How to Choose a Penetration Testing Company in 2026
Tiers, certifications, PTaaS platforms, and the 10 questions to ask before you sign. A framework for buyers, not a vendor ranking.
We do not sell penetration testing services. This site is not affiliated with any pentest vendor or security firm. All prices are independently researched from publicly available quotes, industry surveys, and published rate cards.
The Three Provider Tiers
This is not a vendor ranking — it's a tier definition framework. The right tier depends on your compliance requirements, report audience, and budget.
| | Tier 1: Freelancer | Tier 2: Boutique Firm | Tier 3: Big 4 / Enterprise |
|---|---|---|---|
| Day rate (UK) | £600–£1,200/day | £1,000–£1,800/day | £1,800–£3,500+/day |
| Day rate (US) | $800–$1,500/day | $1,200–$2,500/day | $2,500–$5,000+/day |
| Certifications | OSCP, CEH, GPEN (individual) | CREST, CHECK, OSCP, GPEN — organisation-level accreditation | All of the above + CREST STAR; TIBER-EU qualified for DORA engagements |
| Report Quality | Variable — may lack executive summary, CVSS scoring, or formal methodology section | Professional — CVSS-scored, executive + technical sections, remediation guidance, re-test included | Highest formal standard — audit-ready, board-level executive reporting, tailored evidence packages |
| Audit Acceptance | Rarely accepted for PCI DSS or SOC 2 without additional documentation | Yes — accepted for PCI DSS, SOC 2, ISO 27001 | Yes — all frameworks including DORA TLPT and CBEST, with board-level reporting |
| Best For | Startups, narrow scope, first pentest on a tight budget | SMB to enterprise, compliance-driven engagements, most organisations | Regulated enterprises, DORA TLPT, financial institutions requiring board credibility |
| Watch out for | No scoping call, no methodology document, sub-3-day delivery for a complex scope | Unwilling to share methodology document; re-test priced separately at full rate | Cost may not be justified for a standard web app test |
Tier 4: PTaaS — Pentest as a Service
A subscription model increasingly popular with startups and mid-market companies. Continuous scanning plus scheduled manual tests plus a compliance dashboard. Less deep than a bespoke engagement but sufficient for early-stage SOC 2.
Typical subscription price points:

| Price | What's included | Compliance coverage |
|---|---|---|
| $999–$3,999/year | Continuous scanning + annual pentest certificate | SOC 2, GDPR |
| £2,499–£9,999/year | Continuous vulnerability scanning + manual tests | SOC 2, ISO 27001 |
| From $4,999/year | PTaaS + compliance reporting dashboard | SOC 2, PCI DSS, ISO 27001 |
PTaaS trade-offs: Subscription platforms provide continuous coverage and compliance certificates but are less deep than bespoke engagements. The manual testing component is typically a fixed-scope annual test, not a scoped deep-dive. For PCI DSS or DORA, a traditional bespoke engagement is required. For early SOC 2 or ISO 27001 evidence, PTaaS is often sufficient.
Certification Reference Table
| Certification | Body | What It Means | Required For |
|---|---|---|---|
| CREST | CREST International | Organisation-level quality standard — rigorous testing process and methodology requirements | PCI DSS (preferred), CHECK scheme, most enterprise RFPs |
| CHECK | NCSC (UK) | UK government-endorsed penetration testing scheme — highest UK assurance standard | UK public sector systems, HMG networks, Cabinet Office systems |
| OSCP | Offensive Security | Individual tester certification proving practical exploitation skills | Widely accepted — industry standard minimum for manual testers |
| GPEN / GWAPT | GIAC / SANS | Individual tester certifications covering network and web application penetration testing | Enterprise RFPs, compliance frameworks, US federal context |
| CREST STAR | CREST International | Highest individual CREST certification — specialist advanced researcher | TIBER-EU, CBEST engagements (DORA compliance) |
| CEH | EC-Council | Entry-level certification covering ethical hacking concepts | Minimum qualification — look for OSCP or CREST in addition |
Verify credentials before you sign:

- CREST membership: crest-approved.org
- CHECK status: ncsc.gov.uk/section/products-services/check-assessments
- OSCP: offensive-security.com
10 Questions to Ask Before Signing
Send these to prospective providers before engagement. The quality of their answers tells you more than their marketing.
1. “What methodology do you follow?”
   Why ask: The answer should name the OWASP Testing Guide, PTES, or the CREST methodology. A generic answer ('industry standard') is a red flag.
2. “What percentage of testing is manual vs automated?”
   Why ask: A legitimate pentest is primarily manual, with automated tooling as a supplement. Below 60% manual is a warning sign.
3. “Will the same tester(s) conduct the full engagement?”
   Why ask: Handoffs mid-engagement lose context. Continuity matters, especially for complex logic flaws.
4. “What does your re-test policy cover and at what cost?”
   Why ask: A re-test of critical and high findings should be included. Pricing it separately at the full engagement rate is unusual.
5. “Can I see a redacted sample report?”
   Why ask: The best providers will share examples; a refusal should concern you. Look for CVSS scores, PoC evidence, and actionable remediation guidance.
6. “Does your report format meet [compliance framework] requirements?”
   Why ask: PCI DSS, SOC 2, and DORA each have specific evidence requirements. Confirm before signing.
7. “What certifications do the individuals on this engagement hold?”
   Why ask: Ask for OSCP, CREST, or GPEN specifically. A generic 'our team is certified' is not sufficient.
8. “Do you carry professional indemnity insurance?”
   Why ask: A legitimate provider carries PI insurance covering the scope of work. Ask for the certificate.
9. “What is your critical finding escalation policy?”
   Why ask: If they discover an active breach or a critical RCE during the test, you need to know the protocol before it happens.
10. “What post-engagement support do you provide?”
    Why ask: Good providers offer a debrief call, answer remediation questions, and remain available during the re-test period.