Telling whether a pentesting firm is good (and how they might get around it)
Posted on 2020-09-30 by Matt Strahan in Industry
I’ve talked about how it’s almost impossible to validate penetration testing results. Are we done then? Doomed to be left in the dark by ineffective testing?
There are other ways to figure out whether a penetration tester is good. We’ve already talked about things to look for when choosing a penetration testing company. I’d like to be a bit darker in this blog post and put my Evilfirm hat back on. Let’s say you’re a penetration testing firm. How could you present as a good penetration testing company but still deliver shoddy work for cheap?