Security Guide

Common mistakes when choosing providers

Most bad decisions do not come from bad intent, but from time pressure, poor comparability, or wrong assumptions. This guide highlights the most common mistakes - and how to avoid them pragmatically.


Quick summary

Avoid

Deciding only on price, leaving scope unclear, not reviewing reports.

Risk

Accepting scanner-only work as a pentest, missing accountability in the team.

Critical

No methodology, no PoCs, no follow-up on findings.


Why these mistakes are so common (experience)

In practice, we keep seeing the same patterns:

  • time pressure leads to quick decisions without clean scoping
  • marketing claims replace technical evidence
  • comparability is missing because offers are shaped differently
  • accountability is not clearly named

Common mistakes - and how to avoid them

1) Comparing only price

A low price often means less depth.
Better: make offers comparable (scope, time allocation, methodology).

2) Unclear scope definition

Without scope, there is no serious comparison.
Better: document target systems, exclusions, risks, and rules of engagement (RoE) in writing.

3) Accepting scanners as a “pentest”

Automated tests are useful, but they do not replace manual testing.
Better: ask about manual analysis and PoCs.

4) No clear technical accountability

Anonymous teams lead to unclear decisions.
Better: require a named lead tester.

5) Not reviewing reports

Unusable reports waste time and budget.
Better: request sample report(s) and check prioritization.

6) Missing compliance boundaries

Having no NDA, DPA, or privacy process in place is a risk.
Better: clarify legal boundaries upfront.


From the field: proposal comparison

In proposal comparisons, we often see:

  • same tooling, but very different manual depth
  • technically correct findings without clear prioritization
  • good certifications, but no proven project experience

What matters instead (expertise)

  • traceable methodology (e.g., OWASP, PTES, NIST 800-115)
  • reproducible findings and clear fix recommendations
  • named lead role and defined communication
  • legal and organizational boundaries clearly defined

Quick check: evaluate providers fast

Criterion        Solid                        Weak
Methodology      documented                   unclear
Testing          manual + tooling             scanner-only
Report           reproducible & prioritized   unstructured
Accountability   named lead                   anonymous

Conclusion

Most selection mistakes are avoidable if scope, methodology, and accountability are clearly defined.
Choose a provider with clean methodology and clear outcomes over a cheap offer without substance.


This guide was created by security engineers with experience on both the client and provider side. It does not replace individual legal advice.


Next step

If you need support with selection, we can help in a neutral and structured way.
