How to Choose a Security Assessment Provider: A Buyer's Checklist
Choosing the wrong security assessment provider is worse than not testing at all. A superficial assessment gives you a false sense of security, ticks a compliance box without finding the vulnerabilities that matter, and wastes budget that could have been spent on a provider who actually finds and helps you fix real issues. This guide gives you a practical checklist for evaluating providers so you can make an informed decision.
Why Choosing the Right Provider Matters
A penetration test or security assessment is not a commodity product, even though parts of the market treat it as one. The quality difference between a thorough, manually-driven assessment and a box-ticking exercise can be enormous. A skilled consultant will find business-logic vulnerabilities, chained attack paths, and misconfigurations that automated scanners miss entirely. A poor provider will run a Nessus scan, export the results into a branded PDF, and call it a penetration test. If you want to understand the difference between the tools a good provider uses and those a poor one relies on, our penetration testing tools comparison breaks down every major tool by category, strengths, and limitations.
The consequences of choosing poorly are real. If you need the assessment for compliance purposes, such as PCI DSS, ISO 27001, SOC 2, or NIS2, a superficial test may not satisfy auditor requirements. You will have spent the budget and still need to pay for a proper assessment. If you need the assessment to genuinely understand your security posture, a provider that misses critical vulnerabilities leaves you exposed. You believe you have been tested, your board has been told the results were acceptable, and yet the vulnerabilities remain for an attacker to find.
The difference between a good and a bad assessment is not always visible from the outside. Both providers will send you a professional-looking report. Both will list findings with severity ratings. The difference is in the depth: did the tester manually explore every attack surface, or did they rely primarily on automated tools? Did they test business logic, authentication flows, and authorisation boundaries, or did they only check for known CVEs? Did they provide actionable remediation advice, or just generic recommendations copied from a template?
This guide will help you evaluate providers before you sign a contract so you can distinguish between a genuine security assessment and a PDF-generation exercise.
Certifications and Qualifications
Certifications are not a guarantee of quality, but they are a useful baseline. They tell you that the tester has passed a standardised examination that validates a certain level of knowledge and practical skill. Here is what to look for and what each certification actually means.
CREST (CRT, CCT)
CREST is an international accreditation body for the cybersecurity industry. CREST Registered Tester (CRT) is the entry-level certification, demonstrating competence in infrastructure and web application testing. CREST Certified Tester (CCT) is the senior-level certification, requiring significantly more depth and experience. CREST accreditation is particularly important in the UK market, where many enterprises and public sector bodies will only engage CREST-accredited firms. If a consultancy has CREST company accreditation, it means they have been audited for their processes, data handling, and quality assurance in addition to their individual testers being certified.
OSCP (Offensive Security Certified Professional)
OSCP is widely regarded as the benchmark for demonstrating hands-on penetration testing skill. The examination is a 24-hour practical test in which the candidate must compromise multiple machines and then write up the attack path. It proves that the holder can actually find and exploit vulnerabilities rather than answer multiple-choice questions about them. If your provider's testers hold OSCP, you can be confident they have practical offensive skills, with one caveat: the OSCP labs are weighted towards network and host exploitation, so the certification says little about depth in web application or business-logic testing, which is where the findings that matter most in an application assessment usually live.
OSCE (Offensive Security Certified Expert)
OSCE has been retired and replaced by the OSCE³ set of certifications: OSEP (Offensive Security Experienced Penetration Tester) for advanced evasion techniques and Active Directory attack chains, OSWE for web application exploitation, and OSED for custom exploit development. These go well beyond standard penetration testing. If your assessment requires advanced skills, such as red teaming or testing hardened environments, look for testers with these credentials, and match the credential to the work: OSEP for red teaming and hardened Windows estates, OSWE for deep application testing.
CHECK (UK Government)
CHECK is the NCSC (National Cyber Security Centre) scheme for approving companies to test UK government systems. CHECK team leaders must hold CREST CCT or equivalent. If you are a government body or public sector organisation in the UK, you should only use CHECK-approved providers for testing systems that handle government data.
GPEN and CEH
GPEN (GIAC Penetration Tester) is a respected certification issued by GIAC, the SANS Institute's certification body, and demonstrates a broad understanding of penetration testing methodology. CEH (Certified Ethical Hacker) is one of the most widely held certifications but is less valued among technical practitioners because the core exam is multiple-choice; a separate hands-on CEH Practical exists but is far less commonly held. CEH alone should not be considered sufficient evidence of testing capability, though it can complement other practical certifications.
Questions to Ask Before Signing
Before you sign a contract or accept a proposal, ask these questions. The answers will tell you a lot about the provider's quality, professionalism, and suitability for your specific needs.
Ask which testing methodology the provider follows. A credible provider will reference established frameworks such as the OWASP Web Security Testing Guide (WSTG) for web applications, PTES (Penetration Testing Execution Standard) or NIST SP 800-115 for general testing, or OSSTMM (Open Source Security Testing Methodology Manual). They should be able to explain how their methodology maps to your specific scope and what each phase of the assessment involves. Vague answers like "we use industry best practices" without naming specific frameworks are a warning sign.
Ask for named testers and their credentials. Some firms sell engagements using senior consultants and then assign the work to junior staff. You have a right to know who will be testing your systems, what certifications they hold, and how many years of experience they have. If the provider cannot or will not name the testers, consider that a red flag.
Ask what retesting is included. After you remediate findings, you need the provider to verify that the fixes are effective. Some providers include one round of retesting in the engagement price. Others charge separately. Some do not offer retesting at all. Understand what is included before you sign, because retesting is essential for closing the loop on vulnerabilities and demonstrating to auditors that issues have been resolved.
Ask whether the provider delivers findings through a secure client portal or simply emails a PDF. Portal delivery offers significant advantages: real-time access to findings as they are logged, remediation tracking, secure access controls, and an audit trail. Email delivery means your sensitive vulnerability data is sent as an attachment that could be forwarded, lost, or intercepted. The delivery model tells you a lot about how modern and client-focused the provider is. For more on why this matters, see our guide on why security consultancies need client portals.
Get a clear breakdown of what the quoted price covers. Does it include a debrief call to walk through findings? Is retesting included? What about ongoing support if your team has questions during remediation? Some providers offer a bare-bones test with everything else charged as extras. Others include a comprehensive package. Make sure you are comparing like for like when evaluating proposals.
Ask how the provider communicates during the engagement. Will they notify you immediately if they find a critical vulnerability? Do they provide a daily status update? Is there a dedicated point of contact? The best providers will flag critical findings in real time so your team can begin remediation before the engagement is complete.
Any reputable security testing provider will carry professional indemnity insurance and public liability insurance. Ask for proof of coverage and check that the policy limits are appropriate for the engagement. This protects both parties if something goes wrong during testing.
Red Flags to Watch For
Not all providers are equal. Here are warning signs that should make you reconsider before engaging a security testing firm.
Running Nessus or Qualys and reformatting the output is a vulnerability scan, not a penetration test. A genuine penetration test requires manual testing by a skilled consultant who explores business logic, authentication, authorisation, and other areas that automated tools cannot assess. If the provider's methodology is essentially "run a scanner and export the results," you are paying penetration testing prices for a vulnerability scan.
If a provider refuses to tell you who will be testing your systems, it may be because the testers are junior, uncertified, or subcontracted to a third party you have not vetted. You should know who is accessing your systems and what their qualifications are.
Security testing has well-established market rates. A web application penetration test that should take 5 days cannot be done properly for 1,500 USD. If a quote is significantly below market rates, the provider is either cutting corners on methodology, using junior testers without adequate supervision, or relying heavily on automated tools. For context on what assessments should cost, see our guide on how security services are priced.
Every established provider should have a redacted sample report they can share during the sales process. If they cannot show you what their deliverable looks like, you have no way to evaluate the quality of their output before committing. A reluctance to share a sample often indicates that the provider knows their report quality is below expectations.
Providers who only deliver via emailed PDFs with no remediation tracking, no client portal, and no way to manage findings are using a delivery model from a decade ago. Modern providers use platforms that give you secure, real-time access to findings and support the full remediation lifecycle.
If the provider does not offer retesting or charges excessively for it, they are not invested in your actual security improvement. The purpose of a security assessment is not just to find vulnerabilities but to ensure they get fixed. Retesting is the mechanism that closes the loop.
A provider that sends you a quote without a scoping call has not taken the time to understand your environment, your concerns, or your specific requirements. A proper scoping call is where the provider asks about your technology stack, the number of user roles, the size of the application, any areas of particular concern, and the context for the assessment. Without this, the estimate is guesswork.
Evaluating Report Quality
The report is the primary deliverable of any security assessment. It is what you share with your development team, your CISO, your board, and your auditors. A good report is actionable, clear, and useful for both technical and non-technical audiences. A bad report is a wall of scanner output that nobody reads. For a detailed breakdown of what makes a strong report, see our guide on how to write a penetration test report.
Always ask for a redacted sample report before signing. When reviewing it, check for these elements:
The executive summary should be written for a non-technical audience. It should explain the overall risk level, the most critical findings, and the recommended priorities in plain language. If the executive summary reads like a technical findings list, it is not doing its job.
Each finding should include a CVSS score with the full vector string, not just a label like "High" or "Critical". The vector string shows how the score was built from the individual metrics (attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity and availability impacts), so you can recompute the score yourself and judge whether the severity fits your context, for example a host that is only reachable over the corporate VPN. Ask which CVSS version the provider scores against (v3.1 is still the most common; v4.0 uses a different metric set, so scores are not directly comparable across versions) and whether they report only the base score or also adjust it for your environment. Providers who use CVSS consistently demonstrate a standardised, reproducible approach to severity assessment.
Every finding should include clear steps to reproduce the vulnerability, along with evidence such as screenshots, HTTP request and response pairs, or code snippets. Your development team needs this information to understand the finding and verify their fix. Findings without reproduction steps are almost useless to the people who need to remediate them.
Remediation advice should be specific and practical, not generic. "Implement proper input validation" is not helpful. "Implement server-side input validation using parameterised queries for all database interactions, and add output encoding using your framework's built-in templating engine to prevent XSS" is helpful. The remediation guidance should give your developers enough information to fix the issue without needing to research the vulnerability from scratch.
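To make the contrast concrete, here is an added Python example (not from the guide or any provider's report) of what the specific advice above looks like once a developer applies it: the string-built query that the generic advice leaves in place beside its parameterised replacement, and raw interpolation of a stored display name into HTML beside the output-encoded form. The in-memory user table, the stored payload and the attacker input are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "Alice", 1),
            ("bob", "Bob", 0),
            # A display name a previous attacker managed to store (constructed):
            ("mallory", '<img src=x onerror="alert(document.cookie)">', 0),
        ],
    )
    return conn


# --- Finding: SQL injection in the user lookup ---------------------------------

def find_user_vulnerable(conn, username):
    """Before: user input is spliced into the SQL text, so a quote in the
    input ends the string literal and whatever follows becomes SQL."""
    sql = f"SELECT username, display_name FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username):
    """After: parameterised query. The driver hands the value to the engine
    separately from the statement, so it is only ever compared as data."""
    sql = "SELECT username, display_name FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Finding: stored XSS on the profile page -----------------------------------

def render_profile_vulnerable(display_name):
    """Before: the stored value is written straight into the HTML."""
    return f"<h1>Welcome, {display_name}</h1>"


def render_profile_fixed(display_name):
    """After: output encoding at the point of rendering. quote=True also
    encodes ' and ", so the same helper is safe inside attribute values."""
    return f"<h1>Welcome, {html.escape(display_name, quote=True)}</h1>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attacker input
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every row comes back
    print("fixed:     ", find_user_fixed(conn, payload))       # []
    for _, name in find_user_fixed(conn, "mallory"):
        print(render_profile_vulnerable(name))
        print(render_profile_fixed(name))
```

Two points a good remediation section would also spell out, because they are where developers commonly get the fix wrong: parameters protect values only, so a user-controlled table name or ORDER BY column still needs an allowlist; and output encoding must match the output context (HTML body, attribute, JavaScript string, URL), which is why naming the framework's templating engine, with its context-aware escaping, is more useful than "encode output".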
Delivery Model: Email vs Portal
How your provider delivers findings and reports matters more than most buyers realise. The delivery model directly affects your ability to remediate findings effectively, track progress over time, and demonstrate compliance to auditors.
Modern security assessment providers deliver through secure client portals. This is not a nice-to-have feature. It is a fundamental improvement in how assessment results are communicated, tracked, and acted upon.
Email delivery:
- ✕ Sensitive vulnerability data sent as an attachment with no end-to-end encryption
- ✕ No version control on report documents
- ✕ No remediation tracking or workflow
- ✕ No audit trail of who accessed findings
- ✕ Reports get lost in inboxes or forwarded insecurely

Client portal delivery:
- ✓ Encrypted, authenticated access to findings
- ✓ Single source of truth, always current
- ✓ Built-in remediation workflow and tracking
- ✓ Complete audit trail for compliance evidence
- ✓ Real-time access to findings during assessment
When evaluating a provider, ask whether they use a client portal for delivery. If they do, ask for a demo of the portal experience. Check whether the portal supports finding-level remediation tracking, whether clients can add comments or notes to findings, and whether there is an audit log of who accessed what and when. These features are not luxury extras. They are the mechanisms that turn a one-time assessment into an ongoing improvement process.
Providers who use AI-assisted reporting platforms can also deliver more consistent report quality, because the platform applies the same structure, tone, and level of detail to every engagement. Ask whether the provider uses AI-assisted report generation, whether a consultant reviews every generated finding before it is released to you, and where the processing happens: your findings are sensitive data, so you want to know whether they are sent to a third-party model provider and under what data-handling terms. For an overview of what to expect during the assessment process itself, see our guide on what to expect from a security assessment.
Pricing Transparency
Security assessment pricing varies widely, and understanding what you are paying for is essential to making a fair comparison between providers. The cheapest quote is almost never the best value, and the most expensive is not always the best quality. What matters is understanding the pricing structure and what is included.
Day Rate vs Fixed Price
Some providers quote a day rate multiplied by the estimated number of testing days. Others quote a fixed price for the entire engagement. Day rates are more transparent because you can see exactly what you are paying for each day of testing. Fixed prices are easier to budget but can hide the actual level of effort. If a provider quotes a fixed price, ask how many testing days are included. A 5,000 USD web application test that includes 3 days of testing is a very different proposition from one that includes 7 days.
What Is Included
Ask explicitly what the quoted price covers. Common inclusions and exclusions that affect the total cost: retesting (one round included or charged separately), debrief call (included or extra), report delivery format (PDF only or portal access), ongoing support during remediation (time-limited or not included), and scoping and pre-engagement preparation (included in the price or billed separately). Two quotes that look similar on the surface can differ significantly once you account for these extras. Always compare the total cost of the engagement, including everything you need, rather than just the headline price.
Scope-Based Pricing
Good providers price based on scope: the number of IP addresses, the number of web application pages or API endpoints, the number of user roles to test, and the complexity of the environment. This approach produces accurate estimates because the effort is tied to the actual work required. Be wary of providers who quote without asking detailed scoping questions. If they do not understand your environment, their estimate is a guess, and guesses tend to be either too low (meaning corners will be cut) or too high (meaning you are overpaying).
Look for providers who use modern platforms.
SecPortal powers security consultancies with AI report generation, branded client portals, and automated engagement management. Ask your provider if they use SecPortal.