Over the last decade of security testing, we have often been asked which other penetration testing companies we would recommend. While this may seem weird, there are several reasons for this question. For example, some organizations require competing bids from similar suppliers. Others follow a strategy of regularly switching or alternating penetration testing companies. (If you are interested, we have an article about switching vendors.)
While we would prefer organizations to use Secure Ideas as their third-party security consulting company of choice, we understand the need for evaluating alternatives. So to help out, we decided to list some of the security consulting firms that we would recommend. All of the consulting firms on this list are companies that we are confident would provide a level of service that we are comfortable recommending.
This article focuses on what are commonly referred to as boutique security firms offering penetration testing services. While we recognize that many people work well with larger security or full-service consulting firms, we believe strongly that the focus and skill sets found within the firms on this list provide a better solution for most organizations.
Please keep in mind that we ordered this list alphabetically. While it is likely possible to come up with some type of ranking between them, we find that each of these companies is awesome in its own way:
Atredis Partners - Atredis Partners is run and staffed by some of the best-known names in information security. When organizations request penetration testing from them, they build out a custom scope designed to meet the organization's goals.
Black Hills Information Security - BHIS is run by John and Erica Strand and is best known for their regular webcasts explaining so many of the techniques that Red Teams use around the world. The BHIS team uses these techniques while delivering outstanding tests and reports.
Counter Hack - Founded by Ed Skoudis of SANS fame, Counter Hack is better known as the organization that runs the NetWars system, but they also perform specialized penetration testing. Counter Hack's staff has helped build the industry standards for penetration testing, and this is shown in their services.
InGuardians - While InGuardians is probably the oldest organization on this list, they are still a powerhouse when it comes to penetration testing. They work well with their clients by ensuring that the test exceeds all goals set.
Lares - When people think of Lares, they often think of the Penetration Testing Execution Standard (PTES). And when we consider their services, they produce excellent work that surpasses the standard.
Red Siege - While Red Siege is the newest in this list, Tim Medin has created a powerhouse in the industry. Not only do they perform top-notch penetration tests, but Tim's team shares their knowledge around the world.
TrustedSec - Probably the most commonly interviewed on TV, TrustedSec is one of the best companies around. Dave Kennedy has developed many of the processes that the infosec industry follows to ensure that they perform a comprehensive test.
Finally, we would like to point out IANS Research. While it is not directly a penetration testing organization, they do offer the services of their faculty. Many of the organizations above (including Secure Ideas) have staff members that are part of the IANS faculty, so if your organization already works with IANS, you can work with them to have a penetration test performed.
If you are looking for alternate companies in the consulting industry, any of the vendors above would be a great choice for improving your security posture.