Your pen tester's toolkit determines what they'll actually find—and what they'll miss. Knowing which vulnerability assessment tools matter separates thorough security audits from expensive box-checking. This guide shows you what to look for when hiring or evaluating a penetration testing team.
Why Tool Selection Matters for Your Assessment
A penetration tester's effectiveness hinges on their toolset. A team using only older or free tools might miss sophisticated vulnerabilities, while one relying on a single commercial platform may develop tunnel vision around that vendor's detection patterns. You're paying for both expertise and their ability to wield the right instruments for your environment.
When interviewing testers, ask specifically which tools they plan to use on your infrastructure type. A team assessing a cloud-heavy environment should mention AWS-specific tools; one testing a network with legacy systems needs different capabilities than a DevOps-first organization.
Core Categories of Tools You Should See
Network & Port Scanning
Nessus remains the industry standard for vulnerability scanning—most pen testers carry an active license at $2,400–$3,500 annually. OpenVAS offers a free alternative, though it requires more tuning. Look for testers who use both; they're complementary. Port scanners like Nmap typically run alongside these, but that's table stakes; it's how they interpret the findings that matters.
Web Application Testing
If you operate web properties, your tester should mention Burp Suite Professional ($399–$600/year single-user, or $20k+ for team licenses). It catches authentication bypasses, injection flaws, and session handling issues that generic scanners miss. OWASP ZAP is a solid free equivalent, but Burp's passive and active scanning depth is why most reputable firms choose it.
Testers should also run endpoint protection checks and enumerate APIs explicitly—many teams scan websites but overlook internal APIs that attackers find immediately.
Credential & Access Testing
Metasploit ($3,000–$4,000/year or free with Kali Linux) is essential for exploitation and privilege escalation workflows. Expect your tester to discuss how they'll attempt lateral movement, credential dumping (Mimikatz on Windows networks), and escalation chains. This separates a genuine pen test from a vulnerability report.
Cloud & Infrastructure
For AWS, Azure, or GCP environments, testers should use platform-specific tools:
- Prowler (AWS security auditing)
- ScoutSuite (multi-cloud configuration review)
- CloudMapper (AWS architecture visualization)
If they don't mention these, they're likely running generic scans and missing cloud-specific misconfigurations—the most common finding in cloud assessments.
Key Questions to Ask Your Tester
Before engaging a penetration testing firm, ask these concrete questions:
- "Which versions of Nessus/Burp will you use, and have you tuned the plugins for false positives?" (Shows they think about accuracy, not just raw findings.)
- "How will you handle encrypted traffic during the assessment?" (Legitimate answer: with your proxy cert, firewall rules, or explicit scope limits—not silence.)
- "Will you test our API endpoints, and if so, with what methodology?" (Many teams skip this entirely.)
- "What's your process for re-testing findings after remediation?" (Quality testers include this; others don't.)
What to Expect in Your Engagement Timeline
A typical scope determines tool selection and duration. Network assessments run 2–5 days depending on size; expect your tester to spend the first day on reconnaissance and scanning, the next 2–4 on manual testing and exploitation. Web applications need 5–10 days minimum for meaningful coverage. Budget accordingly—rushed assessments with limited tool usage produce shallow results.
Comparing Quotes and Proposals
When you receive a quote, the proposal should list specific tools by name. If it says "comprehensive vulnerability scanning" without naming Nessus, Qualys, or similar, that's a red flag. Similarly, a proposal that doesn't mention testing methodology (NIST, OWASP, PTES) suggests they haven't thought through their approach.
Cost ranges for penetration testing typically run $5,000–$15,000 for small networks, $15,000–$40,000 for mid-size organizations, and $40,000+ for enterprise environments. The toolset investment is included in these fees—you're not paying extra for software licenses. Firms with proper licensing and current tool versions tend to land at the higher end because they deliver better findings.
Tools matter, but execution matters more. The best penetration testing teams use standard tools exceptionally well, adapting their approach to your unique risks rather than running canned scans.
If you're comparing multiple pen testers, Mercoly lets you evaluate proposals and find trusted Penetration Testing & Vulnerability Assessment providers all in one place, making it easier to spot which firms invest in quality tooling.
Frequently Asked Questions
Q: Should I be concerned if a penetration tester uses mostly free tools like OpenVAS and Metasploit instead of commercial suites? Free tools are legitimate and often sufficient for smaller assessments, but they require more manual tuning and interpretation. The real risk is if the tester relies only on free tools without commercial backup—mixing toolsets (one commercial, one open-source) is how you catch edge cases.
Q: How often do penetration testing tools need to be updated? Nessus and Burp Suite should be updated monthly at minimum; testers using versions older than 6 months are missing known vulnerability signatures. Ask your tester about their update cadence explicitly—it directly affects what they'll find.
Q: Is it normal for a pen tester to refuse testing certain tools or systems? Yes, and it's often a good sign. Responsible testers will decline testing systems they lack proper tool coverage for (certain embedded systems, proprietary protocols) or where they can't operate safely—better to be upfront than deliver shallow results.
Ready to find a penetration testing team with the right toolkit for your organization? Compare vetted providers and get detailed proposals that specify their toolsets.