Not all penetration tests are equal. I have seen organizations pay significant sums for what amounted to an automated scan with a logo on the cover page. I have also seen inexpensive engagements deliver exceptional value because the tester understood the environment and focused on what mattered. After eighteen years on the delivery side of security testing, I have written this honest guide to help you get real value from your investment.
Questions to Ask Vendors
- What methodology do you follow? - A credible vendor should reference frameworks like OWASP Testing Guide, PTES, or OSSTMM. Ask them to walk you through a typical engagement. Listen for evidence of manual testing, not just automated scanning.
- Who will actually perform the testing? - Many firms sell engagements with senior consultants and then assign junior staff. Ask for names and qualifications. Certifications like OSCP, OSCE, or OSCE3 indicate hands-on competence, but also ask about relevant project history.
- What is included in the report? - A good report includes an executive summary, detailed technical findings with evidence, risk ratings with context, and remediation guidance. Ask for a redacted sample. Report quality often reveals testing quality.
- Do you provide remediation support? - Finding vulnerabilities is only half the value. Good testers help your team understand findings and perform retesting to confirm issues are resolved.
- What is your approach to scope creep? - How does the vendor handle findings that are technically out of scope but represent significant risk? A good vendor flags these and discusses options rather than ignoring them.
Red Flags
- Extremely low prices - A thorough penetration test requires significant skilled labor. If a quote seems too cheap, it probably involves mostly automated scanning with minimal manual analysis. I have reviewed reports from budget providers that were essentially Nessus output reformatted with a different header. That is not a penetration test.
- No questions about your environment - A vendor who quotes without understanding your environment, technology stack, number of applications, network complexity, and business context cannot possibly deliver a meaningful assessment. If they do not ask questions, they are selling a commodity, not a service.
- One-size-fits-all proposals - Every environment is different. A proposal that looks identical regardless of client suggests the vendor is not tailoring their approach. The testing plan for a cloud-native microservices application should look very different from a traditional on-premises Windows environment.
- Unwilling to provide sample reports - If a vendor will not show you a redacted sample of their work product, that is a significant warning sign. You are buying their findings and analysis; you should know what that looks like before committing.
- No named testers or team information - Transparency about who performs the work is fundamental. If a vendor cannot tell you who will be testing, they may be subcontracting to unknown parties or assigning whoever is available regardless of expertise.
What Good Looks Like
- Clear scoping discussion - The vendor asks detailed questions about your environment, objectives, constraints, and concerns. They help you define a scope that addresses your actual risk rather than simply testing everything they can.
- Named, qualified testers - You know who will perform the work, you can review their credentials, and you have confidence in their expertise. The tester assigned should have relevant experience for your technology stack.
- Transparent methodology - The vendor can articulate exactly how they will approach the engagement, what tools and techniques they will use, and how they balance automated and manual testing. They explain their process without hiding behind jargon.
- Executive and technical reports - Dual-audience reporting ensures both leadership and technical teams get actionable information. Executive summaries should communicate business risk, not just list vulnerabilities.
- Remediation guidance and retesting - The engagement does not end with the report. Good vendors support remediation by explaining findings to development teams, suggesting specific fixes, and verifying that fixes work through retesting.
Understanding Pricing
Penetration testing pricing varies significantly, and the cheapest option is rarely the best value. Pricing should reflect scope complexity, tester experience, testing depth, and deliverable quality. When comparing quotes, make sure you are comparing equivalent scope and depth, not just the bottom-line number.
Getting the Most from Your Investment
The value of a penetration test extends beyond the report. Schedule a findings walkthrough where the tester explains vulnerabilities to your development team. Prioritize remediation based on actual risk, not just severity ratings. Track remediation progress and schedule retesting. Use findings to improve development practices and security architecture, not just patch individual issues. The organizations that get the most value treat security testing as a learning opportunity, not a compliance checkbox. The best testers help you understand not just what is broken, but why it broke and how to prevent similar issues in the future.