If you want to know how to choose a penetration testing company, start with what a poor one looks like. No verifiable accreditation. A quote produced without any scoping conversation. Testers you are never told the names of. A report that reads like an automated scan with a logo stuck on the front. Rule those out first, then judge the shortlist on accreditation, the individual testers, methodology and reporting.
Penetration testing is one of the harder services to buy well. Most buyers only commission one once or twice a year, so they cannot easily judge the quality of the work itself. That gap is exactly what weaker providers exploit.
How to choose a penetration testing company, in short
Check four things before you sign anything. Look for real, verifiable accreditation: CREST, or CHECK for public sector work. Ask for named testers with relevant experience. Confirm the methodology goes beyond automated scanning, and make sure the report is one your own team can act on. Get those four right and price becomes easy to compare fairly. You end up judging like against like instead of guessing.
Red flag: the provider cannot say why the timing matters
A test bought to satisfy an annual PCI DSS obligation is a different job from one bought ahead of a product launch: the scope, the depth and the evidence you need at the end all differ. A good provider asks which situation you are in before pricing anything. If a supplier proposes the same generic package regardless of the reason you are buying, they have not engaged with your actual requirement. They are working from a template they send to everyone.
Red flag: a quote with no scoping conversation
A fixed price emailed back within the hour, with no questions asked about your systems, is a warning sign. The National Cyber Security Centre’s guidance on penetration testing says scoping works best when risk owners, technical staff and the testers work together. It should not be a form filled in by a salesperson. If nobody asks what you actually run before pricing the job, the test itself is likely to be just as generic.
Red flag: accreditation you cannot verify
CREST membership is the accreditation most UK penetration testing companies point to, and rightly so. It means the organisation’s methodology, quality management and staff competence have been independently assessed. Individual testers also hold CREST qualifications such as CPSA (a written exam) and CRT (a practical one), with CCT at the senior level. The catch is that “CREST accredited” is sometimes used loosely: a company with one CRT-qualified employee is not a CREST member company. Ask for the specific membership details. Check them against CREST’s own member directory, rather than taking a logo on a website at face value.
If you work in the public sector, critical national infrastructure, or supply government contracts, you likely need CHECK too. The NCSC runs CHECK so that testing on OFFICIAL-tier government systems meets a trusted standard. Every CHECK Team Leader must hold Security Clearance. A company can be CREST accredited without being CHECK-approved. Confirm which one your contract actually requires.
Red flag: you never find out who is doing the work
A sales team can sound impressive without the delivery team matching it. Ask for the names, certifications and relevant experience of the testers assigned to your job. Do not settle for the company’s most senior consultant, wheeled out only for the marketing photo. A provider that dodges this question, or offers only vague reassurance, is worth pushing on before you sign.
Asking for a redacted sample report from a similar past engagement is a fair, normal request. Hesitation here usually tells you something.
Red flag: a scan wearing a penetration test’s name tag
Automated vulnerability scanning and manual penetration testing get sold under the same heading more often than buyers realise. The price difference is usually the biggest clue. A scanner compares what it can see (service versions, banners, configuration) against a database of known weaknesses, and cannot tell you whether a flagged issue is actually exploitable in your environment. A manual test involves a person actively chaining smaller weaknesses together the way a real attacker would, then confirming what is genuinely exploitable. The NCSC is direct about this: test quality is closely tied to the ability of the individual tester, because the work “cannot be entirely procedural.”
Ask what proportion of the engagement is manual versus automated, and get the answer in writing. If a provider cannot answer clearly, treat the whole quote with caution.
Red flag: no mention of your actual compliance requirement
If your test needs to satisfy PCI DSS, the provider should already know the rules without being prompted. The methodology must follow an industry-accepted approach. It must cover the cardholder data environment from both outside and inside the network, at both the network layer and the application layer, and it must be repeated at least annually and after any significant change. The tester must be organisationally independent from whoever manages those systems day to day. That tester does not need to be external to your company, and does not need to be a QSA or ASV, but they cannot also run the systems being tested.
Cyber Essentials and Cyber Essentials Plus, by contrast, do not require a penetration test at all. Cyber Essentials is a self-assessment against five technical controls; CE+ adds an assessor-run audit built on external and authenticated internal vulnerability scans plus hands-on checks of those same controls. A provider who is not clear on this distinction has not done the groundwork. They should be able to tell you exactly which certification your engagement is supporting.
Red flag: a report you cannot hand to your developers
A genuinely useful penetration test report ranks findings by real-world risk in your environment, not just a CVSS score or a severity label. It explains exactly how each issue was found, with the evidence and reproduction steps your team needs to fix and verify it without a follow-up call. If a provider cannot show you a redacted example in advance, that is a bad sign. A thin sample usually means a thin final report. Also confirm whether a retest of fixed issues is included, because plenty of contracts quietly leave it out.
Red flag: the cheapest quote by a wide margin
Penetration testing costs in the UK vary a great deal depending on scope, so some spread between quotes is normal. What is not normal is one bid coming in at a fraction of every other quote for the same scope. That gap is almost always testing depth, not efficiency. It usually shows up later as a scan-based report with little manual work behind it.
If you would like help working through a scope, or a quote you already have, Aardwolf Security’s team is happy to take a look. There is no obligation. You can get in touch whenever you are ready to talk specifics.
Frequently asked questions
What is the biggest mistake businesses make when choosing a penetration testing company?
Comparing quotes on price alone, before checking scope, accreditation and how much of the work is genuinely manual. Two quotes can look similar and represent very different amounts of testing.
Is CREST accreditation always necessary?
Not legally, but it is the baseline many UK regulators, insurers and larger clients expect, and public sector work may require CHECK instead or as well. Without it, more of the verification work falls on you.
Can we run the test with our own internal staff?
Often, yes. For PCI DSS the tester must be organisationally independent from the team managing the systems, and in any case they need documented, relevant experience. Many organisations still prefer an external firm for a fresh set of eyes and to avoid conflicts of interest.
How do we spot an automated scan being sold as a full penetration test?
Ask directly what proportion of the work is manual. Request a sample report. Check whether findings are confirmed as exploitable or just flagged as theoretically possible.
Should the report include a retest?
Ideally, yes, either included in the price or offered clearly as a paid add-on. Confirm this before you sign rather than assuming it is standard.
What if we have never bought a penetration test before?
Say so upfront. A supplier worth hiring explains the process in plain terms and scopes to what you actually need. They should not treat your inexperience as a reason to sell a bigger package than necessary.