
Finding a Penetration Test Provider: The Honest Checklist

Most companies pick the wrong pentest provider and never notice. The red flags, the right questions, and a checklist to separate the good from the bad.

Tags: penetration-test, pentest-provider, vendor-selection, sme

Most companies pick the wrong pentest provider. And the worst part: they never notice.

Why? Because both reports look the same. The one from the provider who spent three days manually breaking into your application. And the one from the provider who ran a scanner and swapped the logo. Both are PDFs with red bars.

The difference only shows up when a real attacker arrives. By then it is too late.

Every technical vulnerability has an organizational root cause. That is why the report should be understandable to both IT admins and management.

Here is the checklist that helps you figure out who you are dealing with before you sign.

The 6 red flags

If you see one of these, get skeptical. If you see several: keep looking.

  • Fixed price without scoping. No serious provider quotes a price before they know what you have. Anyone who throws out a number immediately is selling a standard package, whether it fits or not.
  • No meaningful certifications. Ask for OSCP+, CPTS, or equivalent. "We have been doing this for years" is not proof.
  • No retest in the offer. A test that does not verify whether fixes actually hold is only half a test.
  • No management summary. If your CEO cannot understand the report, they cannot make a decision. Then the money was wasted.
  • Vague about methodology. A good provider names standards like OWASP, PTES, or OSSTMM without hesitation.
  • Sloppy on the legal side. Without proper written authorization under German law (Sections 202a-c of the German Criminal Code), a pentest in Germany is a criminal offense. Anyone who does not handle this proactively is working recklessly.

The 5 green flags

This is what the right provider looks like:

  • They want to talk first, then quote. A scoping conversation before every price. Always.
  • Certified people test manually. Scanners are a tool, not a replacement for a brain.
  • The report has two layers. One for technical teams, one for management. Both clear.
  • Findings are prioritized by real risk. Not 200 "findings" sorted by CVSS score, but the three that can actually hurt you, listed first.
  • Retest is a given. Fixed means fixed, not "we wrote it in a ticket once."

Questions to ask in the first call

Copy these. In ten minutes they separate the professional from the salesperson:

  1. "Who exactly will test, and what certifications does that person have?" Not the company. The person.
  2. "How much is manual, and how much is automated?" A good provider can quantify this precisely.
  3. "Is a retest included?" And if so, how long after the initial test does it take place?
  4. "How do you handle legal authorization?" The answer should come quickly and concretely.
  5. "Which standard do you test against?" OWASP, PTES, OSSTMM, BSI. Something recognized should come up.

Anyone who struggles with these five questions does not have their craft down.

Local or remote: does "nearby" matter?

Many companies search for a provider "nearby." For pure web and network tests, location barely matters. Those run remotely anyway.

Location becomes relevant when physical tests are involved: on-site social engineering, access controls, an attacker sneaking into the building. Then you want someone who can show up without a plane ticket.

For the DACH region, language adds another layer. A German report, German contacts, German law. That saves real headaches on compliance topics and audits.

Why this matters right now

Cyber insurers, NIS2, DORA, ISO 27001. Everywhere, proof of tested systems is required. A bad pentest gives you the PDF, but not the substance behind it.

When things blow up and the insurer looks closer, a scanner report is not a good place to hide.

How we do this at daqoon

Short and honest: We talk first. We test manually. The report is built for humans, not tool logs. And retest is always included when you want it.

Testing is done by people with OSCP+ and CPTS, not an intern with a scanner license.

Want to hold this up against your situation? Let's talk for 20 minutes. It costs nothing, and you will quickly see whether we are a fit.


daqoon: We break in before others do.