See if they have published advisories (your pentesters had vulnerabilities discovered by their researchers) in field that you're going to ask them. This is the only way to understand if they have real practice in finding vulnerabilities.

-----
Best regards,
Sergey V. Soldatov

On 07.02.2013, at 6:30, Justin Rogosky <jrogosky (at) gmail (dot) com [email concealed]> wrote:

> Well, I would see if you could get a sample report making sure it isn't
> just a nessus report with a cover sheet. I would check out their client
> list (assuming it is on their webpage) to make sure they have some
> speciality in your line of business.
>
> A lot of it is up to you too. You need to make sure you properly define
> the scope and are available for them to contact you. If issues arise,
> do you have the resources / contacts to fix them or get the information
> to the person who can?
>
> The first thing I would do is to make sure you need a penetration test?
> Have you done a vulnerability assessment? Have you looked at your
> security policies and made sure they are up to date and valid (adhered
> to may be too much to ask depending on the environment)
>
> Just my 2 cents (3 cents Canadian)
>
> --Justin
>
>
>
> On Wed, 2013-02-06 at 18:31 -0700, Remi Broemeling wrote:
>> Hi all,
>>
>> I'm currently in the process of sizing up/comparing various
>> Penetration Testing firms, and am having a bit of trouble finding
>> distinguishing characteristics between them. I've looked at a fair
>> few, but they all seem to offer very similar services with little to
>> recommend one over another. What I'm looking for is an independent
>> firm capable of doing external penetration tests against a small
>> datacenter cluster of hosts and then providing a report of their
>> results (I realize that I just described the general process of
>> penetration testing).
>>
>> Does anyone on here have any specific recommendations on what to look
>> for when choosing an independent penetration testing firm?
>>
>> Thanks,
>>
>> Remi
>>
>> ------------------------------------------------------------------------

>> This list is sponsored by: Information Assurance Certification Review Board
>>
>> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>>
>> http://www.iacertification.org
>> ------------------------------------------------------------------------

>
>
>
> ------------------------------------------------------------------------

> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

>

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

[ reply ]