By EJN Labs · 18 Jun 2026 · 11 min read
The most useful questions to ask a penetration testing provider cover accreditation, scoping, methodology, who tests, the report, retesting, data handling, insurance, references and pricing. Strong answers are specific and evidenced, not reassuring generalities. Use the ten below to separate genuine assurance from a slick sales pitch.
Choosing a penetration testing provider is hard because almost every firm says the same thing on its website: certified team, thorough methodology, clear reporting. The difference shows up when you ask the right questions and listen for specific, evidenced answers rather than reassurance. This guide gives you ten penetration testing questions to ask, why each matters, and what a strong answer actually sounds like, so you can shortlist with confidence. For the broader decision, see our parent guide to CREST penetration testing and our run-down of the best UK penetration testing provider criteria.
How to use these pen test provider questions
Treat this as a scorecard, not a script. Ask the same ten questions of every provider on your shortlist and write down the answers, because the comparison is where the signal lives. The point of knowing what to ask a pentest company is to surface gaps before you sign, not after the report lands. For a fuller decision framework, read how to choose a penetration testing company, and to spot the warning signs early, see our list of red flags when choosing a penetration testing company.
The 10 questions to ask a penetration testing provider
1. Are you and your testers CREST accredited, company and individual?
Why it matters: CREST accreditation is awarded to the company after an audit of its processes, and separately to individuals who pass rigorous practical exams. A firm can employ a CREST-qualified contractor without holding company accreditation, so ask about both. CREST membership gives you an independent assurance of method, reporting quality and a complaints route if something goes wrong.
A strong answer sounds like: “Yes, we hold CREST company accreditation, and the named testers on your engagement hold individual CREST certifications. Here is our membership listing.” If a provider blurs the company-versus-individual distinction or cannot point you to a public listing, treat that as a flag. For the detail, see what CREST accreditation is and how CREST compares to CHECK and non-accredited testing.
2. Will you run a scoping call before quoting?
Why it matters: a price produced without a scoping conversation is a guess. Penetration testing is priced in tester-days, and the day count depends on how many assets there are and how deeply they are tested. A provider who quotes off a single web form, without ever asking how many applications, user roles or APIs are in scope, is either padding for unknowns or will raise a change request mid-engagement.
A strong answer sounds like: “Yes, we scope on a short call before quoting, usually around thirty minutes, so we confirm the asset inventory and depth before we put a number to it.” A named scoping call is one of the clearest signs you are dealing with a serious provider rather than a price generator.
3. What methodology and standards do you follow?
Why it matters: a credible test follows a recognised methodology so coverage is consistent and repeatable, not dependent on whichever tester picks up the work. You want the relevant frameworks named for your asset type, and an explanation of how manual testing sits alongside automated tooling. A test that is purely an automated scan with a logo on top is not a penetration test.
A strong answer sounds like: “We follow OWASP for web and API testing, the OWASP Mobile guide for mobile apps, and structured network methodologies aligned to CREST and NCSC guidance. Scanning gives us coverage, but the findings that matter, business logic and access-control flaws, come from manual testing by an experienced tester.” If methodology is hand-waved, the depth of testing probably is too.
4. Who exactly will test, and what are their certifications?
Why it matters: the single biggest variable in test quality is the person doing the work. Some firms win on price by selling senior expertise and delivering junior or offshore execution. You are entitled to know the seniority and certifications of the actual testers, not the partners who pitched you.
A strong answer sounds like: “Your testing is delivered by senior and principal testers, never juniors or associates, and we will tell you who is assigned and what certifications they hold before the engagement starts.” At EJN Labs every engagement is delivered by senior and principal testers, which is also why our pricing is driven by scope complexity rather than a tiered seniority rate.
5. What does the report include, and is it audit-ready?
Why it matters: the report is the deliverable you actually keep. A weak report is a raw scanner dump with severity labels and no context. A strong one serves three audiences: an executive summary for the board, a technical body your engineers can reproduce, and a remediation track your auditor can sign off. If you test for a compliance driver, the report has to stand up as evidence.
A strong answer sounds like: “Every report includes an executive summary, a technical findings section with reproducible steps and CVSS ratings, prioritised remediation advice, and a structure built to satisfy CREST, ISO 27001, Cyber Essentials Plus or PCI DSS requirements.” Ask to see a redacted sample so you can judge quality before you commit.
6. Is a retest of fixes included?
Why it matters: finding vulnerabilities is only half the job. A retest confirms the issues you fixed are actually closed, and many compliance schemes expect that verification. Some providers treat the retest as a chargeable follow-up, which can quietly add cost and friction at exactly the point you need a clean result for an auditor or customer.
A strong answer sounds like: “Yes, a retest of remediated findings is included, and you receive an updated report confirming the fixes.” EJN Labs includes free retests as standard, so you can demonstrate closure without a second invoice. If a retest is not included, get the price and turnaround in writing before you sign.
7. How do you handle our data, and what is in the NDA?
Why it matters: a penetration test gives an external party deep access to your systems and findings. You need to know where test data and the report are stored, how long they are retained, who can access them, and how they are destroyed afterwards. A mutual non-disclosure agreement should be standard, and an ISO 27001-certified provider can show you the information security controls behind those promises.
A strong answer sounds like: “We sign a mutual NDA before any access, store engagement data within our ISO 27001-certified controls, restrict access to the assigned team, and securely destroy data on an agreed schedule.” As a firm holding ISO 27001, Cyber Essentials and Cyber Essentials Plus, we treat your data with the same rigour we test for. Vagueness here is a serious concern.
8. Do you carry professional indemnity insurance, and at what level?
Why it matters: penetration testing is intrusive by design, and on rare occasions something can go wrong. Professional indemnity and public liability cover protect you if a test causes loss or disruption. The level should be proportionate to your engagement and your own contractual obligations to customers.
A strong answer sounds like: “Yes, we hold professional indemnity and public liability insurance, and we can provide a certificate confirming the cover level.” A provider who cannot evidence insurance, or who is evasive about the level, is asking you to carry a risk that should sit with them.
9. Can you share references or redacted sample reports?
Why it matters: claims are easy, evidence is not. References from comparable clients and a redacted sample report let you verify quality and fit before money changes hands. A provider with a strong track record will have both ready; reluctance can mean thin experience or unhappy clients.
A strong answer sounds like: “Yes, we can put you in touch with reference clients in a similar sector and share a redacted sample report so you can see the standard of our findings and remediation advice.” Read the sample for depth: are findings explained and reproducible, or just listed? That tells you more than any sales call.
10. How is pricing structured: fixed price or day rate?
Why it matters: you need to know whether the number you are quoted is the number you pay. Transparent providers build a price from a defined scope and tell you the day-range up front. Opaque ones quote low to win, then add change requests once they are inside. Ask how the price is derived and what would cause it to change.
A strong answer sounds like: “Our price is built from a defined scope, a set number of tester-days at a clear UK day rate, fixed in writing before you sign. It only changes if the scope changes, and we agree that with you first.” EJN Labs prices on scope complexity with fixed, written quotes and no junior-rate games. For how scope drives the figure, see our penetration testing cost hub.
How EJN Labs answers these questions
We wrote this scorecard from the answers we give buyers every week. EJN Labs holds CREST accreditation as a company, and our individual testers hold CREST certifications, so the assurance is verifiable at both levels. We scope every engagement on a named call before quoting, follow recognised OWASP, CREST and NCSC-aligned methodologies, and assign senior and principal testers only. Our reports are built audit-ready for CREST, ISO 27001, Cyber Essentials Plus and PCI DSS evidence, and a retest of remediated findings is included free as standard.
Commercially, we sign a mutual NDA before any access, handle your data within ISO 27001-certified controls, carry professional indemnity and public liability insurance, and provide a fixed, written price driven by scope complexity. We are glad to share references and a redacted sample report on request. Holding CREST plus Cyber Essentials, Cyber Essentials Plus, ISO 27001 and ISO 9001 is what lets us answer all ten questions with evidence rather than adjectives.
Frequently Asked Questions
What are the most important questions to ask a penetration testing provider?
The most important questions to ask a penetration testing provider cover CREST accreditation at company and individual level, whether they run a scoping call before quoting, their methodology, who exactly will test and their certifications, what the report includes, whether a retest is included, how they handle your data, their insurance, references, and how pricing is structured. Strong answers are specific and evidenced rather than reassuring generalities.
What should I ask a pentest company about its testers?
Ask who exactly will perform the test, their seniority and their certifications, and whether work is ever passed to junior or offshore staff. A credible provider will tell you the named testers assigned and the certifications they hold before the engagement starts. At EJN Labs every engagement is delivered by senior and principal testers, never juniors or associates.
Should a penetration testing provider include a retest?
A retest confirms the vulnerabilities you fixed are actually closed, and many compliance schemes expect that verification, so it is a reasonable thing to require. Some providers charge for it separately, which can add cost when you most need a clean result. EJN Labs includes free retests of remediated findings as standard, with an updated report confirming closure.
What pen test provider questions reveal a low-quality firm?
The questions that expose weak providers are the specific ones: who exactly will test, can you see a redacted sample report, is a retest included, and how is the price derived. Vague answers, refusal to name testers, no scoping call before a quote, and a price that only makes sense with junior delivery are all warning signs worth taking seriously.
Does the penetration testing provider need professional indemnity insurance?
Yes. Penetration testing is intrusive, so professional indemnity and public liability insurance protect you if a test causes loss or disruption. Ask for a certificate confirming the cover level, and check it is proportionate to your engagement and your own obligations to customers. A provider who cannot evidence insurance is asking you to carry a risk that should sit with them.
Ready to put these questions to the test?
The fastest way to see how a provider answers all ten is to ask. Bring this scorecard to a scoping call and judge the responses for yourself. When you are ready, request your CREST penetration testing quote and our CREST-certified team will give you specific, evidenced answers and a fixed, written price. For the wider decision, start at our CREST penetration testing hub or compare the best UK penetration testing provider criteria.