Choosing the Right Penetration Tester: Technical Talent Alone Isn’t Enough


Recently, on the MainNerve podcast, we had the privilege of hosting Ayman Elsawah, an experienced offensive security expert known for helping companies build security programs that are not just effective but also sustainable. His perspective on choosing a penetration tester? Direct, refreshing, and incredibly relevant to the industry’s evolving landscape.

His message was clear: technical skills are essential, but they aren’t the whole story. If your penetration tester disappears after kickoff and reemerges weeks later with a dense report and no dialogue in between, they’re not just hard to work with; they’re putting your business at risk.

At MainNerve, we couldn’t agree more.


The Technical Side of Pen Testing: Table Stakes

Yes, technical ability matters. Deeply. A good penetration tester should be able to:

  • Identify misconfigurations, insecure protocols, and code-level vulnerabilities
  • Chain together low-severity issues into full-blown exploits
  • Understand how attackers think and adapt to defensive controls

But these are the bare minimum expectations in 2025.

Unfortunately, many organizations still evaluate vendors solely based on checklists and certifications. Can they do the job? Do they offer a report? Is the price competitive? While these questions matter, they miss the bigger picture.

The truth is, most technically proficient testers can find vulnerabilities. But only the best will help you understand what those findings mean, how they affect your risk posture, and what to do next.


What Ayman Highlighted: The Human Factor

During the episode, Ayman shared a common scenario: a penetration test begins with a promising kickoff meeting, followed by radio silence. No status updates, no questions, no signs of life, until the final report lands with a thud in your inbox three weeks later.

You might get a high-level debrief. Or you might not. But what you definitely don’t get is a sense of partnership.

This kind of experience doesn’t just feel bad. It’s dangerous. When communication breaks down:

  • Critical context is lost. Maybe you rolled out a new web app or made a firewall change mid-test. A disconnected tester won’t know, so they may keep testing an environment that no longer matches production, or miss attack surface that was added after kickoff.
  • False positives persist. Scanner output that was never validated against your environment ends up in the report, and you spend time and money chasing ghosts instead of fixing real risks.
  • Remediation suffers. You’re left to read between the lines instead of receiving clear, actionable guidance on what to fix first and how.


At MainNerve: We Do Things Differently

Hearing Ayman’s perspective validated what we’ve built our entire approach on: being great at the technical work is not enough. That’s why communication and transparency are part of our core values, not add-ons.

Here’s what that looks like in practice:

1. A Single Point of Contact

You’re never wondering who to email. Our clients are paired with a lead tester who owns the engagement from scheduling to final report delivery and is available throughout.

2. Mid-Test Check-Ins

We don’t vanish. Whether it’s a daily sync, a mid-week update, or real-time messaging, you’ll know how things are progressing. If we uncover something serious, you’ll hear from us immediately.

3. Interactive Debriefs

Reports are important, but we believe the real value comes from collaboration. We can walk through our findings with your technical teams, answer questions, explain exploit paths, and prioritize fixes if you’d like. Simply ask us for that meeting.

4. Remediation Guidance

We don’t just say, “You have a problem.” We help you solve it. Whether you need clarification, a sample fix, or re-testing after patching, we’re still here to help.


What to Look for When Choosing a Penetration Tester

Whether you’re a CISO for a financial firm or an IT director for a regional healthcare provider, here are a few questions to ask your next penetration testing vendor:

1. What’s your communication process during an engagement?

If they can’t give you a clear plan, including how they handle in-progress updates and how they escalate a critical finding the moment it’s confirmed rather than holding it for the final report, that’s a red flag.

2. Can I speak with the tester who will be performing the work?

You should know who’s behind the keyboard. Relationships matter. Technical chops are important, but so is the ability to explain findings in plain English.

3. How do you prioritize findings?

A good tester doesn’t just dump CVSS scores. A base score says nothing about whether the affected host is internet-facing, what data sits behind it, or which compensating controls are already in place. They’ll help you understand which issues pose the greatest risk in the context of your environment, and which ones can wait.

4. What’s included post-engagement?

Pen tests shouldn’t end with the report. Ask about support for remediation (we don’t do the remediation, but we can help you understand it), follow-up testing, and long-term advisory.


The Industry Is Changing and So Should Your Expectations

The penetration testing industry is at a crossroads. On one side, you have vendors chasing volume: automated scans wrapped in generic reports, performed by testers juggling multiple engagements at once. On the other, you have partners who prioritize quality, clarity, and relationships.

At MainNerve, we’ve chosen the second path. And that’s why Ayman’s comments resonated so deeply with us. Penetration testing is not just a technical service; it’s a trust-based collaboration between security professionals and the businesses they protect.

When you choose a penetration tester, don’t just ask what tools they use or what’s in their methodology. Ask how they work with clients. Ask how they communicate, because the best test in the world won’t help you if the findings don’t make it past the report, or if the report shows up too late to matter.


Final Thoughts: Choose a Partner, Not Just a Vendor

In cybersecurity, clarity is power. And that applies just as much to communication as it does to code. Whether you’re undergoing a compliance audit, preparing for a merger, or just trying to strengthen your defenses, you deserve a pen testing team that treats your business like more than a checklist.

We take pride in our technical capabilities. But we’re just as proud of how we show up for our clients: clear, transparent, and invested in your success.

If you’re looking for a penetration testing partner who values communication as much as expertise, we’d love to connect.


Let’s Talk Security

Reach out to schedule a free consultation with our team. We’ll walk you through our process, answer your questions, and help you determine the best scope and approach for your next test. Because great pen testing isn’t just about what we find, it’s about how we help you fix it.
