Clients often ask whether they should keep the same penetration testing vendor each year or rotate. While we hate to part with our clients and pride ourselves on cultivating a partnership with them, we always adhere to giving unbiased advice. Unfortunately, there is no simple answer; it depends on several factors. Read on to learn about some of the pros and cons of switching penetration testing vendors so you can choose what is suitable for your organization.

1. Pros to rotating penetration testing vendors

Rotating penetration testing vendors gives a fresh perspective on your organization’s security. While penetration testing has standard methodologies, it is also a subtle art. Each penetration tester and vendor has its own methodologies, reporting styles, and focus areas that may complement those of another vendor. This can give you an entirely new view of how your security is measured. Rotating vendors allows you to receive different advisory viewpoints, new toolsets, and testing against a “new adversary.”

2. Cons to rotating penetration testing vendors

However, rotating penetration testing vendors can have some significant drawbacks. The most important is that clients lose the partnership knowledge gained from working closely with a security vendor. This can take many forms, such as unique reporting customizations, established areas of focus, or the overall cadence of working styles. You often lose the trending of previous findings that lets you measure overall improvement. For example, we provide comparisons from the previous test directly beside the current findings to verify what has improved, what has remained the same, and what is net new. Lastly, clients have shared horror stories of less-than-quality performance from security vendors, and if you’re on a tight budget, a bad engagement may severely impact your overall security program for the year.

3. Conclusion

Several factors are in play when choosing whether to stay with or rotate penetration testing vendors. First, it’s a risk balancing act, much like the one you are already performing with your security program. If you’re happy with the quality of service you are getting, then it is probably a good idea to stay. However, if you have extra budget, a mature security program, are unhappy with your current vendor, or simply want to see what’s out there, it may make sense to rotate. At TCM Security, we help curb these issues by rotating the tester each year while having the previous tester perform quality assurance on the findings report. This tandem approach generates a fresh perspective while retaining the level of partnership from which we’ve seen great results.