A bad cybersecurity vendor can expose your business to worse threats than no vendor at all. Before you sign a contract, you need to know whether the provider actually delivers—or just sells promises. Here's how to separate the legitimate operators from the ones cutting corners.
Check Independent Security Certifications
The most credible cybersecurity firms carry third-party certifications that require regular audits. Look for:
- ISO/IEC 27001 (information security management)
- SOC 2 Type II (security controls, availability, and confidentiality)
- NIST Cybersecurity Framework compliance documentation
- CISSP or CEH certifications held by actual employees (not just marketing claims)
Request a copy of their current certification documents. If a provider hesitates or says "we're working on it," that's a red flag. Legitimate firms renew these annually or every two years and post expiration dates without fuss.
Verify Real Client References and Case Studies
Ask for at least three client references from companies in your industry or size bracket. When you call them:
- Ask specifically about response times during incidents (target: under 1 hour for critical alerts)
- Inquire whether the vendor actually prevented breaches or only detected them after the fact
- Request details on pricing—did it match the proposal, or were surprise costs added?
- Ask if the vendor provided ongoing training or just deployed tools
A provider offering only vague case studies ("Fortune 500 client") without specifics is protecting their portfolio because those clients weren't satisfied. Real wins are cited by name.
Review Their Breach Response History
Search the firm's name alongside "data breach," "lawsuit," or "outage." Check:
- The SEC database (EDGAR) if they're public
- Court records for liability cases
- Security industry watchlists (BleepingComputer, Krebs on Security)
- Glassdoor reviews from actual employees (engineers and security analysts, not just sales staff)
If they've had a breach themselves, assess how they handled it: Did they disclose quickly? Did they provide compensation? Did they change their practices afterward? A single incident isn't disqualifying—silence or defensiveness is.
Evaluate Their Security Operations Center (SOC)
Most managed security services run a SOC. Verify:
- Location and staffing: Are analysts in-house or heavily outsourced to low-cost regions? (Both can work, but know what you're paying for.)
- Alert response time: Ask for their SLA (Service Level Agreement) on critical vs. medium alerts. Typical: critical within 15 minutes, medium within 4 hours.
- Tools and technology: Do they use updated SIEM platforms (Splunk, Microsoft Sentinel, etc.), or aging tools? Outdated infrastructure signals cost-cutting.
- Staffing ratios: A typical SOC analyst monitors 500–1,500 endpoints. If they claim one analyst handles 5,000+, quality suffers.
Request a walkthrough video or site visit. Legitimate firms showcase their SOC confidently; sketchy ones deflect.
Compare Pricing Against Industry Standards
Cybersecurity services vary wildly by scope, but here's a rough baseline:
- Managed Detection & Response (MDR): $200–$500 per endpoint/month (25–100 employee companies)
- Penetration testing: $3,000–$15,000 per engagement, depending on scope
- Incident response retainer: $500–$2,000/month for 24/7 on-call response
- Security awareness training: $3–$10 per employee/year
If a quote is significantly below these ranges, ask what's excluded. If significantly above, confirm what justifies the premium (e.g., custom threat hunting, compliance-specific expertise).
Check Insurance and Liability Coverage
Ask whether the provider carries cyber liability insurance. Reputable firms typically carry $1M–$10M in coverage. This protects you if they miss a breach they were responsible for detecting. Request proof of coverage—a policy number, not a promise.
Use Comparison Platforms
Platforms like Mercoly let you compare and vet multiple cybersecurity service providers in one place, complete with verified credentials and customer reviews. This saves time and ensures you're seeing apples-to-apples pricing and capabilities.
Frequently Asked Questions
Q: How long should I expect before a cybersecurity provider detects a breach in my network? Most reputable MDR providers detect breaches within 24–48 hours; premium SOCs operate 24/7 and flag critical incidents within 1–4 hours. Your SLA should specify exact response windows.
Q: Can I trust customer reviews on Google or Trustpilot for cybersecurity vendors? Partially. Verified reviews are useful for spotting patterns (slow support, hidden fees), but always call references directly—cybersecurity reviews are sometimes filtered or written by competitors.
Q: What's the difference between a security audit and a penetration test? A security audit is a comprehensive assessment of your existing controls and compliance (typically quarterly or annual). A penetration test simulates an actual attack to find exploitable weaknesses (annual minimum, often after major system changes).
Start your vetting process today by comparing certified providers with verified track records.