> series: business_owners_guide —— part: 04/10 —— topic: choosing_a_provider —— warning: not_all_testers_are_equal_
Penetration testing is an unregulated industry. Anyone can set up a website, call themselves a penetration tester, and start selling engagements. The consequence is that the quality of penetration testing varies enormously — from thorough, expert-led assessments that genuinely improve your security, to automated scan-and-report exercises that provide a false sense of assurance while missing critical vulnerabilities.
Choosing the right provider is one of the most consequential decisions in the process. This article gives you the criteria to evaluate providers, the questions to ask, and the warning signs that should prompt you to look elsewhere.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Certifications are not a guarantee of quality, but they are a meaningful minimum standard. They demonstrate that the provider — and critically, the individual testers who will work on your engagement — have been independently assessed against a recognised body of knowledge.
| Certification | What It Means | Why It Matters |
|---|---|---|
| CREST | The Council of Registered Ethical Security Testers. A CREST-accredited company has been audited against standards covering methodology, data handling, staff vetting, and quality assurance. Individual testers hold CREST examinations (CRT, CCT) which are rigorous, practical assessments. | CREST is widely regarded as the industry standard in the UK and is recognised by regulators including the ICO, FCA, and NHS. For many compliance requirements, CREST accreditation is either required or strongly preferred. |
| CHECK (NCSC) | The CHECK scheme is run by the National Cyber Security Centre (NCSC). CHECK-approved companies are authorised to conduct penetration testing for UK government and public sector organisations. Testers must hold CREST CCT or equivalent qualifications and undergo NCSC vetting. | Required for testing government systems. Represents the highest level of formal accreditation for penetration testing in the UK. |
| OSCP / OSCE / OSWE | Offensive Security certifications — OSCP (Certified Professional), OSCE (Certified Expert), and OSWE (Web Expert). These are hands-on, practical examinations that require the candidate to compromise multiple systems within a time limit. They are widely respected as proof of genuine technical capability. | An OSCP or higher-level Offensive Security certification on your tester's CV is a strong indicator of practical ability. These examinations cannot be passed by memorising theory — they require real exploitation skills. |
| CSTM / CSTL (CREST) | CREST Registered Tester (CRT), CREST Certified Tester (CCT Infrastructure / Web Application), and CREST Certified Simulated Attack Manager (CSAM) / Specialist (CSAS) for red team operations. | These individual certifications tell you about the specific tester assigned to your engagement, not just the company. Ask which certification level your assigned tester holds. |
A company can hold CREST accreditation while assigning your engagement to a junior tester who does not hold individual CREST certification. Always ask: who specifically will conduct my test, what are their individual qualifications, and how many years of experience do they have? A good provider will answer this question directly and without hesitation.
Beyond certifications, there are practical questions that reveal whether a provider will deliver a thorough, valuable engagement or a superficial exercise. These questions should be asked during your initial conversations — before any contract is signed.
There are specific warning signs that indicate a provider will not deliver a quality engagement. Any of the following should prompt you to continue your search elsewhere.
| Red Flag | What It Tells You |
|---|---|
| They quote without understanding your environment | A provider who gives you a fixed price without asking detailed questions about your infrastructure, applications, number of IP addresses, user roles, and business context is not scoping a genuine penetration test. They are selling you a fixed package — likely an automated scan with a templated report. |
| The price is dramatically lower than competitors | Penetration testing is labour-intensive skilled work. If a provider quotes a fraction of what others are charging for the same scope, they are either spending less time, using less qualified testers, or relying heavily on automated tools. You get what you pay for. |
| They cannot name the tester | If the provider will not tell you who will conduct the test, you cannot verify their qualifications or experience. This may indicate the work will be subcontracted or assigned to the most junior available resource. |
| Their sample report is a vulnerability scanner export | If the sample report consists primarily of automated scanner output — Nessus, Qualys, or similar — with minimal manual analysis, the provider is selling vulnerability scanning as penetration testing. A genuine penetration test report demonstrates manual testing, exploitation, and business-context analysis. |
| They guarantee a clean result | No reputable penetration tester will guarantee that they will find nothing. If a provider suggests that the outcome will be favourable, they are telling you what you want to hear rather than what you need to know. The purpose of a penetration test is to find problems — if nothing is found, either the tester did not look hard enough or your security is genuinely exceptional. The former is far more common. |
| They do not discuss rules of engagement | A professional provider will establish clear rules of engagement before testing begins — what is in scope, what is excluded, what to do if critical vulnerabilities are found during testing, emergency contact procedures, and testing windows. A provider who does not raise these topics is not following a professional methodology. |
Now that you know how to choose a provider, next week we cover scoping — the process of defining exactly what will be tested, how it will be tested, and what is excluded. Good scoping is the foundation of a valuable penetration test, and poor scoping is the most common reason engagements deliver disappointing results.
Our testers hold individual CREST and Offensive Security certifications, we carry full professional indemnity insurance, and we are happy to answer every question on this page before you commit. Retesting of critical and high findings is included in every engagement.