The penetration testing market is unregulated. Anyone can set up a company, build a website, and start selling tests. The result is enormous variation in quality — from expert, thorough assessments that genuinely improve your security, to automated scans with branded covers that provide a false sense of assurance. As a buyer, you need to distinguish between the two before you spend your budget.
This guide gives you a practical framework for evaluating providers — the credentials to check, the questions to ask, the red flags to avoid, and the indicators that tell you whether a provider will deliver genuine value.
Credentials are not a guarantee of quality, but they establish a verified minimum standard. In an unregulated market, they are the closest thing to quality assurance a buyer has before committing.
| Credential | What It Verifies | Significance |
|---|---|---|
| CREST (Company) | The company has been audited against standards for methodology, data handling, staff qualifications, and quality assurance. | The industry standard in the UK. Recognised by the ICO, FCA, and PCI SSC. Required or strongly preferred by most compliance frameworks. |
| CREST CRT / CCT (Individual) | The individual tester has passed practical, hands-on examinations demonstrating penetration testing capability. | Tells you about the person testing your systems, not just the company they work for. CCT is the advanced level — ask whether your tester holds it. |
| OSCP / OSCE / OSWE (Individual) | Offensive Security certifications — rigorous practical examinations requiring the candidate to compromise multiple systems within a time limit. | Widely respected as proof of genuine technical ability. Cannot be passed through theory alone — requires real exploitation skills. |
| CHECK (NCSC) | The company is approved by the National Cyber Security Centre to test government systems. Testers are vetted and hold advanced qualifications. | The highest level of formal accreditation in the UK. Required for government testing. Indicates the company operates at the top end of the market. |
Beyond checking credentials, there are practical questions that reveal the quality and professionalism of a provider. Ask these during your initial conversations: the answers, and the warning signs listed below, will tell you a great deal about what to expect from the engagement.
| Red Flag | What It Tells You |
|---|---|
| Fixed-price quote without scoping | The provider has not assessed your environment and is selling a standardised package. The test will not be tailored to your specific infrastructure and risks. |
| Price dramatically below market rate | The provider is cutting corners: fewer tester days, less qualified testers, or heavy reliance on automated tools. Manual penetration testing is priced on skilled time, so a quote that does not cover that time is buying less of it. |
| Cannot name the tester | The work may be subcontracted or assigned to the most junior available person. You cannot verify the qualifications of someone they refuse to identify. |
| Sample report looks like scanner output | If the sample report is dominated by automated vulnerability scanner output with minimal manual analysis, you are being sold a scan as a test. |
| No discussion of rules of engagement | A provider who does not raise scope boundaries, testing windows, escalation procedures, and communication protocols is not following a professional methodology. |
| Guarantees a clean result | No reputable tester guarantees what they will or will not find. A provider suggesting the outcome will be favourable is prioritising your comfort over your security. |
| No accreditation and no explanation why | Some excellent testers choose not to pursue CREST accreditation for cost or philosophical reasons — but they should be able to articulate why and demonstrate quality through other means. A provider with no accreditation and no alternative evidence of quality is a risk. |
When comparing quotes from multiple providers, compare like for like. A cheaper quote may reflect a smaller scope, fewer testing days, less qualified testers, or the exclusion of retesting. Normalise each quote on those same factors (scope, tester days, the named testers' qualifications, and whether retesting is included) before comparing the price.
Consider building a long-term relationship with a single provider rather than shopping for the cheapest quote each year. A provider who knows your environment delivers deeper, faster, more contextually relevant testing — and can track your security posture improvement over time. That said, rotating providers every two to three years brings fresh perspectives. The ideal balance is a primary relationship with periodic third-party validation.
We are CREST-accredited, our testers hold individual certifications, and we are happy to answer every question on this page before you commit. Ask us for a sample report, our CREST certificate, and the CV of the tester we would assign to your engagement. If we are not the right fit, we will tell you.