833-847-3280
Schedule a Call

How Can I Tell a Real Pen Test from a Fake?

There are a lot of companies selling penetration tests (pen tests), but how do you know if what you are getting is a real pen test? When it’s something that’s less tangible than, say, getting an oil change, it can be hard to determine if what you are purchasing is what you need.

That’s why MainNerve has written up a few pointers.

A Real Pen Test will be more expensive.

Software makes things a lot easier, which typically equates to lower cost. The problem with using only software is that it’s as good as the programming.  The software usually can’t take into account things that a human brain can, like skirting business logic or researching default credentials.

Consequently, a real pen test is more expensive due to a pen tester’s experience.  The more tests they conduct, the more information they have to work with when looking for vulnerabilities. The testers will have a better understanding of what may happen when vulnerabilities are actually exploited and not just scanned.

Don’t worry if a company says they use software to help them find vulnerabilities. Unethical hackers will use all the software they can to try to attack their target. A good pen test should reflect that real-world experience.  It should be a mix of some automated searching and manual testing. It makes things a little easier and quicker, translating into the price.

Testers will have the necessary credentials.

The testers should also have certifications, such as CISSP or OSCP. Many certifications require continuing education to maintain them, showing that the tester is always learning since vulnerabilities are ever-evolving. An ethical pen test company should be proud to display its tester’s certifications.

A real pen test will take more than an hour to test.

Because of the manual nature of a real pen test, the testing time should take more than an hour. A good question to ask any vendor is, “how long will it take?”  The company will probably offer an estimate, as it depends on how many vulnerabilities are found and what types of vulnerabilities are discovered.

The account managers should ask many questions during scoping.

Since a real pen test will involve more than a basic vulnerability scan, giving extra information to the account managers will help the testers conduct a more thorough test. Knowing things like IP addresses, the types of devices, and URLs and credentials for applications will make the test easier and quicker. The testers should be looking at everything they can to let you know if you have any open holes.

For a full red team exercise, where a tester has no knowledge other than who the target is, the time for research could be weeks, meaning you are paying for all that time. That will also translate into the cost, and likely not in a way you want unless you know that red teaming is what you need.

A real pen test company should be able to provide sample reports.

These sample reports will likely be redacted but should reflect the type of work the company does. They should be more than a list of Common Vulnerabilities and Exposures (CVE), also known as a vulnerability scan. The report should have screen captures to prove a vulnerability was discovered and remediation recommendations.

 

Many factors go into a real pen test and how you can determine if a company is providing that service. We here at MainNerve hope this helps you make that determination.  We strive for transparency when and wherever we can.

Latest Posts

A transparent image used for creating empty spaces in columns
In the ever-evolving world of cybersecurity, penetration testing (pen testing) stands out as a critical component of an effective defense strategy. For MSPs (Managed Service Providers) and MSSPs (Managed Security Service Providers), the value of pen testing goes beyond identifying vulnerabilities—it’s about proving value to…
A transparent image used for creating empty spaces in columns
 With less than three months remaining until the deadline for PCI DSS 4.0 compliance, now is the time to assess your business’s status and determine what steps you need to take. The Payment Card Industry Data Security Standard (PCI DSS) sets security requirements to…
A transparent image used for creating empty spaces in columns
In today’s increasingly digital world, organizations face a growing number of threats from cybercriminals seeking to exploit weaknesses in systems, networks, and even human behavior. Understanding your attack surface—the totality of vulnerabilities and entry points an attacker could exploit—is essential for protecting your business. Whether…
A transparent image used for creating empty spaces in columns
 The Payment Card Industry Data Security Standard (PCI DSS) has long been a cornerstone for protecting cardholder data against theft and fraud. With the introduction of PCI DSS 4.0, organizations handling payment card information must implement several significant updates to enhance security and provide…
A transparent image used for creating empty spaces in columns
Yes, penetration testing is a proactive approach to cybersecurity. It involves simulating attacks on systems, networks, or applications to uncover vulnerabilities and weaknesses before malicious actors can exploit them. By identifying and addressing these security issues early, penetration testing strengthens an organization’s defenses and reduces…
A transparent image used for creating empty spaces in columns
  March 31st, 2025, is fast approaching, and it’s a pivotal date for businesses handling payment card data. This marks the deadline for full compliance with PCI DSS 4.0, the latest version of the Payment Card Industry Data Security Standard. If your organization processes, stores,…
contact

Our Team

Name(Required)
This field is for validation purposes and should be left unchanged.
On Load
Where? .serviceMM
What? Mega Menu: Services