Tips for Choosing a Pentesting Company

In today’s world of automated hacking systems, frequent data breaches and consumer protection regulations such as GDPR and PCI DSS, penetration testing is now an essential security requirement for organisations of all sizes. But what should you look for when choosing the right provider?

The sheer number of providers can be daunting, and finding one which can deliver a high-quality test at a reasonable price is not easy. How do you know if they’re any good? What level of security expertise was included in the report? Is your application secure, or did the supplier simply not find the weaknesses?

There are no easy answers, but you can make it easier by asking the right questions up front. The most important considerations fall into three categories: certifications, experience, and price.

Certifications

Certifications are the best place to start, as they provide a quick shortcut for building trust. There’s no shortage of professional certifications available, but one of the most well-recognised is CREST (Council of Registered Ethical Security Testers).

CREST was set up by the UK’s leading pen testing consultancies precisely to solve this problem, and it is now an internationally recognised hallmark of quality for a variety of cyber security disciplines.

You still need to know what to look for though, as CREST has both a company-level certification and individual certifications, where each tester must pass an exam to prove their skills. Having one does not mean you have the other.

The company-wide accreditation (‘CREST member company’) is given to companies that can prove their policies, processes and procedures are up to scratch. This allows penetration testing companies to show that they follow good practices on paper, and use appropriate security testing methodologies. However, asking a ‘CREST member company’ to carry out a pen test does not guarantee that the consultant performing your test is certified themselves; it means merely that the company is morally obliged to provide you with a suitable tester.

Make sure you ask about the actual tester who will carry out the work: do they have appropriate certifications and experience?

For that reason, CREST also has different levels even for the individual testers, from entry-level certificates to complex practical examinations in different specialist areas. It’s important to look at both the level of certifications, and whether they’re specific to the type of penetration testing you are looking for. We’ve outlined the available CREST certifications for penetration testing below:

Whether you’re looking for a junior, senior or specialist would depend on your organisation’s risk appetite. Governments would usually ask for specialists, while startups with lower risk profiles might be fine with juniors.

While certifications are useful, they can’t cover everything. There are many types of technology out there, and you can’t have an exam to cover every single one. As you can see from the diagram above, there is no CREST exam for AWS, or for embedded devices, or mobile applications.

Penetration testers are like doctors; they have a broad set of knowledge and skills, but there isn’t always a textbook for the patient you’re dealing with. That’s when experience can come into play.

Experience

Another big factor is the experience your pen tester has under their belt. The more exposure they’ve had, the better they will be at uncovering a wider range of security threats.

It’s also important to note that not all experience is equal, as some types of testing can involve specific skills in particular technologies, like AWS Cognito, or the Real Time Messaging Protocol. Make sure your provider has relevant experience in the technologies you’re working with.

Remember, there may not be a tester with experience in every technology out there, so you may need to be flexible. A good penetration tester will be able to learn about the technology you need testing, based on skills and principles from other disciplines, but it might take them longer to become familiar with the technology at hand, which could have a knock-on effect on the price…

Price

When customers ask the average cost of a penetration test, it’s like asking how long is a piece of string. It depends what you’re working with, and how deep you need to go. Imagine painting a bridge: it depends how big it is, and how many coats of paint you want. One coat could leave you exposed to the elements.

Asking how much a pen test costs is like asking how much it would cost to paint a bridge. It depends on the size of the bridge, any complicating factors, and how much coverage you want to get.

Therefore, pen tests are usually quoted on a ‘day-rate’ basis, and very broadly, you can expect to pay anything in the range of £800-£1500.

Day rates vary from vendor to vendor based on things like reputation, certifications, special requirements and experience, although discounts can be negotiated if you’re buying lots of days (anything more than fifteen days would be considered a large test).

To understand how long your job will take, the vendor will often need to get a demo of your product, or gather information about your environment. As a rule of thumb, the fewer questions they ask at this stage, the less likely you are to get an accurately quoted piece of work.

There’s also no standard when it comes to scoping a piece of work, so you might find estimates differ. One supplier may scope a job as 3 days’ work, and another as 5. These are best estimates; it’s hard to be sure until you’re doing the work.

You can even buy “fixed-fee” pentests, but going back to the bridge analogy, you should probably be concerned about coverage if they’re offering it for a fixed fee without asking how big the job is.

As with everything in life, the price you’re quoted should reflect the quality of the penetration test, but in an industry where the quality of a test is hard to judge, there are bound to be some rogue traders. Ask the right questions and don’t skip due diligence.

Going beyond point-in-time penetration tests

There are major issues with using penetration testing as your sole vulnerability detection method.

Firstly, while in-depth, penetration testing only covers a point in time. With 20 new vulnerabilities identified every day, your penetration test results are likely to be out of date as soon as you receive the report.

Not only that, but reports can take as long as six months to produce because of the work involved, as well as several months to digest and action.

They can be very expensive, often costing thousands of pounds each time.

With hackers finding more sophisticated methods to break into your systems, what is the best modern solution to keep you one step ahead?

In order to gain the most comprehensive picture of your security posture, you need to combine automated vulnerability scanning and human-led penetration testing.

Intruder Vanguard does just that, bringing security expertise and continuous coverage together to find what other scanners can’t. It fills the gap between traditional vulnerability management and point-in-time penetration tests, to provide a continuous watch over your systems. With the world’s leading security professionals on hand, they’ll probe deeper, find more vulnerabilities, and provide advisories on their direct impact on your business to help you keep attackers at bay.

About Intruder

Intruder is a cyber security company that helps organisations reduce their attack surface by providing continuous vulnerability scanning and penetration testing services. Intruder’s powerful scanner is designed to promptly identify high-impact flaws and changes in the attack surface, and to rapidly scan the infrastructure for emerging threats. Running thousands of checks, which include identifying misconfigurations, missing patches, and web layer issues, Intruder makes enterprise-grade vulnerability scanning easy and accessible to everyone. Intruder’s high-quality reports are perfect to pass on to prospective customers or to comply with security regulations, such as ISO 27001 and SOC 2.

Intruder offers a 30-day free trial of their vulnerability assessment platform. Visit their website today to take it for a spin!
