topic Re: Reputed Pen Testing Companies to use in Tech Talk

Reputed Pen Testing Companies to use

2012 — Mon, 23 Jul 2018 18:29:15 GMT

Hello,

Sorry if this post does not fit the content here. I would appreciate if esteemed members could suggest reputed names for engaging them for pen testing of SaaS-based service with desktop/mobile and browser clients.

Thanks in advance.

Re: Reputed Pen Testing Companies to use

CISOScott — Tue, 31 Jul 2018 13:56:09 GMT

I have heard good things about Black Hills Information Security in the pentesting arena:

Here is their website:

https://www.blackhillsinfosec.com/

Re: Reputed Pen Testing Companies to use

2012 — Thu, 02 Aug 2018 17:04:41 GMT

Thank you CISO Scott.

Re: Reputed Pen Testing Companies to use

Caute_cautim — Thu, 02 Aug 2018 20:27:30 GMT

If you want a regular subscription based service, with immediate real time results, rather than having to wait for Statement of Work overheads - then you may find this useful:

https://www.ibm.com/security/services/penetration-testing

Regards

Caute_cautim

Re: Reputed Pen Testing Companies to use

2012 — Wed, 08 Aug 2018 03:35:09 GMT

Thank you.

Re: Reputed Pen Testing Companies to use

viethanguyen — Tue, 14 Aug 2018 03:25:46 GMT

Hi,

In case still consider you should go with Big4 (EY, KPMG, PwC, Delloitte) for not just pentest but more consultant 🙂

Re: Reputed Pen Testing Companies to use

Caute_cautim — Tue, 14 Aug 2018 05:11:18 GMT

From experience, it does not matter who it is - ensure they are carefully supervised. Had a situation on a private cloud, where by the Big 4 pen tester, was given access to an internal 10 Gbit switch port, and decided to unleash the throttle without first checking with the client and associated team first. The resultant chaos, certainly had the Incident Response going for a little while. It does not matter, who they are, ensure they are supervised and monitored carefully.

Regards

Caute_cautim

Re: Reputed Pen Testing Companies to use

CISOScott — Tue, 14 Aug 2018 13:28:47 GMT

@viethanguyen wrote:
Hi,

In case still consider you should go with Big4 (EY, KPMG, PwC, Delloitte) for not just pentest but more consultant 🙂

In my personal opinion going with a big 4 or even another pen testing company you need to be careful. I have found that pen testers who are reputable AND good will not do a pen test for you for more than 2 years in a row. Sometimes the big 4 or others who do not specialize in pen testing are just in it for the money. I have seen one company come in for 6 years straight and they were just tool monkeys. They ran Nessus, spit out the results and told the OIG how bad the company's IT staff was. They provided no analysis, no solutions, just you need to patch and you are so bad because you have 13,000 vulnerabilities across your 3 networks.

I was brought in as a new ISSO, I had to bite my tongue in the out brief meeting because I was new and still under probation but I wanted to stand up and say this:

"You guys are nothing but tool-monkeys, which means we could have brought in monkeys and had them run the tool and got the same results. Your analysis is flawed because you incorrectly stated we have 13,000 vulnerabilities. We have 3 identical networks, dev, test, and prod. So really we have the same 4,333 vulnerabilities 3 times. Secondly, you offer no solutions about the core problem. You know nothing of how our company works, despite having been running the SAME pentest for 6 years. The problem is not the number of vulnerabilities, the problems are various and not even being dealt with because you just keep pointing out the big number. Problem #1 is that we have a bad IT setup. The government staff are all managers who manage IT contractors to do the work. We have no federal IT staff that are actually able to do the patch management. #2 is the fact we have written bad IT contracts and security and IT are not brought into the contract writing portion of the contracts. Our current contract says the IT contractors will patch Windows, Oracle, and RedHat. It does nothing to address 3rd party patching or other security solutions for which a patch is not available, but manual solutions exist. Even though the contractor is technically able to remediate it, if they were to screw something up, because it is not written in their contract, they could be thrown off of the contract. They are not going to take that risk. #3 Because you just keep reporting numbers and offering no solutions, Everyone is pointing fingers at each other, which further delays the response. #4 Because you keep bringing back the same team year after year and doing the same things you always do, we have no idea if you are competent at your task. Brining in a new set of eyes by using a different company will show different things. That is why COMPETENT pen-testing companies do no more than 2 years in a row before suggesting that you use someone else. If a company is suggesting rotating pen-testing companies that is a good indication that they know what they are doing.

I had only been on the job for 6 months and had already pointed out several problems within the IT sphere. Unfortunately for me, I was young in my InfoSec career and did not know about how things like company culture would be a roadblock for my successes. I banged my head against a wall throwing good ideas after good ideas not realizing that, even though my security analysis was good and correct, the way I was presenting it was making IT look like fools so they were resistant to my good ideas and started building walls around it. They had the mentality that they were a small obscure federal agency (who only had about a billion in funds they were managing) so they weren't anybody's target. No one would even think to go after them. It wasn't until later, after I started in my Master's program that I learned about Organizational Culture and how I had to address that while making my suggestions, in order for them to accept them.

So I would ask, when selecting a pen-test company, what is their suggestion for length of contract? If they say over two years, I would be suspicious.

Re: Reputed Pen Testing Companies to use

rslade — Tue, 14 Aug 2018 17:52:20 GMT

@viethanguyen wrote:
In case still consider you should go with Big4 (EY, KPMG, PwC, Delloitte) for not just pentest but more consultant 🙂

The Big $ (oh, sorry, I left my finger on the shift key too long, that should be Big 4) are extremely good at finding problems in your security posture that can be addressed by consulting they can sell you ...

Re: Reputed Pen Testing Companies to use

Steve-Wilme — Fri, 24 Aug 2018 14:08:14 GMT

If you're EMEA based you could examine the CREST of CHECK list of companies

https://www.crest-approved.org/member-companies/index.html

Re: Reputed Pen Testing Companies to use

karishmaqualyse — Fri, 08 Aug 2025 12:32:37 GMT

Re: Reputed Pen Testing Companies to use

Caute_cautim — Sat, 09 Aug 2025 06:00:12 GMT

@karishmaqualyse

A quick question on Google AI came up with the following companies:

Several companies offer reputable SaaS-based penetration testing services, including Cybri, NetSPI, Cobalt, Bishop Fox, Rhino Security Labs, Informer (Bugcrowd), and Veracode. These companies provide various levels of service, from expert-led, compliance-focused testing to continuous, automated assessment platforms.

Here's a more detailed look at some of these companies and their offerings:

1. Cybri: CYBRI provides expert-led, compliance-aligned penetration testing as a service (PTaaS) tailored specifically for SaaS applications.

2. NetSPI: Known for enterprise-grade PTaaS, NetSPI integrates with CI/CD pipelines and DevOps workflows.

3. Cobalt: Offers agile PTaaS with a focus on rapid launch and a global network of testers.

4. Bishop Fox: Specializes in red teaming and continuous offensive testing for complex SaaS platforms.

5. Rhino Security Labs: Provides in-depth manual testing, particularly for cloud-native and high-risk SaaS applications.

6. Informer (Bugcrowd): Offers real-time PTaaS with continuous asset discovery capabilities.

7. Veracode: Provides a unified AppSec platform with both PTaaS and AI-powered remediation features.

8. Astra Security: Offers a SaaS platform that combines automated vulnerability scanning with manual penetration testing, focusing on SaaS applications.

9. Rapid7: Known for its robust automated penetration testing solutions and integration with existing security frameworks.

10. Qualysec: Offers comprehensive security assessments for SaaS applications, combining automated tools with manual testing.

When selecting a SaaS penetration testing company, consider factors

such as:

Scope of testing: Does the company offer testing for web applications, mobile apps, APIs, cloud infrastructure, etc.?
Testing methodology: Do they offer automated scanning, manual penetration testing, or both?
Integration capabilities: Can their platform integrate with your existing security tools and workflows?
Reporting and remediation: Do they provide clear, actionable reports and guidance on how to fix vulnerabilities?
Compliance requirements: Do they have experience with relevant compliance standards for your industry (e.g., PCI DSS, HIPAA, SOC 2)?
Pricing and scalability: Does the pricing model fit your budget and can they scale with your needs?

Regards

Caute_Cautim

Re: Reputed Pen Testing Companies to use

karishmaqualyse — Tue, 12 Aug 2025 04:52:38 GMT

You can also read: https://qualysec.com/top-20-best-penetration-testing-companies-in-the-uk/