HOW TO CHOOSE A PENETRATION TESTER OR PENETRATION TESTING COMPANY?

How do you choose penetration tester or penetration testing company? Is it by his/her certification or by his/her experience? 

We bet you'll choose both. But how do we differentiate a good pentester and a bad pentester? We would like to discuss this and do leave us a comment below. Experience is needed in any industry especially in IT security field. Nowadays, a lot of platforms are given to the hackers to test their ability in a safe environment and helps an organization to secure their organization. These hackers can make millions of dollars even without any certificate at their hands!" link..." 

Certificates are indeed important. They're the standard and a quality control method in selecting your IT security consultant vendor. "link" But to get the best service, there is much more to look at beyond that fancy certificates, marketing, ads etc as a famous quote saying: "don't judge a book by its cover"

Here are our steps to help you to get the best out of the penetration testing service: 

1. Get to know your pentester 
You don't know how good they are until you meet them personally. Client should do some research and prepare a set of both technical and soft skills related pre-questionnaires relevant to your project prior to meeting the penetration tester. The important key here is to check the balance between the technical skill and soft skill of the penetration tester. You'll know later why both are important. You surely don't want your future vendor to just beat around the bush and left you thinking you've chosen the best IT security service provider. 

2. Understand your own scope
Sometimes defining a scope can be mission critical before starting penetration testing assessment. Most of the clients do not know what they truly need and just make an assumption based on their budget. Consult your pentester on this. If he can give a good suggestion to help you formulate your scope, there is a chance that you're dealing with the right person. Good and genuine pentester will recommend things you need, a salesperson will recommend things they want you to have. 

3. How much do pentester charge? 
An expensive service is not necessarily the best and a cheap service does not guarantee you'll get a quality service. One thing one must know is that good and quality penetration testing service requires time and time spent is equivalent to cost spent. A dark hacker took weeks or even months to hack a good system, so realistically don't expect a pentester to find the same vulnerabilities within just one or two days! If they promise such thing, you'll probably ended up getting just a automated scan instead of a thorough and detail penetration testing. Every pentester has their own rates. Let them calculate the cost for you and ask you can ask them to justify their pricing. A standard rate may be applied using man-days. 

4. You know the cost, but how do you define the quality of penetration service? 
Money alone does not solve everthing. If you spend too much, it doesn't necessarily guarantee you a good quality service, and likewise. Keep in mind, quality is subjective. The most important thing is that your objective is achieved. It is a good idea to ask your pentester to explain what level of quality that they can deliver to your organization. One of the best ways to know how good is your pentester is to ask them to give a demo or Proof of Concept (P.O.C) then you'll know how authentic their skill/experience is aside from their fancy certificates. 

5. Communication is vital
Once you've confirmed that your pentester skill set is acceptable and authentic, the next thing is to know if he/she can effectively communicate his/her findings during penetration testing to your organization.Here is when soft skills come to play. A good pentester can explicitly communicate technical findings during findings presentation in a language that is understandable to their client and thus ultimately come out with an effective solution to remediate vulnerabilities and develop a good action plan for their client. 

6. Report is mission critical 
Last, the penetration testing report. Don't get too excited if the pentester can deliver the report to you in a short period of time. Sometimes, pentester need to allocate longer timeline to complete the assessment so they can provide a better insight of their findings and also come up with a better solution. So the important key is constant communication during penetration testing project. 

That's all folks, we hope this brief guide can help you choose your IT security vendor, happy pentesting!