Hiring the wrong penetration tester can leave critical vulnerabilities undetected—or worse, damage your systems during testing. Before you sign a contract, ask the right questions to ensure the tester has the credentials, methodology, and scope alignment your business needs. Here's what separates competent testers from those who'll waste your budget.
What Certifications and Credentials Do They Hold?
Look for Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), or GPEN (GIAC Penetration Tester) certifications. These demonstrate hands-on expertise, not just theoretical knowledge. Ask how recently they earned or renewed them—the field moves fast, and outdated certifications matter less than active, current ones.
Don't assume one certification covers everything. OSCP holders excel at technical exploitation, while CEH credential holders may have stronger compliance knowledge. If your industry requires specific audit standards (healthcare, finance, retail), verify they've successfully tested similar environments before.
What's Your Testing Methodology?
Ask whether they follow a defined framework like NIST SP 800-115, OWASP, or the PTES (Penetration Testing Execution Standard). This matters because it shows they approach testing systematically rather than ad-hoc. A structured methodology means consistent findings, clear reporting, and reproducible results.
Request a sample report from a previous engagement (with client details redacted). Look for specificity: does it explain why a vulnerability matters, provide proof-of-concept steps, and suggest realistic remediation? Generic vulnerability lists are useless; good reports connect findings to your actual business risk.
How Do They Define and Limit Scope?
Scope creep wastes time and money. Before engagement, they should define clearly:
- Which systems, networks, and applications are in-scope
- Which are explicitly out-of-scope (critical production databases, for example)
- What testing window is available (nights, weekends, scheduled downtime)
- Whether they'll test external infrastructure only, internal networks, or both
- If physical security testing or social engineering is included
- Limits on denial-of-service tactics or data exfiltration during testing
A tester who's vague about scope boundaries is a red flag. You need a signed rules of engagement document that both parties understand before any testing begins.
What's Your Timeline and Cost Structure?
Penetration testing costs typically range from $3,000–$10,000 for small-scope assessments to $25,000–$75,000+ for enterprise-level testing across multiple systems. Timeline varies too: a focused web application assessment might take one week; comprehensive network testing could span three to four weeks.
Ask how they price: by the day, by scope complexity, or as a fixed project fee? Day rates typically run $1,500–$3,500 depending on the tester's experience level and your location. Clarify what happens if testing uncovers significantly more vulnerabilities than anticipated—do hours expand, or does the scope simply expand within a fixed fee?
Will They Provide Remediation Guidance?
Finding vulnerabilities is only half the battle. Ask whether they'll provide remediation recommendations, and if those recommendations come with estimated effort levels (quick fix, medium effort, architectural redesign). Some testers charge extra for a remediation workshop; others include it.
Request clarity on follow-up testing: if you fix vulnerabilities they found, will they retest to confirm the fixes work? This add-on typically costs 20–30% less than the initial test and is worth budgeting for.
Can They Work Within Your Compliance Requirements?
If you're regulated (PCI-DSS, HIPAA, SOC 2, etc.), verify the tester understands your industry's specific penetration testing requirements. Not all tests are created equal—PCI-DSS has stricter scoping rules than a general security assessment, for example.
Ask if they've conducted similar assessments for your industry. They should know common tooling restrictions, data handling requirements, and documentation standards your auditor expects.
How Do You Compare Multiple Testers?
Mercoly lets you compare and find trusted penetration testing and vulnerability assessment providers side-by-side, so you can evaluate credentials, pricing, and specialization in one place.
Frequently Asked Questions
Q: How long should a penetration test take? A: A focused application test might take 1–2 weeks, while a comprehensive network assessment can take 4–6 weeks depending on infrastructure complexity and scope.
Q: What's the difference between a vulnerability scan and a penetration test? A: Scans automatically identify known vulnerabilities; penetration tests manually exploit those vulnerabilities to demonstrate actual risk and business impact.
Q: Should we do annual or more frequent penetration tests? A: Annual testing is standard, but retest after major infrastructure changes, following significant vulnerability fixes, or when compliance audits require it.
Compare penetration testers based on credentials, methodology, and fit for your specific needs—not just price.