10 Questions to Ask Before Hiring a Penetration Testing Firm
Before you sign a pentest contract, ask these 10 questions. They separate serious security firms from automated-scan shops dressed up as manual testers.
Questions to ask any penetration testing company — before you buy
Most companies spend more time choosing a coffee machine than vetting a penetration testing firm.
That's a problem, because the wrong firm doesn't just waste your budget — it gives you false confidence. You get a thick PDF, a clean bill of health, and a real attacker walks straight through six months later.
Knowing the right questions to ask a penetration testing company before you hire them is the difference between a security investment and a compliance checkbox. Before you sign anything, work through these 10 questions. The answers will tell you everything you need to know.
1. Do your testers test manually, or mostly run automated tools?
This is the most important question on the list.
A lot of firms run an automated vulnerability scanner — Nessus, Qualys, OpenVAS — generate a report, and hand it to you. That's not a penetration test. That's a vulnerability scan with a markup.
A real pentest involves a human attacker chaining vulnerabilities together, testing business logic, and looking for flaws that no automated tool would ever catch. Things like: broken access controls that only appear under a specific user role, custom authentication bypasses, or the combination of three "medium" findings that together unlock admin access.
Ask for specifics. "What percentage of the engagement is manual testing?" If they can't answer clearly, or they talk vaguely about "a combination of automated and manual methods," push harder. Good firms are proud of their manual work.
2. What certifications do your testers hold?
Certifications aren't everything. An OSCP holder with three years of real-world testing is worth more than a wall of certs from someone who has never been near a live engagement.
But certifications do tell you something. They show a tester took the time to prove their skills under pressure, not just pass a multiple-choice exam. Certs to look for:
- OSCP (OffSec Certified Professional) — highly respected, requires hands-on exploitation
- PNPT (Practical Network Penetration Tester) — newer but rigorous, practical exam
- BSCP (Burp Suite Certified Practitioner) — strong signal for web app testers
- GPEN / GWAPT — GIAC certifications tied to SANS training, solid for network and web app testing respectively
- CRTO (Certified Red Team Operator) — relevant for more advanced red team work
CEH (Certified Ethical Hacker) is the least meaningful on this list. The standard exam is multiple-choice, it is widely criticized, and it is treated as a minimum bar at best.
Ask who will actually be on your engagement. Some firms sell with senior staff and deliver with juniors. You want to know the team before you sign.
3. Have you tested systems like ours before?
A web app pentest for a fintech startup is very different from a cloud infrastructure assessment for a healthcare provider. The attack surfaces, the compliance requirements, the most likely threat actors — all different.
Ask about relevant experience. If you're running AWS-heavy infrastructure, ask how many cloud pentests they've done and whether they've worked with your specific stack. If you're in healthcare, ask about HIPAA experience. If you're a payments company, ask about PCI DSS scoping.
You don't need the firm that has done everything. You need the firm that has done your thing — and done it enough times to know where the bodies are usually buried.
References matter here too. Ask for two or three clients in a similar industry or tech stack who you can speak to.
4. Can I see a sample report?
This one separates real firms from noise almost immediately.
A good pentest report has two layers: a technical section for your engineering team (with exact vulnerability details, reproduction steps, proof-of-concept evidence), and an executive summary for your board or senior leadership (plain-language risk ratings, business impact, what needs fixing first).
What a bad report looks like: 80 pages of scanner output with CVSS scores, minimal context, no clear prioritization, and remediation advice like "apply vendor patches."
What a good report looks like: each finding tells a story — what it is, how it was found, what an attacker could do with it, and specifically how to fix it. The executive summary is a decision-making document, not an afterthought.
Ask for a sample (redacted is fine). If they hesitate or say they can't share any samples, that's a flag.
5. What's your scoping process?
Scoping is where most engagements succeed or fail before they even start.
A thorough scoping process protects both sides. It defines what's in scope (which domains, IPs, applications, APIs, environments), what's explicitly out of scope, the testing window, which user roles and test accounts the testers will be given, and any systems that are too critical to touch during production hours.
Bad scoping leads to: overly broad engagements that run out of time before covering everything important, or overly narrow scopes that leave your most vulnerable systems untouched.
Ask how they approach scoping. Do they send you a questionnaire and call it a day, or do they get on a call with your team to understand your architecture? Do they flag when a proposed scope seems insufficient for your risk profile?
A firm that pushes back on a scope they think is too small is a firm you want working for you.
6. What happens if something breaks during the test?
It doesn't happen often, but it happens. A test against a production environment can occasionally cause unexpected outages, data corruption, or service disruption — especially during aggressive testing.
Ask how they handle it. Specifically:
- Do they have a point of contact available during testing hours to pause or stop an engagement instantly?
- What's the escalation procedure if something goes wrong?
- Do they carry cyber liability insurance that covers damages to clients?
- Will they test production, staging, or both — and what's their approach to each?
Any firm that's been doing this long enough has a war story. That's not disqualifying. What's disqualifying is not having a clear answer about what happens when things go sideways.
7. How do you handle our data during the engagement?
During a pentest, the testing firm will have access to your systems, potentially including sensitive data, credentials, customer records, or proprietary code.
Ask how they handle what they find. Specifically:
- Where are testing notes and captured data stored? (Client-dedicated environments, not shared)
- Are communications and deliverables encrypted? (Credentials, findings, and the report itself should not travel as plain email attachments)
- What's the data retention and destruction policy after the engagement ends?
- Do they have their own security certifications — ISO 27001, SOC 2 — that govern how they operate internally?
A firm that sells security but has no demonstrable controls over their own environment is a problem. You're handing them the keys to your house. Make sure they treat them accordingly.
8. Do you include retesting in the engagement?
Finding vulnerabilities is only half the job.
Once your team remediates the findings, you want to know the fixes actually work. A retest — where the firm goes back and verifies each remediation — closes the loop and gives you documented evidence that vulnerabilities have been addressed.
Some firms include retesting in the base price. Others charge separately. A few don't offer it at all.
Ask upfront. And if it's a paid add-on, ask what the process looks like. You want written confirmation that critical and high findings have been verified as fixed — not just your team's word that they patched something.
This is particularly important for compliance purposes. SOC 2 auditors and enterprise procurement teams increasingly ask for evidence of remediation, not just evidence of testing.
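One way to turn retest results into the kind of evidence an auditor can accept is to reconcile the original findings against the retest record and list every critical or high finding that still lacks a signed-off "fixed" status. The script below is an added example, not code from the original article or from any testing firm; the finding records, retest records, dates and field names (`id`, `severity`, `retest_status`, `verified_by`, `verified_on`) are constructed sample data and assumptions about how such a report might be structured.

```python
"""Reconcile a pentest's original findings against the retest results.

Added example, not from the original article. The finding and retest
records below are constructed sample data; the field names are an
assumed report structure, not any firm's actual format.
"""
from dataclasses import dataclass

# Severities that must carry written retest confirmation before the
# engagement can be closed out (the article: critical and high).
MUST_VERIFY = {"critical", "high"}


@dataclass
class Finding:
    id: str
    title: str
    severity: str  # "critical" | "high" | "medium" | "low"


@dataclass
class RetestResult:
    finding_id: str
    status: str        # "fixed" | "partially_fixed" | "not_fixed"
    verified_by: str   # tester who re-ran the proof of concept; "" if nobody signed off
    verified_on: str   # ISO date of the retest; "" if missing
    evidence: str = "" # reference to the re-run PoC, screenshot, or request log


def reconcile(findings, retests):
    """Return (closed, open) where open is a list of (finding, reason).

    A finding is closed only when the retest marks it "fixed" AND a named
    tester signed off on a date. A "fixed" with no signature is not
    evidence; a finding missing from the retest altogether is reported as
    "not_retested" rather than silently dropped.
    """
    by_id = {r.finding_id: r for r in retests}
    closed, open_ = [], []
    for f in findings:
        r = by_id.get(f.id)
        if r is None:
            open_.append((f, "not_retested"))
        elif r.status == "fixed" and r.verified_by and r.verified_on:
            closed.append(f)
        elif r.status == "fixed":
            open_.append((f, "fixed_unsigned"))
        else:
            open_.append((f, r.status))
    return closed, open_


def blocking_items(findings, retests):
    """Critical/high findings with no verified remediation evidence.

    Anything returned here is what an auditor or procurement reviewer
    will ask about; an empty list means the loop is closed.
    """
    _, open_ = reconcile(findings, retests)
    return [(f.id, reason) for f, reason in open_ if f.severity in MUST_VERIFY]


# Constructed sample data (not real findings).
FINDINGS = [
    Finding("F-01", "Unauthenticated remote code execution in export job", "critical"),
    Finding("F-02", "Broken access control on invoice lookup", "high"),
    Finding("F-03", "No rate limiting on login", "medium"),
    Finding("F-04", "Verbose stack traces in error pages", "low"),
    Finding("F-05", "Stored cross-site scripting in profile field", "high"),
]

RETESTS = [
    RetestResult("F-01", "fixed", "A. Tester", "2024-06-03", "PoC re-run, now returns 403"),
    RetestResult("F-02", "fixed", "", "", ""),                     # marked fixed, nobody signed off
    RetestResult("F-03", "fixed", "A. Tester", "2024-06-03", "burst of 50 logins throttled"),
    RetestResult("F-04", "not_fixed", "A. Tester", "2024-06-03", "trace still visible"),
    # F-05 was never retested
]

if __name__ == "__main__":
    closed, open_ = reconcile(FINDINGS, RETESTS)
    print("closed:", [f.id for f in closed])
    print("open:", [(f.id, why) for f, why in open_])
    print("blocking:", blocking_items(FINDINGS, RETESTS))
```

The two cases worth noticing are F-02 and F-05: a retest line that says "fixed" with nobody's name on it, and a high finding the retest never touched. Both stay open, which is the point of asking for written verification rather than taking anyone's word for it.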
9. How will you communicate during the engagement?
A pentest shouldn't be a black box.
The best firms provide updates throughout the engagement — typically a daily or mid-point check-in for longer engagements, plus real-time escalation if they find a critical vulnerability.
Why does this matter? If a tester finds a critical RCE (Remote Code Execution) vulnerability on day two of a five-day engagement, you want to know immediately — not at the debrief a week later.
Ask: Do you notify us immediately if you find something critical? How often do we get status updates? Is there a debrief call at the end of the engagement, and who attends?
The debrief is particularly undervalued. A one-hour call with the actual testers — not a sales rep — where you can ask questions about every finding is often more valuable than the report itself.
10. What does success look like to you?
This is the question most buyers don't think to ask, and it's revealing.
A firm that answers "success means delivering a comprehensive report on time" is technically correct but tells you nothing. A firm that says "success means your team understands every finding, has a clear remediation roadmap, and is measurably more secure afterward" is thinking about the right things.
You're not buying a document. You're buying a process that results in a more secure organization. The best firms understand that. They stay engaged after delivery, answer follow-up questions from your engineers, and treat the end of the engagement as the beginning of the remediation work — not the end of the relationship.
If they seem like they're sprinting for the exit the moment they hand over the report, that tells you something.
A quick note on price
Cheap pentests are almost always a false economy.
A pentest priced significantly under market rate ($5,000-$8,000 for a web app, for instance) is almost certainly cutting corners somewhere — on tester experience, on manual testing time, or on report quality. You get what you pay for, and in security, what you pay for matters.
That said, expensive doesn't automatically mean good. Use these questions to evaluate quality independent of price. Price should be one factor in your decision, not the primary one.
How to use these questions in practice
Don't send them as a form. Schedule a 30-minute call with each firm you're evaluating and ask them conversationally. The goal isn't to catch them out — it's to understand how they think.
Pay attention to how quickly they answer. Firms that do this work every day have instant, specific answers to questions about methodology, data handling, and reporting. Firms that are winging it will stall, hedge, or give you generic marketing language.
If you're evaluating multiple providers, use the same questions with each one so you can compare directly. A simple scoring matrix — 1 to 5 on each dimension — will surface the right choice quickly.
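A scoring matrix is more useful if it also records the knockouts, so that a firm which scores well on nine questions cannot paper over a disqualifying answer on the tenth. The script below is an added example, not part of the original article; the weights and knockout rules are assumptions that encode the article's own emphasis (manual testing is "the most important question", no clear answer on incident handling is "disqualifying", refusing to share a sample report is "a flag"), and the three vendors are constructed sample scores.

```python
"""Weighted 1-to-5 scoring matrix for comparing pentest firms.

Added example, not from the original article. Weights, knockout rules
and the vendor scores are assumptions / constructed sample data; adjust
the weights to your own priorities.
"""

# The ten questions from the article, as matrix dimensions.
QUESTIONS = [
    "manual_testing", "certifications", "relevant_experience", "sample_report",
    "scoping", "incident_handling", "data_handling", "retesting",
    "communication", "success_criteria",
]

# Assumption: every dimension counts once, except the ones the article
# singles out, which count more.
WEIGHTS = {q: 1.0 for q in QUESTIONS}
WEIGHTS["manual_testing"] = 3.0   # "the most important question on the list"
WEIGHTS["sample_report"] = 2.0
WEIGHTS["scoping"] = 2.0

# Assumption: a score of 1 on these disqualifies the firm regardless of total.
KNOCKOUTS = {"manual_testing", "incident_handling", "sample_report"}


def validate(scores):
    """Every question must be answered with an integer from 1 to 5."""
    missing = [q for q in QUESTIONS if q not in scores]
    if missing:
        raise ValueError(f"unscored questions: {missing}")
    bad = {q: v for q, v in scores.items() if not (isinstance(v, int) and 1 <= v <= 5)}
    if bad:
        raise ValueError(f"scores must be integers 1..5: {bad}")


def weighted_score(scores):
    """Weighted mean on the same 1-to-5 scale as the raw scores."""
    total_weight = sum(WEIGHTS.values())
    return sum(WEIGHTS[q] * scores[q] for q in QUESTIONS) / total_weight


def knocked_out(scores):
    """Knockout dimensions on which the firm scored the minimum."""
    return sorted(q for q in KNOCKOUTS if scores[q] <= 1)


def rank_vendors(matrix):
    """matrix: {vendor_name: {question: 1..5}}.

    Returns [(vendor, rounded_score, knockouts)], best first. Any vendor
    with a knockout sorts below every vendor without one, however high
    its weighted score.
    """
    rows = []
    for vendor, scores in matrix.items():
        validate(scores)
        rows.append((vendor, round(weighted_score(scores), 2), knocked_out(scores)))
    rows.sort(key=lambda r: (bool(r[2]), -r[1], r[0]))
    return rows


# Constructed sample scores for three hypothetical firms.
SAMPLE_MATRIX = {
    # Strong manual shop, slightly weaker on communication.
    "Vendor A": {**{q: 4 for q in QUESTIONS},
                 "manual_testing": 5, "sample_report": 5, "communication": 3},
    # Polished on paper, but admits the work is almost entirely automated.
    "Vendor B": {**{q: 5 for q in QUESTIONS}, "manual_testing": 1},
    # Middle of the road on everything.
    "Vendor C": {q: 3 for q in QUESTIONS},
}

if __name__ == "__main__":
    for vendor, score, kos in rank_vendors(SAMPLE_MATRIX):
        flag = f"  KNOCKED OUT on {', '.join(kos)}" if kos else ""
        print(f"{vendor}: {score}{flag}")
```

Vendor B has the second-highest weighted score, but it sinks to the bottom because of the knockout on manual testing; that is the behaviour you want from the matrix, since a high total should never rescue a firm that failed the one question that matters most.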
For a broader framework on choosing the right security partner, see our guide to choosing a penetration testing company — it covers the full evaluation process from initial shortlisting to contract negotiation.
Evaluating pentest providers and not sure where to start? Book a free consultation with our team and we'll walk you through what a quality engagement looks like — and what questions matter most for your specific stack.
Frequently Asked Questions
How many questions should I ask a penetration testing firm before hiring them?
Focus on depth over breadth. Cover the 10 key areas — manual vs. automated testing, certifications, relevant experience, sample reports, scoping process, incident handling, data security, retesting, communication, and success criteria. Listen carefully to how the firm answers, not just what they say.
What certifications should penetration testers have?
OSCP and PNPT are the most credible for general penetration testing. BSCP is strong for web application specialists. GPEN and GWAPT are solid across network and web testing. Prioritize firms where testers hold at least one practical, hands-on certification — not just CEH.
Should I ask for references from a pentest firm?
Yes, always. Ask for two or three clients in a similar industry or with a similar tech stack. A 15-minute reference call will tell you more about the firm's reliability, communication quality, and report value than anything on their website.
What should a pentest report include?
A strong report includes an executive summary with business risk context, detailed technical findings with proof-of-concept evidence, severity ratings, clear step-by-step remediation guidance, and a prioritized remediation roadmap. If the report reads like raw scanner output, that's a red flag.
Is retesting always included in a pentest engagement?
No — it varies by firm and pricing model. Always ask upfront whether retesting is included and, if not, what the cost is. For compliance-driven engagements like SOC 2, ISO 27001, or PCI DSS, retesting documentation is increasingly expected by auditors.