For customers· 4 min read

Red Flags When Hiring a Penetration Testing Firm

Warning signs of unqualified pen testers. Know what to avoid when selecting vulnerability assessment and penetration testing services.

Penetration testing is one of the most critical investments in your security posture—but hiring the wrong firm can waste thousands of dollars and leave gaps that matter. A bad pen test firm might run surface-level scans, miss critical vulnerabilities, or deliver reports so generic they're useless for remediation. Learning to spot red flags before you sign a contract saves time, money, and your reputation.

Vague Scope and Methodology

If a firm can't clearly articulate what they'll test, how they'll test it, or what your deliverables will include, walk away. A professional penetration testing firm should provide:

  • A detailed statement of work (SOW) that specifies testing type (external, internal, web application, API, cloud infrastructure)
  • Testing methodology alignment with NIST, OWASP, or PTES frameworks
  • Clear exclusions (no testing during business hours, no physical destruction, etc.)
  • Defined assessment timeline and resource allocation

A firm that says "we'll do a penetration test" without drilling into these specifics is either inexperienced or intentionally vague to avoid accountability.

No Professional Certifications or Credentials

Legitimate penetration testers hold industry-recognized certifications. The most credible include:

  • OSCP (Offensive Security Certified Professional)—the gold standard
  • GPEN (GIAC Certified Penetration Tester)
  • CEH (Certified Ethical Hacker)
  • OSCE (Offensive Security Web Expert) for web app specialists

Ask for verifiable proof. Many firms misrepresent qualifications, so request LinkedIn verification or look up names on official certification databases. If lead testers lack any formal credentials, that's a major red flag—this work requires demonstrated technical depth.

Suspiciously Low Pricing

A full internal and external penetration test typically costs $3,000–$15,000 depending on scope and environment complexity. Anything significantly cheaper suggests corners being cut:

  • Automated vulnerability scanners run without manual exploitation
  • Limited time spent on reporting and business context
  • Junior staff with minimal oversight
  • Incomplete test coverage (only 3–5 days of testing vs. 10+)

A bare-bones scan might cost $1,500, but that's not a true penetration test. If a quote seems too good to be true, ask specifically what's included and for references from similar-sized companies.

Lacks Insurance and Legal Safeguards

Penetration testing operates in legal gray zones. Ensure the firm carries:

  • Professional liability insurance (cyber and errors & omissions)
  • A detailed rules of engagement document you sign beforehand
  • Clear language about scope boundaries and authorization requirements
  • Indemnification clauses protecting both parties

Without these, you have no recourse if they accidentally knock systems offline or expose data during testing. Ask to see certificates of insurance before engagement.

Weak Report Quality and Explanations

The report is where theoretical findings become actionable security improvements. Red flags include:

  • Reports filled with CVSS scores but minimal business context ("This vulnerability allows remote code execution")
  • No remediation guidance or prioritization strategy
  • Copy-paste descriptions from vulnerability databases
  • No executive summary for non-technical stakeholders
  • Overly technical jargon without explanation for your team

Request a sample report during the sales process. A quality report typically runs 30–60 pages, includes proof-of-concept evidence, and explains why each finding matters to your specific environment.

No References or Verifiable Track Record

Ask for at least three customer references from companies similar to yours in size and industry. Then actually call them. Red flags include:

  • Refusing to provide references
  • References from only tiny startups or only Fortune 500 companies (no middle ground)
  • References unwilling to speak about the engagement
  • No online presence or case studies

Check LinkedIn to see if their pentesters have worked at credible security firms or if they're all new hires. A firm that can't prove consistent delivery is betting you won't do your homework.

No Post-Testing Support

A quality engagement includes:

  • A debrief meeting explaining findings to your team
  • A 30–90 day re-test window to verify fixes
  • Availability to answer clarification questions
  • Guidance on prioritizing remediation efforts

Firms that deliver a report and disappear aren't helping you improve security—they're collecting a check. Remediation support is part of the value.

Frequently Asked Questions

Q: What's the difference between a vulnerability scan and penetration testing? A vulnerability scan is an automated tool that identifies known weaknesses; a penetration test involves manual testing by skilled professionals who actively exploit vulnerabilities to prove real-world impact. Scans are faster and cheaper but miss context-dependent risks that manual testing catches.

Q: How often should we run penetration tests? Annual testing is the industry baseline, but quarterly or after major system changes is better for high-risk environments. A firm should recommend frequency based on your threat profile and compliance requirements (PCI-DSS, HIPAA, etc.).

Q: Can internal staff perform penetration testing on our own systems? Internal teams can run vulnerability scans, but external penetration testers catch blind spots and bring fresh attack perspectives your team might miss. Using Mercoly to compare and find trusted penetration testing providers in one place streamlines vetting this critical hire.

Start your vendor comparison process armed with these red flags—your security posture depends on it.

Looking for Penetration Testing & Vulnerability Assessment?

Compare trusted Penetration Testing & Vulnerability Assessment providers on Mercoly — browse profiles, products, and services and reach out in one place.

Related articles

More in IT Services & Managed Support · Penetration Testing & Vulnerability Assessment