How to Choose a Penetration Testing Vendor: A Buyer's Guide
On paper, almost every penetration testing vendor offers the same thing — web, mobile, infrastructure, API testing against the OWASP standards. The real differences are in the delivery, and they decide whether you get a genuine security assessment or an automated scan with a nicer cover page. The fastest way to tell them apart is to ask a few specific questions: how much of the test is done by hand, whether you can see a sample report, whether a retest is included, and whether findings map to the standards you answer to. This guide gives you those questions and the red flags to watch for.
If you’re comparing providers — and in Indonesia alone there are more than twenty — this is how to look past the brochure.
The core test: is it actually a pentest, or a scan in disguise?
This is the single most important distinction, and it’s where the price gap usually comes from. A vulnerability scan is an automated tool that matches your application against a database of known issues and outputs a list of potential findings, complete with false positives and no proof. Some vendors run that scan, reformat the output, and sell it as a “penetration test.”
A real penetration test is performed by a person. They validate every finding by exploiting it, chain small weaknesses into serious breaches, and — crucially — find the access-control and business-logic flaws that scanners structurally cannot detect (we cover why in web application penetration testing). Those are the highest-impact issues in real breaches, so a test that can’t find them isn’t protecting you.
The tell is the report. A real pentest documents each issue with a reproducible proof of concept — the exact steps to make it happen. A dressed-up scan gives you a severity list and CVE references with nothing behind them. Which is why the first thing to ask for is a sample.
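To make the scan-versus-pentest distinction concrete, here is a small added illustration (not code from the original guide or from any vendor it describes). It models a toy invoice API with two constructed users, a signature scanner that only knows the server banner, and the ownership check a human tester performs. All names, the banner string and the signature entry are constructed for the example.

```python
"""Why a signature scanner cannot see an authorization flaw that a tester finds by hand.

Constructed toy: an in-memory "invoice" store, two users, a banner-matching scanner,
and an object-level authorization check that needs to know who owns what.
"""

# --- Constructed toy application ------------------------------------------------
INVOICES = {
    1: {"owner": "alice", "amount": 120},
    2: {"owner": "bob", "amount": 480},
}
SERVER_BANNER = "toyapp/1.0"  # constructed; this string is all the scanner ever sees


def get_invoice_vulnerable(user, invoice_id):
    """Returns any invoice by id with no ownership check (the access-control flaw)."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(user, invoice_id):
    """Hardened form: the caller only gets invoices they own."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return None
    return inv


# --- Signature-based scanner ----------------------------------------------------
# Constructed signature database: a known-bad version string mapped to an advisory id.
KNOWN_BAD_BANNERS = {"toyapp/0.9": "ADVISORY-PLACEHOLDER-0001"}


def scan_banner(banner):
    """Matches the banner against known signatures.

    The scanner has no notion of users, sessions or data ownership, so the flaw in
    get_invoice_vulnerable is structurally invisible to it.
    """
    return [sig for bad, sig in KNOWN_BAD_BANNERS.items() if bad == banner]


# --- The check a human tester performs ------------------------------------------
def check_object_authorization(endpoint, users=("alice", "bob")):
    """For every invoice, request it as a user who does NOT own it.

    Each confirmed hit is written up the way a real report documents it: a title,
    the reproducible steps, and the evidence returned.
    """
    findings = []
    for invoice_id, inv in INVOICES.items():
        for user in users:
            if user == inv["owner"]:
                continue
            result = endpoint(user, invoice_id)
            if result is not None:
                findings.append({
                    "title": "Broken object-level authorization",
                    "steps": (f"authenticate as {user}; request invoice {invoice_id} "
                              f"(owned by {inv['owner']})"),
                    "evidence": result,
                })
    return findings


if __name__ == "__main__":
    print("scanner:", scan_banner(SERVER_BANNER))                     # nothing
    print("tester, vulnerable:", check_object_authorization(get_invoice_vulnerable))
    print("tester, fixed:", check_object_authorization(get_invoice_fixed))
```

Run against the vulnerable endpoint, the authorization check produces two findings, each with the exact steps to reproduce it; the same check against the fixed endpoint produces none, which is what a retest confirms. The banner scanner reports nothing either way, because the flaw is not a version string.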
The questions that reveal quality
Ask these before you sign anything. The answers separate real vendors from resellers fast.
- “Which methodology do you follow?” A credible vendor works to a recognized standard — the OWASP Web Security Testing Guide (WSTG) for web, MASVS for mobile, PTES for the overall process — so coverage is consistent and nothing important is skipped. “We use our own approach” with no detail is a warning.
- “How much of the test is manual versus automated?” Automation has a place for breadth, but the value is in the manual work. If they can’t articulate what their testers do by hand, you’re likely buying a scan.
- “Can I see a redacted sample report?” This is the most revealing question of all. A good vendor will happily show a sanitized example. Read it: are findings explained with real proofs of concept and clear remediation, or is it scanner output with the logo changed?
- “Is a retest included?” Finding flaws is half the job; confirming the fixes worked is the other half. A vendor confident in their work includes a retest after you remediate. If retesting is an expensive add-on, ask why.
- “How are scope and pricing determined?” Quality vendors price on the size and complexity of the attack surface, not a flat rate — see our pricing guide. A fixed price quoted before anyone understands your system is a sign of a one-size-fits-all scan.
- “Will you flag critical findings during the test, or only at the end?” A serious tester tells you immediately if they find something that’s actively dangerous, rather than sitting on it for the final report.
- “How is our data handled?” You’re giving a vendor access to sensitive systems. Ask about NDAs, how test data is stored and destroyed, and who on their side has access.
- “Can you map findings to the standards we report against?” If you answer to OJK, UU PDP, ISO 27001, or SPBE/BSSN, the report needs to speak those frameworks’ language so it stands up to an auditor — not just to your engineers.
Red flags
Some signals should make you walk away:
- “We guarantee your system will be 100% secure.” No one can. Security is risk reduction, not a guarantee, and anyone promising perfection is selling.
- A flat price with no scoping. It means the same canned test for every client regardless of size — almost always an automated scan.
- No sample report, or a sample that’s clearly scanner output. If they won’t show their work, assume the work isn’t there.
- No retest offered. Suggests low confidence, or that fixing isn’t really their concern.
- Selling purely on price or a wall of certification logos, with nothing said about how they actually test. Credentials are a signal, but they’re not the work.
What actually matters
Strip it back and the question is simple: will a skilled human genuinely try to break this system, prove what they find, and help you fix it? Methodology, manual depth, an honest report you can read before you buy, a retest to close the loop, and findings mapped to your obligations — those are the things that determine whether a pentest protects you or just produces a certificate. The right vendor is happy to be judged on exactly those points; see how we structure an engagement in our methodology and what we cover across our services. For how access level shapes coverage, see types of penetration testing.
The bottom line
Every vendor’s brochure looks the same, so don’t buy the brochure — buy the delivery. Ask for the methodology, the manual/automated split, a sample report, a retest, transparent scoping, and standards mapping. The vendor who answers all of those clearly is the one doing real work; the one selling on price and promises is selling you a scan. Choose on what’s actually delivered, and you’ll get security instead of a checkbox.
Want a straight answer to all of those questions for your project? Get in touch and we’ll walk you through exactly how we’d test your system.
Frequently asked questions
How do I choose a good penetration testing vendor?
Judge vendors on the quality of the actual testing, not the brochure. The strongest signals are: a recognized methodology (OWASP WSTG/MASVS, PTES), genuine manual testing rather than a rebranded automated scan, a redacted sample report you can review before buying, a retest included to confirm fixes, transparent scope-based pricing, and the ability to map findings to the standards you're held to. A vendor who can show you all of these is a safer bet than one selling on price or a long certification list alone.
What's the difference between a real pentest and a vulnerability scan sold as one?
A vulnerability scan is an automated tool that outputs a list of potential issues with false positives and no proof. Some vendors run that scan, format the output, and sell it as a 'penetration test.' A real pentest is performed by a person who validates each issue by exploiting it, chains weaknesses into serious attacks, and finds the access-control and business-logic flaws scanners structurally cannot detect. The giveaway is the report: a real pentest contains reproducible proofs of concept, not just a scanner's severity list.
Should I just pick the cheapest pentest?
Price alone is a poor filter, because the cheapest quote is often a lightly edited automated scan that misses the high-impact flaws a real test would find — leaving you with a false sense of security and a compliance checkbox that doesn't reflect reality. Compare what's actually delivered: testing depth, methodology, report quality, and whether a retest is included. A slightly higher price for genuine manual testing is usually the better value.
What questions should I ask a penetration testing vendor before hiring them?
Ask: Which methodology do you follow? How much of the test is manual versus automated? Can I see a redacted sample report? Is a retest to confirm fixes included? How are scope and pricing determined? Will you tell us about critical findings during the test or only at the end? How is our data handled and protected? And can you map findings to the standards we report against — OWASP, ISO 27001, UU PDP, OJK, or SPBE/BSSN? The answers reveal quality fast.