Pentest company recommendations?

NyblizzardNyblizzard Member Posts: 332 ■■■■□□□□□□
I've been handed the task of finding a reputable pen testing company for my organization. Not sure what to look for/where to look so I'm asking here, as we have some of the best folk around. Would appreciate some insight from this community
O
/|\
/ \

Comments

  • johndoeejohndoee Member Posts: 152 ■■■□□□□□□□
    Nyblizzard wrote: »
    I've been handed the task of finding a reputable pen testing company for my organization. Not sure what to look for/where to look so I'm asking here, as we have some of the best folk around. Would appreciate some insight from this community

    I believe the size of your organization and the cost must come into play. The most important being the cost. I could recommend a Mercedes or Acura or I could recommend a Kia or Hyundai. Price must come into play. Sometimes people/organizations can't understand the term... you get what you pay for.


    Personally, you would be doing yourself a disservice contacting anyone to provide a service without knowing your budget. Nobody goes to a store and buys clothes without looking at the price tag. You don't want to be surprised at the register, nor do you want to waste your time or that of a potential contacted individual.



    A lot of the SANS instructors have penetration testing services that they provide.
  • slinuxuzerslinuxuzer Member Posts: 665 ■■■■□□□□□□
    Start by defining the scope. Are you actually only looking for a pentest? Or are you wanting this company to develop a solution / architecture to fix issues they find?
  • EANxEANx Member Posts: 1,077 ■■■■■■■■□□
    You need to know the scope of the test. Do you want just the perimeter? Web apps? Social engineering? What operational restrictions will the testing firm have? Will they be able to flood your network with queries? Or do you expect business-as-usual while the test is going on? Will you allow testing any time of day/day of the week or will you limit that? Are there certain things they absolutely have to stay away from? Will this be a blind test or will you give them certain pieces of data in advance?
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    Most SANS instructors do consulting on the side, pretty much any of them would be a safe bet. Black Hills Security, LMG Security are a few that come to mind, but they are located in South Dakota and Montana; I assume you would want to find a company closer to Florida. Just keep in mind SANS-level consultants will not be cheap.
    Still searching for the corner in a round room.
  • ErtazErtaz Member Posts: 934 ■■■■■□□□□□
    Kore is good.

    https://korelogic.com/testingServices.html

    If you need specialized testing (Like Manufacturing{OT}, or the finance sector), a smaller boutique firm might be more your speed.
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    I’d definitely take a look at Rapid7.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    We do quite a bit of pentesting and what I always ask a prospect is what they want to get out of the test. We are a boutique shop and we are never a good fit for a company that just wants a checkbox pentest. Bigger firms like Rapid7 tend to cookie-cutter their pentests, which can be fine if this is the first pentest that your company has ever done or you just need a checkbox. Smaller pentest boutique firms like ours tend to change our attack techniques depending on the target and will generally have much higher compromise rates.

    If your company already has a good security program and you really want to test your actual readiness, then I would suggest you look for a boutique firm. You will be paying a lot more but the quality is a lot better.

    Good luck.