Pentest Provider Checklist for DACH SMBs
This page is also available in German.
Choosing a penetration testing provider is hard when you are not a security specialist yourself, which is the situation most SMBs are in. The market is full of confident sales pitches, and the difference between a genuinely useful test and an expensive compliance checkbox is not obvious from a brochure. This checklist gives you the specific questions to ask and what good answers sound like.
How do you choose a pentest provider as an SMB?
Evaluate every provider on five concrete dimensions: the people, the data handling, the deliverable, the pricing, and the scope. Most marketing focuses on logos and certifications, but the questions that actually predict outcome are about who runs your test, how your data is protected, what you receive, what it costs, and whether the scope matches your real risk. The sections below turn each dimension into questions you can ask directly.
A useful tell: a strong provider will sometimes talk you out of what you asked for and toward what you need. A provider who just says yes to everything is selling, not advising.
Who will actually run the test?
Ask who specifically will run your test, and what their background and certifications are. The answer should be a named person with relevant, verifiable experience, not "one of our consultants." Pentest quality is dominated by tester skill, so this is the single most predictive question you can ask. Hands-on certifications such as OSCP or the practical GIAC certifications (for example GWAPT) indicate a real baseline of offensive competence; a broad certification such as CISSP signals general security knowledge rather than testing skill. Treat certifications as a minimum bar and ask for evidence of comparable past engagements, not as a substitute for it.
Follow up with: does the scoping call involve the tester, or only a sales contact? If the person who understands the technical work is absent from scoping, the scope is being set by someone who will not do the work, which is how engagements end up mis-scoped.
Will they sign an NDA and how is your data handled?
A serious provider signs a non-disclosure agreement as a matter of routine and can describe, specifically, how your data is stored, access-controlled, and deleted. Ask whether they operate under an information security management system (ideally aligned to ISO 27001 principles), where findings and reports are stored, who can access them, and when they are deleted after the engagement. You are inviting someone to find and document your weaknesses: how they protect that information is part of the service, not an afterthought.
Vague or evasive answers here are a serious red flag. The details of your vulnerabilities are some of the most sensitive data your company holds.
Can you see a sample report before signing?
Yes, and you should always ask for one. The report is the actual product you are buying, so seeing a sample before you sign tells you exactly what you will get. A good report has an executive summary for management, a per-vulnerability technical section with description, evidence, risk rating, and reproduction steps, and concrete remediation guidance. Every finding should be manually verified. The sample should be anonymized or written for a demo environment: a provider who shows you another client's unredacted findings will show yours to the next prospect.
If a provider cannot or will not show you a sample, be cautious. And if the sample turns out to be lightly reformatted scanner output (pages of automated entries with generic descriptions and no manual verification), you are buying a vulnerability scan dressed up as a pentest.
Is the pricing transparent and fixed?
Good providers quote transparent, person-day-based pricing with a fixed total: a stated number of testing days, a daily rate, and a final price that does not move if the work runs a few hours long. Ask exactly what is included (testing, reporting, debrief, retest) and what is extra. This protects you from both surprise overruns and from quotes so vague you cannot compare providers.
Treat a quote far below market as a question, not a bargain. It usually means junior testers, a scanner-driven process, or a scope quietly narrowed to fit the price. Cheap testing that misses the attack path that matters is the most expensive testing there is.
Is the scope driven by your risk or by a template?
The scope should come from a conversation about your actual environment and risk, not from a one-size-fits-all package. A good provider asks what you are trying to protect, what would hurt most if compromised, what compliance drivers you have, and what changed recently, then proposes a scope from that. Greybox testing (the tester starts with valid user credentials and basic knowledge of the environment) is usually recommended, because it reflects the realistic attacker who phished an employee or is an insider, and it finds far more than an unauthenticated blackbox test, which spends much of its budget on reconnaissance that a real attacker with a stolen login would not need.
Be wary of a provider who proposes blackbox testing without a clear reason, or who sells you the same package they sell everyone. The Penetration Testing Buyer’s Guide covers scoping and methodology in depth.
Should a DACH SMB pick a local provider?
For most DACH SMBs, a regional provider has real practical advantages. You get the option of German-language reporting and debriefs, working hours that line up with yours, direct familiarity with the regulation you face (NIS2, GDPR, ISO 27001, TISAX, DORA), and data handling under EU law. These matter more for smaller companies than for large enterprises, because you have less internal capacity to translate, bridge time zones, or interpret unfamiliar compliance mappings yourself.
This is not an absolute rule, but for a 50 to 500 person company that values a direct relationship and a tester who understands the local regulatory context, a DACH-based provider usually reduces friction.
The checklist at a glance
| Area | Ask | Good answer |
|---|---|---|
| People | Who runs the test, and their certs? | A named senior tester (OSCP, CISSP, GIAC) |
| Scoping | Is a tester on the scoping call? | Yes, not just sales |
| Data | NDA and ISMS-based handling? | Routine NDA, defined storage and deletion |
| Deliverable | Can I see a sample report? | Yes, manually verified findings |
| Pricing | Transparent and fixed? | Person-days, daily rate, fixed total |
| Scope | Risk-driven or template? | Driven by your environment and risk |
| Methodology | Why this method? | Greybox by default, with a reason |
| Follow-up | Is a retest available? | Yes, as a defined add-on |
If a provider answers these clearly and challenges you where your request does not match your need, that is the provider worth working with.
Where VidraSec fits
VidraSec is built to pass this checklist. Every test is run personally by Martin Grottenthaler (OSCP, CISSP, GCFA, GWAPT), the scoping call is with the tester rather than a salesperson, an NDA and ISMS-based data handling are standard, example reports are published so you can see the deliverable before signing, and pricing is transparent and fixed per person-day. Scope is driven by your risk, and greybox is the default recommendation. The FAQ answers the common questions on price, process, and compliance.
Want a provider who passes this checklist? Get in touch.
martin@vidrasec.com | +43 670 3081275
Related Services
- External IT Infrastructure Penetration Test
- Internal IT Infrastructure Penetration Test
- Web Application Penetration Test