Penetration testers hold your security posture in their hands—hiring an unqualified one could leave you with a false sense of safety or worse, a liability. Vetting credentials and references thoroughly before signing a contract separates a genuinely valuable assessment from a checkbox exercise. Here's how to verify you're working with a professional who actually knows what they're doing.
Understand the Key Certifications
The penetration testing industry has several recognized credentials that signal competence and ongoing commitment to the field.
OSCP (Offensive Security Certified Professional) remains the gold standard. It's a hands-on exam that requires proof of real hacking skills—not just multiple-choice knowledge. Candidates spend weeks or months in a lab environment before attempting the 24-hour practical exam. If someone claims OSCP, ask when they earned it and check the Offensive Security registry directly.
GPEN (GIAC Penetration Tester) and CEH (Certified Ethical Hacker) are also common. GPEN requires real penetration testing experience and is well-regarded in enterprise environments. CEH is more accessible and faster to obtain, so don't weight it equally with OSCP or GPEN.
GWAPT (GIAC Web Application Penetration Tester) signals specialization in web app security, useful if that's your primary concern.
Red flags: anyone claiming multiple premium certifications (OSCP, GPEN, CEH, GWAPT) earned within 12 months likely bought training materials rather than learned through practice.
Check References Against Real Projects
Generic reference letters mean nothing. You need specifics about the work they performed.
Call past clients directly and ask:
- What type of testing did they perform? (external network, internal, web app, API, wireless?)
- How thorough was the assessment? Did they find vulnerabilities your team had missed?
- How clear was the final report? Could your non-security staff understand the findings and remediation steps?
- Did they provide remediation guidance or just identify issues?
- What was the turnaround time, and did they meet deadlines?
Ask for at least three references from similar-sized organizations in your industry. A penetration test for a 50-person startup looks different from one for a 5,000-person enterprise. Relevant experience matters.
Verify the reference is legitimate—don't just call a number they provide. Look up the company's main phone line, ask for the contact person independently, and confirm they actually worked with the penetration testing firm.
Review Their Published Work and Community Presence
Legitimate penetration testers contribute to the industry through blogs, conference talks, tool development, or GitHub repositories.
Search for:
- Blog posts or articles on their methodology, tools, or lessons learned from assessments (without breaching client confidentiality)
- Conference presentations at events like DEF CON, Black Hat, or regional security conferences
- Open-source contributions to tools like Metasploit, Burp Suite extensions, or custom security scripts
- Social media engagement in security communities—active participation in discussions, sharing vulnerability research, or contributing to forums
This doesn't guarantee competence, but it shows they stay current and are willing to invest in the community beyond billable hours.
Ask Specific Technical Questions
During an initial conversation, pose a scenario relevant to your environment:
"We run a hybrid cloud setup with AWS, some on-prem servers, and Okta for SSO. How would you approach testing our attack surface?"
Listen for:
- Specific mention of tools they'd use (Nmap, Burp Suite, AWS-specific reconnaissance techniques)
- Discussion of scope-setting and rules of engagement
- Awareness of your industry's compliance requirements (PCI-DSS, HIPAA, SOC 2)
- Questions back to you about your architecture, not a canned answer
A vague response or generic "we'll run a full assessment" suggests limited depth.
Verify Insurance and Compliance Credentials
Ask for proof of:
- Professional liability insurance (typically $1–2M coverage minimum)
- E&O insurance covering errors and omissions
- Compliance with industry standards—do they follow NIST guidelines, PTES (Penetration Testing Execution Standard), or OWASP Testing Guide?
Legitimate firms carry insurance because they know things go wrong sometimes. If they brush this off, walk away.
Compare on Mercoly
Mercoly makes it easier to vet multiple penetration testing firms side-by-side, comparing credentials, pricing (typically $3,000–$25,000+ depending on scope), and verified client reviews in one place.
Frequently Asked Questions
Q: How long should a penetration test take, and what's a realistic timeline? A: Scope varies wildly, but external network assessments typically run 1–2 weeks, while comprehensive internal and web app testing can take 3–4 weeks; expect 1–2 weeks for the final report after testing concludes.
Q: What should a good penetration test report include? A: It should contain an executive summary, detailed findings with CVSS scores and risk ratings, proof-of-concept steps for each vulnerability, remediation recommendations prioritized by risk, and a methodology section explaining what was tested and what was out of scope.
Q: Can I hire a junior penetration tester to save costs? A: Junior testers are fine for initial scanning and straightforward vulnerability identification, but you lose depth in complex attack chain discovery and business-context risk analysis; budget for at least one senior resource leading the engagement.
Start vetting your next penetration testing vendor today—your security posture depends on it.