Choosing a Penetration Testing Provider: 10 Questions to Ask Before You Sign
Choosing a penetration testing company is one of those decisions that only gets noticed if it goes wrong. You either get a report that actually helps you reduce risk, or a tick-the-box exercise that satisfies no one.
If you are comparing penetration testing service providers right now, these questions will help you identify the teams that are the best fit for your organisation.

1. What will you test and what is out of scope?
Many proposals say ‘web app test’ or ‘external pen test’ and stop there.
You want a clear written scope that spells out which applications, environments, APIs, IP ranges and user roles are included and what is explicitly left out.
Good providers will also talk you through what will not be tested, and why.
That matters for your risk register and for any compliance mapping to ISO 27001, SOC 2 or the ASD Essential Eight.
2. Who does the testing and what is their experience?
Focus your question on who is actually responsible for the hands-on work during the engagement. You want to know which consultants will be performing the testing, what their backgrounds are and whether they have solid experience with environments similar to yours.
Useful questions:
- How many years have they been testing in production environments?
- What types of systems do they specialise in (SaaS, healthcare, finance, government)?
- Do they hold recognised industry certifications and, more importantly, do they stay current?
You want to know you are getting a tester who understands both modern attack techniques and how Australian businesses operate.

3. How will you tailor testing to our business?
Most penetration testing service providers will say their work aligns with OWASP, NIST and similar frameworks and that they consider local guidance like ASD Essential Eight and the ISM. That is the minimum you should expect, not something that sets them apart. The real test is how they adapt that methodology to your tech stack, risk profile and regulatory drivers.
Ask for a short walk-through of how they would test:
- a public-facing SaaS app with API back end,
- an internal corporate network with hybrid cloud, or
- an environment subject to APRA CPS 234 or the Privacy Act.
If their answer sounds generic, that is a sign you are buying a template, not a tailored engagement.
4. How will you ensure the test meets our needs?
Penetration testing is not the same as a compliance audit, but it often feeds into one. A good provider should first understand what you need from the test and then align their approach to those outcomes.
You might need:
- evidence for an ISO 27001 audit,
- support for SOC 2 controls, or
- proof of testing for cyber insurance or a customer contract.
Agree up front how findings will be prioritised and what level of risk is acceptable, so you are not arguing about severity ratings the day before an audit.
5. How will you work with our team during the test?
Communication is important. Ask how the provider will coordinate with your internal IT and security teams, especially around:
- test windows and maintenance periods
- change freezes and critical business dates
- handling of high-risk findings that need immediate action
You want a clear contact plan, not surprise scans during payroll or a major release. If you want a provider who will work as an extension of your team, that is a key selection point.
6. How will you access our environment safely?
A good provider should be able to explain exactly how they will connect to your systems, what guardrails are in place and how they avoid disrupting production.
Ask about:
- how test accounts and credentials will be created and managed
- what they will and will not do against live systems (for example, brute-force thresholds, load or stress testing limits)
- how they handle testing of third-party services, integrations and payment gateways
You want confidence that they can simulate real attacks without taking systems down or breaching contracts with your own providers.

7. What does your report look like?
Reports are often where a penetration testing company proves its value. Ask to see a sample report, with sensitive details removed.
Look for:
- a plain-English executive summary for non-technical stakeholders
- clear risk ratings tied to likelihood and impact
- step-by-step technical detail for each finding
If you cannot imagine handing the report to your leadership team or board, keep looking.
8. How do you handle sensitive data and evidence?
During testing, the team may access production data, credentials, internal documentation and source code. You should be comfortable with how they protect that information.
Questions to ask:
- How is evidence stored and encrypted?
- How long is it retained?
- How is it destroyed or sanitised after the engagement?
This is especially important for Australian organisations covered by the Privacy Act or industry-specific rules such as APRA CPS 234.
9. What will this cost us and what is included?
Penetration testing pricing can vary wildly between providers, even for similar scopes. Cheapest is rarely best, but you do need transparency.
Ask for:
- a fixed price or clear estimate based on defined scope
- what happens if scope changes
- whether re-testing is included
- any travel, retainer or “extras” that might appear later
If you want a simple way to benchmark costs, Siege Cyber publishes indicative penetration testing pricing on our website here: https://siegecyber.com.au/#pentest-pricing.
It can give you a useful reference point when you are reviewing other quotes. Siege Cyber’s pricing is designed to be competitive and transparent, with no hidden extras.
10. How will this test help us meet our broader security and compliance goals?
Penetration testing should not be a one-off box you tick for a single customer.
It should fit into a broader security roadmap that might include:
- ASD Essential Eight uplift
- regular security assessments and internal controls
Ask the provider how they see the test feeding into that bigger picture.
If you are using platforms like Vanta or Drata to automate parts of ISO 27001 or SOC 2, you will still need a human partner to interpret pen test results, map them to specific controls and help you close the loop. That is where a team like Siege Cyber can bridge the gap between tool output and real assurance.
Bringing it together
In short, you are not just buying a report. You are choosing a partner who will poke at your systems, tell you where they fall over and help you use that pain productively.
If you want a penetration testing company that understands Australian regulations, speaks plain English and works with your team, Siege Cyber can help.
Start by reviewing our penetration testing services here: https://siegecyber.com.au/services/penetration-testing/, then get in touch via siegecyber.com.au or email [email protected] to book a short discovery call and scope out your next test.