Penetration Testing Companies

Factors involved in selecting a pen test company or consultant.

Joseph Sheridan

Joseph Sheridan (pictured) is the Owner and Principal Consultant of ReactionIS, a CESG-approved CHECK penetration testing company. His qualifications include CHECK Team Leader, CREST Consultant (Web App and Infrastructure disciplines) and CISSP. Find out more here.

Penetration Testing Companies - Selecting the Best Supplier

There are many penetration testing companies offering similar services, but how can a prospective purchaser choose between them? This article sets out the factors that should be considered when selecting a pen test company or consultant.

Consultant Experience Level

Penetration testing is an art, not a science. It is not possible to exhaustively try every way of interacting with a web application or computer system in the time available for a test, so coverage depends on judgement. It is therefore imperative that the security consultant testing your systems can draw on years of experience to home in on the areas where vulnerabilities are most likely to occur, and has the skill to exploit a flaw once found and demonstrate its true impact rather than merely reporting a scanner result.

Penetration Testing Qualifications

The main qualifications for penetration testing within industry and government circles are the CHECK Team Leader, CREST Certified Web Application/Infrastructure Consultant and the Tiger Scheme Senior Security Tester certifications. Each is awarded only after a demanding examination with a hands-on practical component, so consultants holding one or more of them are widely recognised as being at the top of their game. Without these qualifications within the testing team, testing quality can vary and easily exploitable security holes may be overlooked.

Ensure consultants are security cleared

Ensure that the penetration testing company provides security consultants holding security clearance at the level appropriate to your industry or government sector. Remember that the output of a test is itself sensitive: a report is, in effect, a list of exploitable weaknesses in your systems, often accompanied by extracted data and credentials. Testers who cannot obtain the requisite clearance may not be suitable to handle that material.

Ensure that the Penetration Testing Company is Endorsed by the CHECK or CREST schemes

CESG (for the CHECK scheme) and CREST both maintain lists of approved penetration testing companies that have met demanding scheme entry requirements. These requirements include an assessment of staff capabilities, reporting quality, testing methodology, data handling and project management, amongst others, so membership gives a purchaser independent assurance that goes beyond the supplier's own claims.

Ask About Research Activities

Published security research (advisories, tools, conference talks) lets consultants demonstrate their expertise in the field and shows that they keep pace with attackers rather than relying solely on off-the-shelf tools. Ask your prospective pen testing company to point to research its consultants have published.

Ensure Experience in Your Sector

Each industry sector has different objectives, regulatory drivers and risk appetites when commissioning security testing. Ensure that the prospective penetration testing company understands the challenges of your industry or government sector and can show previous experience of working within it.

About Joseph Sheridan

Joseph Sheridan is a CHECK Team Leader, CREST Consultant (in both Web App and Infrastructure disciplines) and CISSP certified. He founded ReactionIS, one of the CESG-approved CHECK penetration testing companies, and holds multiple security clearances including HMG and NATO. Joseph has released security advisories which now feature in the widely used Metasploit exploit framework; more about Joseph here. Please get in touch for more information.