
How Can I Tell a Real Pen Test from a Fake?

There are a lot of companies selling penetration tests (pen tests), but how do you know if what you are getting is a real pen test? When it’s something that’s less tangible than, say, getting an oil change, it can be hard to determine if what you are purchasing is what you need.

That’s why MainNerve has written up a few pointers.

A Real Pen Test will be more expensive.

Software makes things a lot easier, which typically equates to lower cost. The problem with using only software is that it's only as good as its programming. Software usually can't take into account things that a human brain can, like skirting business logic or researching default credentials.

Consequently, a real pen test is more expensive because you are paying for a pen tester's experience. The more tests they conduct, the more information they have to work with when looking for vulnerabilities. The testers will have a better understanding of what may happen when vulnerabilities are actually exploited and not just scanned.

Don't worry if a company says they use software to help them find vulnerabilities. Unethical hackers will use all the software they can to try to attack their target. A good pen test should reflect that real-world experience. It should be a mix of some automated searching and manual testing. The automation makes things a little easier and quicker, which is reflected in the price.

Testers will have the necessary credentials.

The testers should also have certifications, such as CISSP or OSCP. Many certifications require continuing education to maintain them, showing that the tester is always learning since vulnerabilities are ever-evolving. An ethical pen test company should be proud to display its testers' certifications.

A real pen test will take more than an hour.

Because of the manual nature of a real pen test, testing should take more than an hour. A good question to ask any vendor is, "How long will it take?" The company will probably offer an estimate, as it depends on how many vulnerabilities are found and what types of vulnerabilities are discovered.

The account managers should ask many questions during scoping.

Since a real pen test will involve more than a basic vulnerability scan, giving extra information to the account managers will help the testers conduct a more thorough test. Knowing things like IP addresses, the types of devices, and URLs and credentials for applications will make the test easier and quicker. The testers should be looking at everything they can to let you know if you have any open holes.

For a full red team exercise, where a tester has no knowledge other than who the target is, the time for research could be weeks, meaning you are paying for all that time. That will also translate into the cost, and likely not in a way you want unless you know that red teaming is what you need.

A real pen test company should be able to provide sample reports.

These sample reports will likely be redacted but should reflect the type of work the company does. They should be more than a list of Common Vulnerabilities and Exposures (CVEs), which is just a vulnerability scan. The report should include screen captures proving that a vulnerability was discovered, along with remediation recommendations.

Many factors go into a real pen test and into determining whether a company is providing that service. We here at MainNerve hope this helps you make that determination. We strive for transparency whenever and wherever we can.
