The pros and cons of vendor rotation for penetration testing: should you be rotating pentesting vendors? And if so, why?
With recent research estimating roughly 800,000 cyberattacks per year, a number predicted to keep rising annually, alongside the rising cost of data breaches, the financial and reputational consequences of a breach have never been more threatening. As such, it has never been more critical to have a proven risk management strategy in place.
Since one of the primary goals of a penetration test is to strengthen an organization's security posture (both in the short term and in the long term), many companies feel that, when investing in a penetration testing vendor, it is beneficial to rotate vendors to see which methodologies best pinpoint their IT vulnerabilities. But is this really the case?
In today's article, our ethical hackers cover why selecting a pentest vendor is one of the most critical business decisions you can make, and how to ensure you are taking the right approach when deciding whether to retain or change pentesting vendors.
Let's dive right in to your most frequently-asked questions:
"How Do I Choose the Right Penetration Testing Vendor?"
Choosing the right pentesting vendor for your organization will be one of the most significant deciding factors in your cybersecurity risk management. During the selection process, you must determine a vendor's:
Why? Because every vendor's approach differs. For example, one of the approaches that sets Packetlabs apart is our dedication to 95% manual penetration testing: while many penetration testing vendors offer baseline Vulnerability Assessment (VA) scans, our dedication to non-automated, non-outsourced pentests often uncovers hard-to-find vulnerabilities that our clients have labelled "company-killing asteroids."
Seeking out teams of highly trained ethical hackers with the industry's most advanced certifications is also a must when initially securing a vendor. As a benchmark, OSCP is our team's minimum requirement, with team members frequently going above and beyond to gain certified expertise in OSEP, OSWP, OSED, OSWE, CISSP, CISA, GWAPT, GMOB, GSNA, GXPN, and GCIH. When interviewing vendors, look for teams that hold at least a portion of these credentials: certifications do not guarantee a worthwhile pentest on their own, but they are a strong indicator that the testers have hands-on, validated skills rather than relying on scanner output.
Pros of Vendor Rotation for Penetration Testing Vendors
Now that we've outlined what to look for in a penetration testing vendor, let's move on to the potential merits of vendor rotation.
Here are situations in which we advise looking into rotation:
There have been no new findings in 1 to 2 years. Outdated cybersecurity is the top risk for SMBs and enterprises alike, and is costing businesses upwards of one million dollars per cyberattack. That, combined with a cyberattack occurring once every 39 seconds, means that having a pentesting vendor stay on top of new vulnerabilities is crucial. If your environment has changed (new applications, cloud services, or integrations) and the vendor still reports nothing new, they are likely not looking deeply enough, or the scope has not kept pace with your attack surface.
Your reports look like VA scans. Although VA scans are serviceable for identifying base-level threats, this surface-level approach to reporting only skims the tip of the iceberg and leaves your organization vulnerable to numerous advanced and emerging threats. A report that lists scanner findings by CVE and severity, with no evidence of exploitation, chained attack paths, or business impact, is a warning sign.
The penetration testing quality is poor. If your penetration testing vendor delivers only the standard level of VA reporting, relays only basic threats, is not relaying new findings, and communicates poorly, it is time to move on to a vendor that cares about your organization's cybersecurity as much as you do.
Contrary to popular belief, small and medium-sized businesses are no less at risk of cybersecurity breaches than large enterprises. No organization is too small, or too large, for threat actors to target, which makes having the right cybersecurity team at your back a necessity.
Cons of Penetration Testing Vendor Rotation
Knowing the pros of penetration testing vendor rotation raises the obvious follow-up question: "What are the cons of rotating pentesting vendors?"
Here is what our ethical hackers have to say:
Don't rotate your pentesting vendor if they deliver high-quality findings. As we illustrate in our many sample reports, the difference between a baseline VA scan report and a report brimming with high-quality findings is stark. If your vendor continually comes to the table with new findings, provides in-depth reporting, and is communicative about their approach, we recommend not trying to fix what is not broken. Switching vendors also discards the institutional knowledge of your environment that a good team builds up over successive engagements.
Don't rotate your pentesting vendor if they offer the ability to rotate testers. Some pentesting vendors are unable to rotate testers because they outsource the work or rely on automated scans. With teams like Packetlabs, our 95% manual testing methodology means that we can (and often do) swap our ethical hackers between projects periodically, so that your organization's vulnerabilities always get fresh eyes on them without losing the vendor's accumulated context.
Don't rotate your pentesting vendor if you're comfortable with the team. Finding a vendor for any service that aligns with your company's goals, security standards, and vision for improvement is rare. If you find that your team aligns well with your vendor's, we advise continuing to foster that relationship long-term.
"What About Penetration Testing for MSPs?"
As a Managed Service Provider (MSP), partnering with a reliable penetration testing vendor can be what sets your offerings apart from the competition, and can also lead you to the same questions about pentesting vendor rotation.
When done right, an MSP-penetration testing vendor partnership can:
Increase revenue: Generate additional revenue streams by offering penetration testing as part of a wider range of services
Bolster security posture: By partnering with a penetration testing service provider, MSPs can offer vulnerability assessments and penetration testing to help SMBs identify and address security vulnerabilities before they are exploited
Enhance regulatory compliance: Meet compliance requirements through periodic pentesting, both for cybersecurity insurance purposes and for meeting standards such as PCI DSS, ISO 27001 and SOC 2
Gain a competitive advantage: Differentiate yourselves from competitors by providing more robust security solutions to clients, which can help to win more business and retain existing clients
The result? Countless opportunities for Managed IT Service Providers to identify and remediate security vulnerabilities in SMBs before they are exploited.
While there is no clear-cut answer on the pros and cons of vendor rotation for penetration testing, we hope this guide helps steer you in the right direction for your next decision.
Looking to explore more vendor opportunities? Our team is always one click away.
Download our Free Buyer's Guide
Whether you are looking to complete penetration testing to manage risk, protect your data, comply with regulatory standards, or meet a requirement for cyber insurance, selecting the right company is crucial. Download our buyer's guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.