Is my organization or infrastructure susceptible to compromise by a malicious attacker, unethical competitor or foreign government?' Both security consulting companies and Big Four audit companies have been trying to answer this question by offering penetration testing services to their clients in the last decades. This kind of specialized testing is a method for evaluating the security of an organization's information systems by simulating an attack. Its objective is to probe and identify security weaknesses in information systems such as an online banking application the supporting network infrastructure or even the physical premises of an organization. Companies expect third-party organizations that perform penetration testing to be truthful with them but this has proven not to be the case in many instances. This paper is intended to help managers decide on a penetration testing firm by providing them with some essential points of attention and critical questions to ask the prospective service providers.
