It can be difficult to tell that you have received a low-quality penetration test. Sometimes you receive lots of documents and other times very few, but the volume of documents does not tell you how much work has been performed finding vulnerabilities. Having more or fewer meetings with a Cyber company does not give an indication of their capabilities, nor of how long they have spent doing your penetration testing.
Bigger indicators would be things like:
- How many other jobs the Penetration Tester has (as this shows how much focus they have on your website/network/systems).
- How long they spend creating the report (as this is time they aren’t Penetration Testing).
- Who is/was their mentor (the person from whom they learn their approach, technique and skills).
Unfortunately, these things are not accessible. Instead, we need to use the Penetration Test Report as an indication.
During penetration testing at Vertex, we find that 9 out of 10 times we detect more than 10 vulnerabilities. This would suggest that any penetration test finding fewer than 10 vulnerabilities is probably low quality. An exception to this might be if the scope of the penetration test is very small, e.g. a static website or an IP. If your penetration test report shows fewer than 10 vulnerabilities, we suggest trying a different vendor next year.
Many customers change from competitors to Vertex Cyber Security after receiving poor-quality Penetration Tests.
For your next Penetration Test, reach out to Vertex Cyber Security.