysts. This is common, not always wrong — but it becomes a problem when the person who shows up has six months of experience and no relevant domain knowledge.
If you ask "who will be on our engagement?" and the answer is vague ("a team of certified professionals"), push harder. You have the right to know the credentials, relevant experience, and seniority of the people who will be probing your production environment.
What to look for instead: A named tester, or at minimum a clear description of the team structure, certifications, and the years of experience the lead tester brings. Firms that are proud of their talent will tell you. Firms that aren't will redirect.
Red flag #5: They lead with certifications, not findings
Certifications matter as a baseline signal — OSCP, BSCP, PNPT, GPEN are all reasonable indicators. But a firm that leads its pitch with a certification count is emphasizing inputs, not outputs.
What you actually care about is: have they found real vulnerabilities in real systems? Can they show you what that work looks like? Do they understand your industry, your stack, your threat model?
A wall of certs with no interesting war stories, no case study substance, and no curiosity about your environment is a flag.
What to look for instead: Firms that lead with findings, not credentials. "In a recent fintech engagement, we found a broken object-level authorization flaw that allowed any authenticated user to read another user's transaction history." That tells you something. "Our team holds 47 certifications" tells you almost nothing.
Red flag #6: No debrief or post-engagement support
The report is not the end of the engagement. Or it shouldn't be.
Real vulnerabilities require real remediation. And remediation requires context — context that doesn't always survive the trip from the testing team's working notes to the final PDF. If a firm delivers a report and goes dark, you're left with engineering teams trying to interpret security findings they may not fully understand.
A serious provider includes a debrief call: walking your team through the findings, answering questions, explaining the severity and exploitability in plain language, and helping prioritize what needs to get fixed first.
Some firms also offer a retest — verifying that the vulnerabilities they found have actually been remediated. That's not standard everywhere, but it's a sign of a firm that cares about actual security outcomes, not just deliverable completion.
What to look for instead: A defined post-engagement process. Ask specifically: "What happens after we receive the report?" and "Do you offer retests?" The answers reveal whether they're selling a document or a security outcome.
Red flag #7: Their scope is vague or unusually narrow
Legitimate testing requires a defined scope. But there's a difference between a scope that's carefully bounded to protect production systems — and a scope that's been deliberately narrowed to make the test easier to pass.
Watch for scopes that exclude the most sensitive parts of your environment, that leave out authenticated testing entirely, or that only cover unauthenticated, surface-level endpoints. Watch for firms that don't push back when you tell them you'd prefer they skip certain areas.
A good tester wants to probe your actual risk. They may accept constraints for practical reasons — time, production risk, out-of-scope third-party services — but they'll tell you what those constraints mean for your results.
What to look for instead: A scoping conversation that surfaces tradeoffs. "If we skip authenticated testing, here's what we won't be able to assess." "Excluding your API layer means we can't test X." Transparency about scope limitations is a sign of integrity.
Red flag #8: The price is dramatically below market
The penetration testing market has a floor. A legitimate manual web application assessment, done by experienced testers, priced competitively, runs in the range of $8,000–$20,000+ depending on complexity. A comprehensive network and infrastructure test, more.
If you're seeing quotes well below that — $2,000 for a "full web application pentest" — something is being compromised. Either the testing is automated, the testers are inexperienced, the scope has been stripped to almost nothing, or some combination of all three.
This is not snobbery about price. It's math. Real manual testing has a real labor cost.
What to look for instead: Transparent pricing that correlates with scope and effort. If a quote is low, ask exactly what's being included — and what isn't. A cheap pentest that gives you false confidence is more dangerous than no pentest at all.
What a good pentest provider actually looks like
To summarize the other side of each flag: a strong penetration testing partner scopes before pricing, moves at the pace of real manual work, produces reports that tell stories and demonstrate impact, brings named and credentialed testers to your engagement, leads with findings and threat context, supports you through remediation, and is honest about what their scope does and doesn't cover.
They also ask good questions before the work begins. Curiosity about your environment is a proxy for curiosity during testing.
The checklist is simple: ask for a sample report, ask for a scoping call, ask who specifically will test you, and ask what happens after the PDF arrives. Four questions will cut most bad providers from your shortlist before you've spent a dollar.
Candela provides manual penetration testing for software companies and security-conscious teams. If you're evaluating providers and want a no-pressure conversation about what good looks like, get in touch.