  1. Senior Member Nyblizzard's Avatar
    Join Date
    Jan 2013
    Location
    South Florida
    Posts
    325

    Certifications
    A+, Network+, Project+, Security+, Hyper-V, MCSA: Windows 7, CCNA: CyberOps, SSCP
    #1

    Default Pentest company recommendations?

    I've been handed the task of finding a reputable pen testing company for my organization. Not sure what to look for or where to look, so I'm asking here, as we have some of the best folk around. Would appreciate some insight from this community.

  3. Member
    Join Date
    Dec 2017
    Posts
    73
    #2
    Quote Originally Posted by Nyblizzard View Post
    I've been handed the task of finding a reputable pen testing company for my organization. Not sure what to look for/where to look so I'm asking here, as we have some of the best folk around. Would appreciate some insight from this community
    I believe the size of your organization and the cost must come into play, the most important being the cost. I could recommend a Mercedes or Acura, or I could recommend a Kia or Hyundai. Price must come into play. Sometimes people/organizations can't understand the term... you get what you pay for.

    Personally, you would be doing yourself a disservice contacting anyone to provide a service without knowing your budget. Nobody goes to a store and buys clothes without looking at the price tag. You don't want to be surprised at the register, nor do you want to waste your time or that of a potential contacted individual.

    A lot of the SANS instructors have penetration testing services that they provide.

  4. Cyber Donkey slinuxuzer's Avatar
    Join Date
    Jul 2003
    Location
    East Texas
    Posts
    645

    Certifications
    VCDX:NV - A+ Net+ Sec+ MCSA08 CISSP CCNA B.S. IT/WGU
    #3
    Start by defining the scope. Are you actually only looking for a pentest, or are you wanting this company to develop a solution / architecture to fix the issues they find?

  5. Senior Member
    Join Date
    Sep 2016
    Location
    VA
    Posts
    732

    Certifications
    CISSP, PMP, CCNP, FITSP-M
    #4
    You need to know the scope of the test. Do you want just the perimeter? Web apps? Social engineering? What operational restrictions will the testing firm have? Will they be able to flood your network with queries, or do you expect business-as-usual while the test is going on? Will you allow testing at any time of day / day of the week, or will you limit that? Are there certain things they absolutely have to stay away from? Will this be a blind test, or will you give them certain pieces of data in advance?
    2018: CCIE Written (R/S) (done - Jan), CCIE R/S
    After that: MBA, OSCP

  6. Completely Clueless TechGromit's Avatar
    Join Date
    Oct 2015
    Location
    Ontario, NY
    Posts
    1,618

    Certifications
    A+, Network +, Sanity+ (Revoked), GSEC, GCIH, GREM
    #5
    Most SANS instructors do consulting on the side; pretty much any of them would be a safe bet. Black Hills Security and LMG Security are a few that come to mind, but they are located in South Dakota and Montana. I assume you would want to find a company closer to Florida. Just keep in mind SANS-level consultants will not be cheap.
    Last edited by TechGromit; 06-12-2018 at 07:28 PM.
    Still searching for the corner in a round room.

  7. I drink and I know things Ertaz's Avatar
    Join Date
    Jan 2006
    Posts
    795

    Certifications
    CISSP, CSAE, CSAP, CASP, MCSA:Cloud, CSA+, GPEN, CCNA Cyber Ops, Security+, MCP
    #6
    Kore is good.

    https://korelogic.com/testingServices.html

    If you need specialized testing (like manufacturing (OT) or the finance sector), a smaller boutique firm might be more your speed.

  8. California Kid JoJoCal19's Avatar
    Join Date
    Mar 2009
    Location
    Jacksonville, FL
    Posts
    2,565

    Certifications
    CISSP, CISM, CISA, CRISC, GCIA, GSEC, AWS CCP, CEHv8, CHFIv8, ITIL-F, MSISA, BSBA
    #7
    I’d definitely take a look at Rapid7.
    Have: CISSP, CISM, CISA, CRISC, GCIA, GSEC, AWS CCP, CEHv8, CHFIv8, ITIL-F, BSBA - UF, MSISA - WGU
    Currently Working On: MS Cybersecurity, Learning: Linux/CLI, Git, Python, Pentesting
    Next Up: eJPT, eCPPTv2, OSCP
    Studying: Code Academy (CLI, Git, Python), eLearnSecurity PTSv3

  9. Senior Member
    Join Date
    Feb 2012
    Posts
    2,429
    #8
    We do quite a bit of pentesting, and what I always ask a prospect is what they want to get out of the test. We are a boutique shop and we are never a good fit for a company that just wants a checkbox pen test. Bigger firms like Rapid7 tend to cookie-cutter their pen tests, which can be fine if this is the first pen test that your company has ever done or you just need a checkbox. Smaller pen test boutique firms like ours tend to change our attack techniques depending on the target and will generally have much higher compromise rates.

    If your company already has a good security program and you really want to test your actual readiness, then I would suggest you look for a boutique firm. You will be paying a lot more, but the quality is a lot better.

    Good luck.
