Updated On 7 March, 2023

Pentest Vendor Retention or Rotation & the Right Approach

With recent research showing the average cost of a data breach in 2021 reached a whopping $4.35 million, there is little debate on why organizations need to establish cybersecurity best practices. For US-based companies, the average cost of a security breach comes in at an astounding $9.44 million – the highest of any country. These breach costs pose financial risks to any organization and require a proactive, proven risk management strategy that includes penetration testing.

One of the primary goals of a penetration test is to build a cyber resilient security posture. By investing in a penetration testing service, organizations can take proactive steps to avoid preventable data breaches by discovering vulnerabilities in IT assets before attackers exploit them and cause an expensive breach.

In this article, we will cover why choosing a pentest vendor is a big decision for your business, what the triggers for changing vendors are, and what the right approach is when it comes to retaining your current vendor or rotating to a new vendor.

Choosing a Pentest Vendor Is a Risk Management Decision

Choosing a pentest vendor for your organization can be a difficult decision that will impact overall cybersecurity risk management. You are transferring security testing to your pentest vendor. The selected vendor will provide you with new insights into the security posture, thereby providing a fresh perspective which was not available earlier.

After a pentest vendor has fulfilled their contractual obligations, your contract will eventually conclude. While you can continue to work with the same vendor, there can be multiple reasons for switching your penetration testing vendor. It can be because of unsatisfactory or unreliable service, mandated vendor rotation, or following the RFP (request for proposal) process every time.

When to Use a Pentest Vendor vs. the In-House Team

Security and IT leaders might not know if they should run an internal pentest using their in-house team or run an external pentest using a trusted penetration testing provider. The answer depends on the organization’s goals and requirements that are triggering the request for the pentest engagement in the first place. Both internal and external penetration testing exercises help companies manage cybersecurity risks across the network’s infrastructure, users, systems, and applications. However, compliance requirements, such as HIPAA Penetration testing, GDPR penetration testing, and PCI DSS penetration testing, will drive the engagement, including vendor selection and pentest scope.

An in-house security team that conducts internal pentests is already familiar with your IT infrastructure, since they interact with your IT assets daily. However, in-house teams may become biased by repeatedly testing the same infrastructure. Security experts usually advise conducting external pentests with external providers in addition to the internal pentests performed by your in-house team.

Most organizations opt for external pentest vendors to assess their security posture with a vendor assessment in order to fulfill regulatory obligations that mandatorily require a third-party security audit. Selecting an external vendor for penetration testing for third-party security assessments has become a frequent practice across many industry verticals. An external penetration testing service provider simulates its penetration tests in the same manner as the attackers would to ensure third-party compliance requirements have been met on a tested system.
Additional requirements that can be used in the external vendor selection process include market reputation, team members, dependability, trustworthiness, response times, experience, and achievements. In the decision-making process, you can also check if the vendor has certifications like ISO 27001, SOC 2 Type, and CREST, among others.

Pentest Vendor Retaining v. Rotating: What should you do?

There can be no generalized answer to this question. Companies may opt to retain a penetration testing vendor if they are satisfied with the service. Some companies have vendor and third-party supplier restrictions; in these cases, the decision-maker may be required to change vendors on occasion. This is where ‘rotating’ the vendor is an option to make a change in your pentesting services. These decisions typically occur annually or every few years.

Consider the range of factors that will positively or negatively impact the outcome of a decision to change your pentest vendor.

Retaining Your Current Pentest Vendor – the pros and cons

If you continue with the same penetration testing vendor, there are benefits and drawbacks to consider to inform those involved with the decision-making process.

Pros include:

  • Since the existing pentest vendor has already onboarded you and your team, you do not need to participate in the full onboarding process again.
  • Your current pentest vendor has in-depth knowledge of the findings from the last pentest and the following remediation process.
  • The existing pentest vendor is aware of your security posture, for example, by conducting regular vulnerability assessments.

Cons include:

  • Continuing with the same pentest vendor can limit the comprehensiveness of findings.
  • Because existing pentest vendors are familiar with your IT assets and recent pentest findings, they may introduce bias into their testing methodology, which reduces the value of the test results.
  • Continuing with the same penetration testing vendor may result in future exercises becoming a replica of past exercises. In a long-term pentest engagement, this can decrease the value of return on investment.

Finally, when an organization needs testing that keeps pace with regular changes in its infrastructure, it is worth considering penetration testing as a service – aka PTaaS – for continuous, quality penetration testing with one pentest service provider. Streamlining penetration testing with PTaaS delivers ROI on full-stack pentesting that traditional pentest vendors cannot provide.

Rotating Your Current Pentest Vendor – the pros and cons

Continuing with the same penetration testing vendor can raise questions about the quality of these exercises over time. For that reason, organizations consider rotating their pentesting vendors. This approach has negatives and positives that need to be considered before rotating pentest vendors.

Pros include:

  • An organization can compare the quality of testing results and support provided with the next pentesting vendor’s report.
  • In the next cycle of tests, an organization can also hire multiple vendors with specializations such as web, API, infrastructure, etc.

Cons include:

  • You will have to go through the routine effort involved with setting up a new vendor, including ensuring the vendor meets the third-party compliance requirements your organization requires.
  • Your organization will require extra effort to build the insights, document the testing rules, and share the necessary knowledge about your IT assets with the new pentest vendor.
  • You and the internal stakeholders involved will have to onboard the new vendor’s platform and tools. This typically will require training for your in-house teams and stakeholders.

Alternatives to Vendor Retention and Rotation

There are industry recommendations that promote both retaining and rotating vendors. Here, you retain one vendor while rotating the second one. Apart from the increased costs, this approach also adds extra overhead for your internal teams as they are expected to coordinate with different vendors for the same exercise. Instead of benefits, this approach can result in more friction in your security operations.

The actual decision on this issue should not be taken when your contract is due for renewal. When hiring a vendor, it is critical to assess their talent’s skillset and experience, in addition to the vendor’s reputation, credibility, and certifications. Seeking a trusted penetration testing vendor with expert human hackers, best-in-class technology, and industry recognition will provide a solid choice for the long run.

Start Your Pentest Vendor Relationship with BreachLock

To enable a long-term partnership with our clients, BreachLock’s Pentest as a Service (PTaaS) approach, a SOC 2 Type 2 certified service, combines the power of machine intelligence and certified hackers. This approach helps our clients and us solve cost and scalability issues through an agile SaaS cloud platform while conducting third-party security assessments. Our unique approach combines automated and manual vulnerability discovery methods in line with industry best practices.
Once a pentest is completed, we retest your remediation measures and generate a certificate for executing a penetration test. This is continuously followed by monthly scans through our SaaS platform. You get access to our platform throughout this process, and our security experts help you find, fix, and prevent the next cyber breach.
With BreachLock’s award-winning innovative approach to pentesting, the security of your IT assets is looked after by experts who are redefining cybersecurity resilience testing for some of the largest companies in the world. Whether you are looking for a long-term pentest vendor or in the process of rotating your vendor, schedule a discovery call here.