Why You Shouldn’t Trust Penetration Testing Firms Without Asking These Questions
I've worked in cybersecurity and pentesting for over 25 years. After seeing the same patterns repeat again and again with vendors misrepresenting services, scan reports sold as manual testing, and legal threats used to shut people up, I decided to write this down.
This isn’t a hit piece or a sales pitch. Just real patterns I’ve seen in the field that too often go unnoticed until a client gets burned.
If you've ever had to review or act on a pentest report and something felt off, this might explain why.
This guide is based on extensive research pulled from a wide range of sources: court records, legal filings, public discovery materials, conversations with companies that received questionable pentest reports, online complaints, whistleblower accounts, and archived website data. In short, we didn’t just analyze one case; we examined a pattern that keeps showing up across the industry.
We’ve seen penetration testing providers that faked credentials, outsourced critical work, misrepresented the size and makeup of their teams, and sold automated scans as if they were manual penetration testing services. They promote themselves as boutique penetration testing companies or elite cybersecurity vendors, but what they’re really selling is illusion, not protection.
In this guide, you’ll learn how to separate a company offering quality pentesting services from the ones who just act the part. These 10 red flags highlight tactics you need to watch for. And while we don’t name names, if you’ve worked in this space, some of them may sound familiar.
What you’ll take away:
- How to spot fake certifications, phantom teams, and recycled testimonials
- What to ask before you sign a pentesting services agreement
- Why vendors claiming to be the best penetration testing companies often have the most to hide
If you’re evaluating a penetration testing company right now, or reconsidering one you’ve already hired, read on. A bad decision won’t just waste money, it can leave your environment exposed in ways you won’t see until it’s too late.
Red Flag #1: When Penetration Testing Firms Lie About Cybersecurity Certifications
One of the easiest ways unqualified penetration testing firms mislead clients is by plastering their websites with logos from respected certification bodies like Offensive Security, ISC², and GIAC. These logos are meant to build instant trust, but many firms are betting you’ll never actually check if they’re real.
Our research uncovered several examples of firms doing exactly this, but one lawsuit in particular revealed how deep the deception can go. A Colorado pentesting company that had been publicly accused by a former employee of lying about its credentials responded by filing a defamation lawsuit. In trying to silence the whistleblower, it triggered the very scrutiny it was trying to avoid.
Once the case moved into discovery, subpoena responses from multiple certification authorities confirmed that the 60+ cybersecurity certifications listed on the company’s website were not held by the company or its staff.
The vendor’s excuses shifted. First, they blamed a “former co-owner,” even though the certifications had been on the website for several years (according to the Wayback Machine) before that person joined. Then they claimed the credentials belonged to some hacker in Pakistan, but couldn’t provide a name. After those explanations fell apart, the pentesting firm quietly dropped the lawsuit with prejudice, effectively conceding that the employee had told the truth.
This wasn’t a misunderstanding. It was a calculated move to win contracts by appearing more qualified than they were.
Most businesses take these claims at face value. But if a firm is willing to fake certifications, what else might they be lying about? Are you really getting tested by experienced cybersecurity professionals, or is your engagement being handed off to someone they found at the last minute?
How to protect yourself:
- Ask for the full names of the specific testers assigned to your engagement, not just titles or initials.
- Request digital copies of their certifications, especially from well-known bodies like Offensive Security, ISC², CompTIA, or GIAC.
- Use public verification tools. Most certifying organizations allow you to verify credentials online.
- For example, Offensive Security (OffSec) includes a QR code on all certificates issued after April 5, 2022. Scanning it will take you directly to the tester’s digital credential page for quick verification. If there’s no QR code, you can still request manual verification by submitting the tester’s full name and OSID or Certification ID at https://help.offsec.com/hc/en-us/requests/new.
- Be skeptical of vague language like “our team is fully certified” without any proof. Generic claims with no documentation are a red flag.
Legitimate security companies don’t just drop logos on a page and hope you won’t notice. They give you names, resumes, and credentials that you can actually verify. If a vendor stalls or dodges when you ask, walk away.
Red Flag #2: When Pentesting Companies Fake Government Ties
Some vendors try to build credibility by pretending they work with the federal government. They paste government logos (e.g., DHS logos) on their websites, casually reference ICS-CERT, or claim vague “trusted partnerships” with government agencies. To someone outside the cybersecurity world, it sounds official. That’s exactly the point. But in reality, it usually isn’t true.
Real government cybersecurity work doesn’t go to two-person pentesting companies through a contact form. It involves formal contracts, bidding processes, and documentation that can be independently verified. If a company claims to work alongside government agencies like DHS, but offers no proof, they are counting on you not to ask questions.
During our research we found one penetration testing company that had Photoshopped a fake badge labeled “Certified Industrial Control Systems Emergency Response Team.” No such thing exists. The real entity is the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, a DHS function whose work now sits within CISA, and “CERT” is not a certification. ICS-CERT also doesn’t outsource its core mission work to any third-party civilian company. Whoever made the image either misunderstood or didn’t care.
If you’re going to impersonate a federal agency, at least get the name right.
After receiving a call from a government agent, the company quietly scrubbed the image from its website. The screenshot below was captured during our research using the Wayback Machine before the takedown. There was no contract, no partnership, and no federal work. Just a fake logo and a founder who confused an emergency response team with a certificate.
How to protect yourself:
- Ask for documentation. Government engagements always leave a record.
- Use USAspending.gov to check if a company has received any federal contracts. It is the official source for public data on government spending and contract awards.
- Use your judgment. If a small firm says it handles DHS-level infrastructure but has no history or paperwork, that should raise serious concerns.
The best penetration testing providers don’t need to fake government relationships. They prove their credibility through real work, real clients, and real results. If a vendor is using logos to impress you, they are selling you a story, not a service.
Red Flag #3: When Penetration Testing Firms Rank Themselves #1
One of the most shameless tricks in the industry is when penetration testing companies publish their own “Top 10” lists and conveniently rank themselves first. These lists are made to look like credible third-party comparisons, but they’re really just self-promotional fluff disguised as research.
You’ve probably seen it:
- “We’re the #1 penetration testing company in the U.S.”
- “Check out our guide to the top 10 penetration testing companies, and yes, we’re at the top.”
- “As featured in [a site they paid for placement]”
This isn’t bold branding. It’s misleading.
These rankings are usually published on the vendor’s own blog, on a partner site they control, or on a paid third-party placement site. There’s no independent verification, no clear selection criteria, and no transparency. It’s marketing dressed up as authority, and it fools a lot of buyers who don’t know how common this tactic has become.
In one legal case that pulled back the curtain, a vendor claimed it had evaluated over 30 competitors using “mock pentests” and ranked them accordingly. When the company filed a defamation lawsuit against a former insider who called out the rankings and “30+ mock pentests” as fake, the truth came out. According to records, the owner admitted under oath that the mock pentests never happened and the entire ranking was just his opinion. There were no metrics, no comparisons, and no evaluation of any kind. The lawsuit was quietly dropped soon after.
The fake ranking page? Still archived on the Wayback Machine along with claims that their “penetration testing team is ranked on the world’s ethical hacker list within the top 5 spots…”
This screenshot was captured from a publicly archived page on the Wayback Machine. Company name has been removed. This image is used solely for commentary on general industry trends.
And here’s the part that matters: We pulled their SEO data using SEMrush and found that the fake ranking page isn’t just marketing fluff. It’s their top traffic driver. That article brings in most of their leads. It’s not just misleading. It’s the core of their sales strategy. If a company starts the conversation with a fake Top 10 list and claims their team ranks in the “top 5 ethical hackers in the world,” don’t walk. Run. That’s not confidence. It’s a con. And based on the data, they’ve been doing it for years.
Here’s what to check before trusting any ranking:
- Was the list published by a third party with publicly available criteria?
- Has the company actually won any industry awards?
- Is the “ranking” hosted on an independent site, or one they control or paid for?
If those answers are vague or suspicious, it’s not a top penetration testing company. It’s a company playing dress-up.
The best penetration testing providers don’t need to crown themselves in a blog post. Their clients speak for them. Their names show up in real industry conversations. Their work builds trust, not fake trophies.
Red Flag #4: When Penetration Testing Firms Lie About Their Team Size
A common trick small vendors use is inflating the size of their internal team. You’ll see claims like “20+ full-time senior experts” on websites and sales decks, even when the actual company might be just the owner and one contractor.
There’s nothing wrong with being a small or specialized team. In fact, many of the best pentesting providers are lean by design, focusing on deep expertise, hands-on work and the highest quality instead of inflated team and empty titles. The issue is when a vendor fabricates their headcount to appear more established than they are. Usually just to win bigger contracts or impress less technical buyers.
In one researched example, a vendor claimed it “manages a scalable team of 10 to 20 experienced pentesters” in its sales materials. But a quick review of LinkedIn, company bios, and past project references revealed only two people associated with the company: the founder and one contractor. There were no full-time senior testers, no support staff, and no evidence of an actual team. The so-called “scalable team” was a vague reference to freelancers who could be hired from recruiting platforms, none of whom had ever worked with the company. It’s the equivalent of saying, “I could own all of those cars,” while driving past a dealership.
This kind of deception isn’t about capacity. It’s about trust. Some vendors exaggerate headcount to land contracts with scope requirements they can’t actually fulfill. Others do it to create the illusion of scale, hoping to appear more established or enterprise-ready than they really are. Again, a small team isn’t the issue, but lying about the size of that team is.
Here’s how to check:
- Search LinkedIn (https://www.linkedin.com) for the company name and filter by “People.” Do you see a team of security professionals, or just one or two names?
- Ask directly: Who exactly will be working on your assessment? Are they full-time W-2 employees, or outside contractors brought in per engagement?
- Request resumes or bios, and verify employment history. Anyone unwilling to share that probably isn’t on staff.
- Look at time zones and job titles. Do they align with the vendor’s pitch? A team “headquartered in the U.S.” shouldn’t be entirely based overseas with vague titles like “Security Advisor.”
Truthful companies are upfront about who they are. Whether it’s a two-person team or twenty, honest vendors focus on delivering results, not pretending to be something they’re not. If someone needs to inflate their bench just to win your business, that’s your red flag.
Red Flag #5: When Security Companies Mislead You About Who’s Doing the Work
Some penetration testing firms claim to have a full-time, in-house team of experts. In reality, they offload your assessment to independent contractors you’ve never heard of and never approved.
Using contractors isn’t the problem. Plenty of legitimate providers rely on them for specialized tasks or overflow. The problem is when companies lie about it. If a vendor promises “no outsourcing” or claims that every tester is a W-2 employee, but quietly hands off your engagement to freelancers, that’s deception, plain and simple.
We’ve seen firms claim to only use full-time employees on one part of their website while telling job applicants on their careers page that new hires start as contractors. So which is it? If a contractor is doing the work, that’s something the client deserves to know upfront.
Other vendors make statements like:
- “We only employ full-time penetration testers.”
- “No third parties. Ever.”
But a quick look on LinkedIn paints a different picture. Most profiles are listed as “freelancer,” “contractor,” or have no employment info at all. Some don’t even live in the country. That matters when you’re handing over access to your internal systems.
This creates serious risks. If a contractor mishandles sensitive data and you never knew they were involved, the confidentiality your NDA was meant to guarantee may already be broken. And if they’re offshore, there may be little legal recourse if something goes wrong.
To protect your business, ask the right questions:
- Who will be doing the work?
- Are they a full-time employee or a contractor?
- If a contractor is used, how often does that person do projects for your company?
- Is the contractor following your security policies and if so, how are they being enforced?
- Are they based in the U.S., or working remotely from another country?
If the answers are vague or don’t match what you see on LinkedIn, you’re not talking to an honest penetration testing company. You’re talking to a vendor pretending to be something it’s not.
Trustworthy penetration testing firms don’t pretend their freelancers are full-time employees. Using contractors isn’t the problem but lying about it is. If a company needs to blur those lines just to win your trust, walk away.
Red Flag #6: When Pentest Companies Fake Reviews
Client testimonials are powerful. In cybersecurity, a single quote from a happy client can lend a vendor instant credibility. But not every penetration testing company earns those endorsements; some invent them.
During our research, we found marketing material from one vendor showcasing glowing reviews for a product called “iSOC MDR,” which was supposedly a managed detection and response (MDR) service delivered through an Information Security Operations Center (iSOC), designed to monitor and respond to threats in real time. The customer claimed it stopped a malware attack and prevented data exfiltration. The quote was polished, specific, and designed to impress. The problem? The service never existed. There was no SOC. There were no clients using it, and no record of it ever being delivered. Just a name and a fake testimonial.
This screenshot was captured from a publicly archived page on the Wayback Machine. Company name has been removed. This image is used solely for commentary on general industry trends.
And how many times have you come across a fake Google review? It’s so common now that most people barely notice. But when a cybersecurity company that you’re trusting to protect your systems and data is faking its own credibility just to look legitimate, that’s a whole different story.
Some hire review farms. Others use bots, mass-create Gmail accounts, or have employees pose as satisfied clients. It’s not just dishonest. It’s reckless. You’re not hiring them to look good online. You’re hiring them to find threats, secure infrastructure, and protect what matters. If a company needs to fabricate praise just to win business, what happens when something actually goes wrong?
You might come across a few legitimate reviews and that’s exactly the point. A couple of real testimonials can make a sea of vague or unverifiable ones seem credible, even when they’re tied to services that never existed. It’s a bait-and-blend tactic: let a sliver of truth mask a larger lie.
If a vendor calls itself one of the top U.S.-based penetration testing companies but can’t show real clients backing up those claims across the board, dig deeper. A few surface-level compliments don’t erase a pattern of deception.
How to Spot Fake Testimonials
- No full names, company names, or verifiable credentials
- “Case studies” that read like ads instead of describing real security problems and outcomes
- Glowing praise for services that aren’t offered or explained anywhere else on the vendor’s site
- Testimonials that reuse vague phrases like “highly recommended” with no attribution
- Stock photos or generic headshots that appear in multiple places across industries
- Quotes from people or companies that can’t be found on LinkedIn or verified online
- No option to verify the testimonial source, even if you ask
Red Flag #7: When Cyber Companies Fake Their Infrastructure
Some cybersecurity vendors want to appear larger and more established than they actually are.
They claim to operate Security Operations Centers, multiple Network Operations Centers, and enterprise-grade data centers across the country. Their websites often describe impressive facilities, teams, and capabilities meant to signal scale and professionalism.
But when you take a closer look, none of it holds up. We reviewed archived versions of vendor websites that made bold claims such as running two NOCs, a SOC, and multiple data centers. These pages have since been scrubbed, quietly and without explanation. There were no support staff, no operational teams, no documented infrastructure, and no evidence that these services ever existed.
This wasn’t just fluff to win a contract. It was a strategy to look bigger and more capable, lure clients with services they couldn’t deliver, and scramble to backfill if someone actually bit.
That’s not aggressive sales. That’s deception.
Here’s how to tell what’s real:
- Ask to see the SOC or NOC, even over video
- Request team details and shift coverage if they advertise 24/7 operations
- Look up the business address. Is it a legitimate facility or a mailbox rental?
- Search LinkedIn for staff roles. If you don’t see SOC analysts or NOC engineers, the facility probably doesn’t exist
Most real pentesting companies don’t run large-scale infrastructure, and that’s completely fine. What matters is whether they tell the truth about what they offer. A small but capable team is more trustworthy than a vendor inventing a data center they can’t show you.
If you have to invent a fake SOC to get clients, you don’t run a security company. You run a con.
Red Flag #8: When Penetration Testing Firms Sell Automated Scans as Real Pentests
Let’s be clear up front: vulnerability scans are a legitimate part of a security program when they’re presented honestly. They identify known issues quickly and help with patch management at scale. PTaaS, or Penetration Testing as a Service, is also real. It’s a delivery model that lets you schedule, review, and manage human-led penetration testing through an online platform. The problem isn't the model. The problem is when vendors blur the lines and try to pass off fully automated scans as real penetration tests. These are not the same thing.
There’s no such thing as automated penetration testing. If no human manually exploited, validated, or chained vulnerabilities, it’s not a pentest. Yet some companies try to repackage automated scans as “Penetration Testing as a Service,” dressing them up with phrases like:
- “Continuous automated penetration testing”
- “PTaaS” (used as a label for a scanner subscription with no human testing behind it)
- “Security insights in real-time”
- “Pentesting without the long wait times”
This is marketing theater, not offensive security. What you’re really getting is a recurring scan with tools like Nessus or OpenVAS, followed by a PDF that looks official but contains no human testing, no exploitation, no logic flaws, and no real-world attack paths. It’s fast, cheap, and misleading if you think you’re buying a pentest.
Some vendors even take it further by promoting manual pentesting in one section of their site, then pushing “automated penetration testing” as a standalone service elsewhere, as if the two are interchangeable. That’s not innovation. That’s misrepresentation.
We’ve reviewed multiple pentesting business claims where what was sold as a “manual test” was actually nothing more than scan output wrapped in branding. In one legal case, the vendor had sued a former employee for defamation after being accused of passing off automated scans as manual penetration tests. But during the proceedings, the vendor admitted under oath that clients had, in fact, received scan reports instead of real tests. An expert witness also confirmed the reports were riddled with false positives and lacked any sign of manual testing. Once those facts were on record, the vendor dropped the lawsuit, not because the claims were false, but because they were true.
This tactic isn’t just dishonest, it’s dangerous. Clients are led to believe their networks were tested by experts when, in fact, no human ever reviewed the results.
Here’s how to tell when you’re being sold a scan, not a pentest:
- The report includes no screenshots, no payloads, and no proof-of-concept.
- Findings are listed as CVSS scores with generic descriptions and no context.
- There’s no attack chaining or lateral movement, just standalone vulnerabilities.
- No business logic flaws or application abuse techniques are discussed.
- The report reads like something a vulnerability scanner could generate in minutes.
Vulnerability scans aren’t the problem. They’re useful when they’re marketed honestly. But when a vendor advertises “automated penetration testing,” that should be your cue to ask hard questions.
There is no such thing.
Scanners don’t think. They don’t understand context. They don’t prove impact. And they definitely don’t replace the work of a skilled human tester.
A real penetration testing company draws a clear line between scanning and testing. A fake one calls both by the same name and hopes you won’t notice.
If your vendor promotes “automated pentesting,” or claims you can have a comprehensive test with no manual exploitation, ask yourself why they’re trying so hard to rebrand something that already exists.
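The checklist above can be turned into a first-pass triage of a delivered report. The script below is an added example, not code from the original article or from any vendor it describes. It assumes the report’s findings have already been extracted into `Finding` objects (getting them out of the PDF is a separate job); the field names, the regexes for Nessus plugin IDs and OpenVAS/Greenbone NVT OIDs, the keyword list for human-only finding classes, and the score thresholds are all assumptions chosen for illustration, and the two sample reports are constructed.

```python
# Added example, not code from the article or any vendor it describes. Assumes the
# findings were already extracted from the PDF into Finding objects; the field
# names, regexes, keyword list and thresholds are assumptions for illustration.
import re
from dataclasses import dataclass, field

# Scanner-style references: "Nessus Plugin ID 12345" or an OpenVAS/Greenbone
# NVT OID under 1.3.6.1.4.1.25623.1.0 (assumed patterns; extend per tool).
SCANNER_REF = re.compile(
    r"Nessus\s+Plugin\s+ID\s*:?\s*\d+|1\.3\.6\.1\.4\.1\.25623\.1\.0\.\d+", re.I)
# Artifacts a human tester leaves behind.
EVIDENCE_KINDS = {"screenshot", "request", "response", "payload", "poc"}
# Finding classes a scanner cannot reason its way to (assumed keyword list).
HUMAN_ONLY = re.compile(
    r"\b(business logic|idor|authorization bypass|race condition|workflow abuse)\b", re.I)


@dataclass
class Finding:
    id: str
    title: str
    description: str
    evidence: list = field(default_factory=list)    # [{"kind": "request", "data": ...}]
    references: list = field(default_factory=list)  # CWE/CVE ids, plugin ids, URLs
    related: list = field(default_factory=list)     # ids of findings this one chains into


def triage(findings):
    """Score a report: higher is more scanner-like. Returns the verdict and signals."""
    n = len(findings)
    if n == 0:
        raise ValueError("report has no findings")
    with_evidence = sum(1 for f in findings
                        if any(e.get("kind") in EVIDENCE_KINDS for e in f.evidence))
    scanner_refs = sum(1 for f in findings
                       if any(SCANNER_REF.search(r) for r in f.references))
    chained = sum(1 for f in findings if f.related)
    human_only = sum(1 for f in findings
                     if HUMAN_ONLY.search(f.title + " " + f.description))
    # Plugin template text shows up as one description pasted under several findings.
    reused = n - len({f.description.strip().lower() for f in findings})

    score = 0
    if with_evidence / n < 0.25:
        score += 2  # almost nothing in the report is proven
    if scanner_refs / n > 0.5:
        score += 2  # findings cite a plugin, not a weakness
    if chained == 0:
        score += 1  # no attack path: nothing connects to anything
    if human_only == 0:
        score += 1  # no logic or authorization findings at all
    if reused > 0:
        score += 1  # boilerplate descriptions
    if score >= 4:
        verdict = "likely raw scanner output"
    elif score <= 1:
        verdict = "consistent with manual testing"
    else:
        verdict = "mixed; ask the vendor to show the manual work"
    return {"score": score, "verdict": verdict, "evidence_ratio": with_evidence / n,
            "scanner_ref_ratio": scanner_refs / n, "chained": chained,
            "human_only": human_only, "reused_descriptions": reused}


# Constructed sample reports (not real deliverables).
SCAN_REPORT = [
    Finding("S-1", "SSL Certificate Expiry",
            "The remote server's SSL certificate has already expired.",
            references=["Nessus Plugin ID: 15901"]),
    Finding("S-2", "TLS Version 1.0 Protocol Detection",
            "The remote service accepts connections encrypted using TLS 1.0.",
            references=["Nessus Plugin ID: 104743"]),
    Finding("S-3", "SSL Certificate Expiry (second host)",
            "The remote server's SSL certificate has already expired.",
            references=["1.3.6.1.4.1.25623.1.0.103955"]),
]
MANUAL_REPORT = [
    Finding("M-1", "IDOR on /api/invoices/{id} exposes other tenants' invoices",
            "Changing the id in GET /api/invoices/{id} returns other tenants' invoices; "
            "the endpoint checks authentication but not ownership.",
            evidence=[{"kind": "request", "data": "GET /api/invoices/1042 HTTP/1.1"},
                      {"kind": "response", "data": 'HTTP/1.1 200 OK ... "tenant": "B"'}],
            references=["CWE-639"], related=["M-2"]),
    Finding("M-2", "Invoice export fetches attacker-controlled URL (SSRF)",
            "The logo_url field is fetched server-side; chained with M-1 it reaches "
            "the cloud metadata endpoint from another tenant's context.",
            evidence=[{"kind": "payload", "data": "logo_url=http://169.254.169.254/"}],
            references=["CWE-918"], related=["M-1"]),
]

if __name__ == "__main__":
    for name, report in (("scan", SCAN_REPORT), ("manual", MANUAL_REPORT)):
        print(name, triage(report))
```

A “likely raw scanner output” verdict is a prompt, not proof: a careless but genuine tester can also leave out evidence, so use it to demand the raw tester notes, captured traffic, and the person who did the work, and judge from what they can show you.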
Red Flag #9: When Penetration Testing Firms Use Lawsuits to Silence Critics and Hide Collapse
When a penetration testing firm files a lawsuit instead of answering questions, you’re not looking at a company built on integrity. You’re looking at a firm scrambling to protect a lie.
We’ve reviewed multiple cases where vendors sued whistleblowers, ex-employees, and online critics for defamation. Not because the claims were false, but because they were true. The lawsuits weren’t about setting the record straight. They were about silencing the people who knew too much. Creating fear. Sending a message. And above all, stalling.
In one example, a company that was already facing financial pressure, including multiple lawsuits from lenders, filed a multi-million-dollar defamation claim against a former insider who exposed serious misrepresentations. But once discovery started, the narrative collapsed. Evidence showed the “truth-teller” was telling the truth. Certifications were fake. Infrastructure didn’t exist. Reports were inflated, and more. After all that, the company dropped the case with prejudice.
It didn’t resemble a serious legal effort. It read like a shakedown: a push for a fast settlement by someone already being dragged into court by creditors. The timing wasn’t subtle. The case was filed just as the company was being sued in multiple states for defaulted advances and unpaid debts. It’s hard not to see the lawsuit as a last-ditch cash grab.
When a penetration testing firm is both financially unstable and litigious, it creates serious risks for clients:
- Can you trust them to safely store credentials and vulnerability data?
- Could they be tempted to sell or misuse sensitive data just to stay afloat?
- Are their employees or contractors under NDAs and properly vetted?
- Could internal chaos lead to leaked assessment reports or logs?
Here’s how to protect yourself:
- Search for lawsuits using tools like Trellis.law. Type the company name and look for legal cases. A pattern of litigation often signals deeper issues.
- Look up UCC filings to see if the company has leveraged assets or taken high-interest advances. Many states have searchable databases, like Colorado’s UCC Portal. Multiple UCCs in a short timeframe can be a sign of cash flow trouble.
- Search for executive leadership history. Has the owner or founder filed for bankruptcy before? Do they show up in other failed ventures?
- Watch for red flags in the sales process. If a company pushes NDAs too early, dodges basic questions about staff, or reacts poorly to scrutiny, stop there.
They say they’re the best in the business. But if they’re suing whistleblowers, dodging creditors, and rewriting their lies after being exposed, they’re not a security company. They’re a ticking time bomb with root access.
Red Flag #10: Hiding Behind NDAs to Avoid Accountability
Non-disclosure agreements are supposed to protect sensitive information. But some security companies use them to protect themselves, not your data.
We reviewed numerous NDAs shared by clients and contractors. In several, the language went far beyond protecting confidential information. It was about control. Several agreements included broad non-disparagement clauses, reputation-based gag terms, and vague restrictions that could easily be used to threaten anyone who spoke up, even privately.
In one researched case, a client discovered that their “manual” pentest was nothing more than an automated scan. The report included obvious scanner output, riddled with false positives, and lacked any manual analysis. When they questioned the results, the vendor didn’t explain or offer to redo the work. They pointed to a clause in the contract and warned the client that public criticism would violate their NDA and “harm their reputation.”
In another case, a business paid a cybersecurity company top dollar for on-site firewall installation and security appliance configuration. But after the payment cleared, the contractor handed over a generic PDF of setup instructions and walked away. The documentation wasn’t customized and could’ve been downloaded online. When the client pushed back, the vendor didn’t offer a refund or additional work to make it right. Instead, they threatened legal action unless the client paid the remaining invoice in full. The client, bound by an NDA, was warned that speaking up publicly could trigger a defamation claim.
And in one of the most absurd examples we reviewed, a digital forensics contractor working for a pentesting vendor delivered a “report” that ran to more than 35,000 pages and arrived months after the engagement ended. The vendor had already prepaid the contractor and took no responsibility when the result was unusable. After complaints, the file was hastily trimmed down to 883 pages, but it remained bloated, inaccurate, and incomprehensible to the non-technical client who had trusted them. When the client demanded accountability and threatened to speak publicly, the response wasn’t an apology or a fix. It was a legal threat.
This kind of language doesn’t protect clients. It shields the vendor from being exposed for poor work, questionable ethics, or outright fraud.
Here’s how to protect yourself:
- Review every clause in your NDA, especially those tied to reviews, public statements, or reputational harm
- Ask your legal counsel to flag language that could be used to silence complaints or block fair discussion
- Push back on blanket non-disparagement terms or any clause that limits truthful communication
- If the contract reads like a muzzle, it probably is
Honest companies don’t need to hide behind NDAs. They welcome scrutiny, stand by their work, and fix problems when they happen. If your vendor is more focused on silencing you than securing you, that’s all the clarity you need.
Final Thoughts: Choosing a Pentesting Company You Can Actually Trust
Hiring a pentesting company isn’t just a procurement decision. It’s a matter of security, liability, and trust. You’re giving them access to your infrastructure, your data, and in some cases, the systems that keep your business alive.
As this article has shown, the industry has a dark side: fake certifications, inflated teams, automated scans sold as manual work, and legal intimidation tactics used to bury criticism. These aren’t accidents. They’re deliberate tactics used by companies that rely on illusion instead of capability.
If you’re evaluating a penetration testing provider, here’s how to protect yourself:
Verify Certifications
Use the public lookup tools offered by GIAC, Offensive Security, and others. If a certificate isn’t verifiable, it doesn’t count.
Search Public Records
Use resources like Trellis.law and state-level UCC databases (e.g., Colorado’s UCC search) to uncover lawsuits, liens, and financial red flags.
Ask for the Names and Resumes of the Actual Testers Who Will Be Performing Your Assessment
Generic bios and vague claims about “collective experience” are red flags. A real firm can tell you who is doing the work.
Check LinkedIn
Validate the vendor’s staffing claims against real profiles of security testers, not salespeople, marketers, or vaguely titled “engineers.”
Read the NDA
Watch for gag clauses, broad non-disparagement terms, or anything that could be used to silence your honest feedback.
Ask About Methodology
Make them walk you through how they test, not just what tools they use. Real testers talk process, not products.
Pay Attention to Marketing Ploys
Are they marketing “automated penetration testing” instead of honestly saying it is a vulnerability scan?
Look for Original Research or Community Contributions
Are they improving the field or just parroting buzzwords?
One last reality check: bad actors in this space don’t always get caught. Major cybersecurity incidents involving billion-dollar companies make headlines, but small vendors who quietly fake certifications, inflate their teams, or sell scan reports as real testing often slip through the cracks, because regulators go after the big fish and most clients never look closely. That’s why it’s on you to do the homework.
Not every pentest company is a problem. But the ones who misrepresent what they do put everyone at risk, especially the teams and engineers who have to act on bad data.
If you've seen this too, or if you’ve had to fix messes caused by low-quality testing, I’d like to hear about it.
This article is based on research, public records, customer interviews and reviews, and general industry practices. It does not name or refer to any company or individual directly. All examples are derived from publicly available sources and verified third-party information.
Originally published at Artifice Security.