Top 5 things you need in a Pen Tester

Amy is a Cyber Security Specialist at Cognisys Group, a team of cyber security experts who exist to improve your cyber security posture. They offer a number of Cyber Security Solutions, including penetration testing, cyber security consulting and security awareness training.

There are a lot of good security service providers on the market right now, and it can be difficult to choose which organisation is the right one to work with. Using ALLOWLIST is a great way to make sure you’ve selected a reputable business, but we have pulled together some top tips to help you narrow down your search and choose the right security services partner for your business. So, who you gonna call?


Cyber security is a complex topic, so you want to make sure you’re working with people who have the right knowledge to guide you on your journey to improve your security posture. One way of checking a business’ technical prowess is to look at what certifications they hold.

As a minimum, we’d expect a pen testing organisation to be CREST accredited and hold Cyber Essentials Plus. This means that an independent body has audited the business and verified their security credentials. There are some mega-talented people out there who don’t hold these badges, but we think they’re a great benchmark if you’re dipping your toe in the security services water.

You may also want to check whether an organisation deploys junior pen testers on their engagements and, if so, whether more experienced consultants oversee their work. Some of the more generic tests may be simple enough for junior members of a consulting team to complete, but it’s best practice to always have a senior engineer double check their work.


As security providers expand their services to enable more longstanding partnerships, through “As-a-Service” offerings and longer-term engagements, it’s important that you find a company to partner with that fits the culture of your business, and who you’ll enjoy working with! That’s right, work doesn’t have to be boring!!

We’d recommend checking out the social media accounts and website of your prospective providers to see whether they’re more of a corporate business or a bit more informal. Finding a business that “gets” you and speaks your kind of language will make any partnership run more smoothly and you’ll probably end up being much more engaged!


Whoever your chosen provider is, you should ensure that they have a good reputation in the market. In this industry, it can be difficult to get public case studies as a lot of companies don’t want their dirty washing aired in public. Organisations can get around this by anonymising case studies, changing the names of the organisations but keeping the facts the same.

Reputable businesses should also be able to provide customer references on request, and you shouldn’t be afraid to ask the question when you’re talking to a salesperson. You’ll get a better idea of whether the company is a good fit for your business too if they have referenceability in your sector or industry.


Companies looking to provide services like penetration testing should be asking you to confirm the scope of the project prior to providing pricing. Before completing any scoping documentation, it’s best to complete an NDA with your chosen partner so you can share information about your applications, infrastructure, and environment, as well as being free to voice any concerns you have.

Also, for penetration testing specifically, it’s key for a partner to understand the size of the job to be able to provide accurate pricing. A web application test can take anywhere from a few hours to several days, so be prepared to answer questions in order to get your price.

Your chosen partner should be helping you achieve the biggest bang for your buck with the budget you have available, so make sure you discuss priorities with them and ask why they’re recommending certain services.


Finally, it might not always be top of your list when choosing your security services partner, but finding a company with the correct level of Professional Indemnity (PI) Insurance should definitely be on your tick list.

Knowing an organisation is covered in the (highly unlikely) event that something goes wrong should give you peace of mind. Smaller companies or self-employed contractors don’t always carry a high level of PI Insurance, meaning that if they do make mistakes which cost your business money or damage your reputation, you may find yourself out of pocket.
