Questions for prospective pen test consultants

As the information security officer for a financial institution, what questions should I ask prospective penetration

testing consultants before I agree to the test?

While this list isn't exhaustive, here are a few that I would ask:

  • How much experience do you have in performing penetration tests? Can you provide some references of former clients? (Check the references, don't just assume they are valid.)
  • What steps do you take to ensure that your penetration testers do not maliciously destroy data on our systems should they successfully get in? Have you run background checks of any kind on your employees?
  • Will you sign an agreement not to disclose any information that you might obtain as the result of a successful penetration?
  • Describe what you will do for penetration testing. Are you doing anything more than running vulnerability scanners?

    Also, a good paper to read on this subject is, "Penetration Testing -- Is it right for you?", by Jimmy Braden, available on the SANS Institute site.

    For more info on this topic, please visit these SearchSecurity.com resources:
  • On-demand webcast: Audits, assessments and penetration tests
  • Best Web Links: Infrastructure and network security
  • This was first published in December 2003

    Dig deeper on Security Testing and Ethical Hacking



    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.



    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: