14 minute read


On June 4th, 2022 - I gave the talk “Buying Security: A Client’s Guide” at BSidesSF. I simultaneously released a guide on the same topic over on tldrsec. Both the talk and guide relied on almost 200 different resources, in addition to a survey of over 100 security professionals.

This post serves as the bibliography for this work. Shout-out to Zotero.


5 Tips for selecting a penetration testing company in 2021. (2020, June 8). Virtue Security. https://www.virtuesecurity.com/5-tips-for-selecting-a-penetration-testing-company-in-2020/

20 Tips on How to Make the Most of Your Penetration Test. (n.d.). Bishop Fox. Retrieved May 7, 2022, from https://bishopfox.com/blog/20-tips-to-make-the-most-of-pen-test

44CON Information Security Conference. (2012, March 15). Penetration Testing Considered Harmful, Haroon Meer—44CON 2011. https://www.youtube.com/watch?v=GvX52HPAfBk

2020 Penetration Testing Report. (n.d.). CoreSecurity. Retrieved May 7, 2022, from https://static.helpsystems.com/core-security/pdfs/guides/cs-2020-pen-testing-survey-report-guide.pdf?__hstc=220751815.f3cb1418dff72fa8eb1e2efcdebb5106.1636503081447.1636503081447.1637729548639.2&__hssc=220751815.2.1637729548639&__hsfp=3089203511

2020 Rapid7 Under the Hoodie Report. (n.d.). Rapid7. Retrieved May 7, 2022, from https://www.rapid7.com/research/report/under-the-hoodie-2020/

2021 Penetration Testing Report. (n.d.). CoreSecurity. Retrieved May 7, 2022, from https://static.helpsystems.com/core-security/pdfs/guides/cs-2021-pen-testing-report.pdf

A Buyer’s Guide to Penetration Testing.pdf. (n.d.). Retrieved May 7, 2022, from https://cdn2.hubspot.net/hubfs/3017156/Downloadable%20Assets/A%20Buyer%27s%20Guide%20to%20Penetration%20Testing.pdf?t=1537971043448

A Comprehensive Guide to Building a Pentest Program. (n.d.). Retrieved May 7, 2022, from https://www.securitymagazine.com/articles/93045-a-comprehensive-guide-to-building-a-pentest-program

Abdel-Aziz, A. (n.d.). Scoping Security Assessments—A Project Management Approach. SANS Institute. Retrieved May 7, 2022, from https://www.sans.org/white-papers/33673/

Adapting Penetration Testing for Software Development Purposes CISA. (n.d.). Retrieved May 7, 2022, from https://www.cisa.gov/uscert/bsi/articles/best-practices/security-testing/adapting-penetration-testing-software-development-purposes

Adrian Crenshaw. (2014, September 27). T203 How not to suck at pen testing John Strand. https://www.youtube.com/watch?v=Yo4oP2eyDtI

Adrian Crenshaw. (2016, September 25). 215 Recharging Penetration Testing to Maximize Value James Jardine. https://www.youtube.com/watch?v=w_GuV1V5-rA

Adrian Crenshaw. (2019, June 14). ShowMeCon 2019 14 Penetration Testing The Good Bad and the Ugly of Vendor Management Reporting and R. https://www.youtube.com/watch?v=pvzD6_fKdJA

adrian_rt. (2020, November 16). What documents do I need for a new pentest company (UK)? [Reddit Post]. R/AskNetsec. www.reddit.com/r/AskNetsec/comments/jvf65m/what_documents_do_i_need_for_a_new_pentest/

Arkin, B., Stender, S., & McGraw, G. (2005). Software penetration testing. IEEE Security and Privacy Magazine, 3(1), 84–87. https://doi.org/10.1109/MSP.2005.23

Arnold, M. (2020a, May 8). I Want a Pentest, Part 1. Lares. https://www.lares.com/blog/i-want-a-pentest-part-1/

Arnold, M. (2020b, December 15). How to Scope Your Next (or First) Pentest. Lares. https://www.lares.com/blog/penetration-testing-as-a-journey/

ASCEND, T. (n.d.). The Complete Guide to Penetration Testing. Retrieved May 7, 2022, from https://blog.teamascend.com/the-complete-guide-to-penetration-testing

Banks, T., & Carric. (n.d.). The pentest is dead, long live the pentest!

BAS and Red Teams Will Kill The Pentest. (2018, February 14). Augusto Barros. https://blogs.gartner.com/augusto-barros/2018/02/14/bas-and-red-teams-will-kill-the-pentest/

Bishop, M. (2007). About Penetration Testing. IEEE Security & Privacy Magazine, 5(6), 84–87. https://doi.org/10.1109/MSP.2007.159

Blakley, B. (2021, September 15). Purchasing Managed Security Services: Strategies for Client References. Dark Reading. https://www.darkreading.com/vulnerabilities-threats/purchasing-managed-security-services-strategies-for-client-references

Bork, K. (2019a, February 22). How to Reduce the Cost of a Penetration Test » Triaxiom Security. Triaxiom Security. https://www.triaxiomsecurity.com/how-to-reduce-costs-on-a-penetration-test/

Bork, K. (2019b, May 6). What to Look For in a Penetration Testing Proposal? » Triaxiom Security. Triaxiom Security. https://www.triaxiomsecurity.com/what-to-look-for-in-a-penetration-testing-proposal/

Bork, K. (2019c, June 3). What to Look For in a Penetration Testing Statement of Work? Triaxiom Security. https://www.triaxiomsecurity.com/what-to-look-for-in-a-penetration-testing-statement-of-work/

Bork, K. (2020a, January 24). Reasons For a Penetration Test » Triaxiom Security. Triaxiom Security. https://www.triaxiomsecurity.com/reasons-for-a-penetration-test/

Bork, K. (2020b, February 28). Measuring the Effectiveness of a Penetration Test » Triaxiom Security. Triaxiom Security. https://www.triaxiomsecurity.com/measuring-the-effectiveness-of-a-penetration-test/

Bork, K. (2020c, May 19). Writing an Effective Penetration Testing RFP » Triaxiom Security. Triaxiom Security. https://www.triaxiomsecurity.com/how-to-write-and-effective-penetration-testing-rfp/

BSides Boston. (2020, November 1). Dmitry Zagadsky - Don’t end up with a pencil: Tips for shopping for pen tests. https://www.youtube.com/watch?v=Wr4UxdUa2aI

BSidesCHS. (2017, November 12). BSidesCHS 2017: “Hacking the ROI: How to maximize your value from a Pentest” by Mike Hodges. https://www.youtube.com/watch?v=1vHNOiBlSL4

Bulletproof—Annual Cyber Security Report 2019. (n.d.). 23.

Bulletproof—Annual Cyber Security Report 2020. (n.d.). Retrieved May 7, 2022, from https://www.bulletproof.co.uk/industry-reports/2020.pdf

Bulletproof—Annual Cyber Security Report 2021. (n.d.). Retrieved May 7, 2022, from https://www.bulletproof.co.uk/industry-reports/2021-report.pdf

BUYERS GUIDE: 6 QUESTIONS TO ASK EVERY PENTEST COMPANY. (n.d.). Retrieved May 7, 2022, from https://rhinosecuritylabs.com/wp-content/uploads/2017/12/RSL_6-questions-ask-every-pentest-company.pdf

Caudill, A. (2020, March 27). Checklist: Starting a Security Consulting Firm. https://adamcaudill.com/2020/03/27/checklist-starting-a-security-consulting-firm/

Chiappetta, J. (2020, November 3). How to Prevent Security Breaches With AppSec Pentesting. Medium. https://betterappsec.com/how-to-prevent-security-breaches-with-appsec-pentesting-ba4100645994

Choosing A Manual Pentest Program Provider – Digitalmunition. (n.d.). Retrieved May 7, 2022, from https://web.archive.org/web/20200825062838/https://www.digitalmunition.me/choosing-a-manual-pentest-program-provider/

Collins, Q. (n.d.-a). Catch and Release: Executive’s Guide to Penetration Testing—3 of 4 LinkedIn. Retrieved May 7, 2022, from https://www.linkedin.com/pulse/catch-release-executives-guide-penetration-testing-3-collins/
Collins, Q. (n.d.-b). The Day After: Executive’s Guide to Penetration Testing 4 of 4 LinkedIn. Retrieved May 7, 2022, from https://www.linkedin.com/pulse/day-after-executives-guide-penetration-testing-4-quincey-collins/
Collins, Q. (n.d.-c). The Overview: Executive’s Guide to Penetration Testing—1 of 4 LinkedIn. Retrieved May 7, 2022, from https://www.linkedin.com/pulse/overview-executives-guide-penetration-testing-1-4-quincey-collins/
Collins, Q. (n.d.-d). The Paperwork: Executive’s Guide to Penetration Testing—2 of 4 LinkedIn. Retrieved May 7, 2022, from https://www.linkedin.com/pulse/paperwork-executives-guide-penetration-testing-2-4-quincey-collins/

CONSULTING, L. (2018, November 9). Getting Value out of your 'Penetration Test" https://vimeo.com/299981617

Creasey, J. (n.d.). Penetration Testing Services Procurement Guide. Retrieved May 7, 2022, from https://www.crestapproved.org/wp-content/uploads/2014/11/PenTest-Procurement-Buyers-Guide.pdf

Creasey, J. (2017, April). A guide for running an effective Penetration Testing programme. https://www.crestapproved.org/wp-content/uploads/CREST-Penetration-Testing-Guide-1.pdf

CYBERSECURITY TECHNOLOGY EFFICACY: Is cybersecurity the new “market for lemons”? (2020, October). Debate Security. https://www.debatesecurity.com/downloads/Cybersecurity-Technology-Efficacy-Research-Report-V1.0.pdf

Dalalana Bertoglio, D., & Zorzo, A. F. (2017). Overview and open issues on penetration test. Journal of the Brazilian Computer Society, 23(1), 2. https://doi.org/10.1186/s13173-017-0051-1

Daleksandrova. (2015, July 13). How to develop a structured approach to penetration testing. IT Governance UK Blog. https://www.itgovernance.co.uk/blog/how-to-develop-a-structured-approach-to-penetration-testing

Davis, R. (2020, March 3). What is a Penetration Tester? Medium. https://manningbooks.medium.com/what-is-a-penetration-tester-c9fc4bad4913

Developing a Security Assessment Program. (2014, December 19). Security Sift. https://www.securitysift.com/developing-a-security-assessment-program/

Elliott & 2020. (2020, June 8). 5 Tips for selecting a penetration testing company in 2020. Security Boulevard. https://securityboulevard.com/2020/06/5-tips-for-selecting-a-penetration-testing-company-in-2020/

Emagined Security Ultimate Guide to Penetration Testing RFP Creation. (n.d.). Retrieved May 7, 2022, from https://static1.squarespace.com/static/5a68804eedaed82645e54e2a/t/5f86ed4f8ae6d9031b440d38/1602678096533/Emagined++Security+Penetration+Testing+RFP+Creation+Template.pdf

Engagement Economics and Security Assessments The Guerilla CISO. (n.d.). Retrieved May 7, 2022, from http://www.guerilla-ciso.com/archives/1854

Envoyproxy/envoy. (2022). [C++]. Envoy Proxy - CNCF. https://github.com/envoyproxy/envoy/blob/8f4c0069f3861631038194065daac47cb52b313b/docs/security/audit_cure53_2018.pdf (Original work published 2016)

Evaluating Penetration Testing Companies Requires Smart Questions. (2017, June 23). https://www.solvereone.com/pages/evaluating-penetration-testing-companies/

Evolution of Penetration Testing: Part 1 The Guerilla CISO. (n.d.-a). Retrieved May 7, 2022, from http://www.guerilla-ciso.com/archives/540
Evolution of Penetration Testing: Part 2 The Guerilla CISO. (n.d.-b). Retrieved May 7, 2022, from http://www.guerilla-ciso.com/archives/545

FAQ - The Penetration Testing Execution Standard. (n.d.). Retrieved May 7, 2022, from http://www.pentest-standard.org/index.php/FAQ

Firch, J. (2020, October 5). What Are The Different Types Of Penetration Testing? PurpleSec. https://purplesec.us/types-penetration-testing/

FIVE METRICS TO SHOWCASE THE ROI OF PENTESTING. (n.d.). NETSPI. Retrieved May 7, 2022, from https://www.netspi.com/wp-content/uploads/netspi-five-metrics-to-showcase-the-roi-of-pentesting-whitepaper.pdf

Geer, D., & Harthorne, J. (2002). Penetration testing: A duet. 18th Annual Computer Security Applications Conference, 2002. Proceedings., 185–195. https://doi.org/10.1109/CSAC.2002.1176290

Getting maximum value out of your Penetration Testing. (n.d.). Context Information Security. Retrieved May 7, 2022, from https://www.contextis.com/en/blog/getting-value-from-pentesting

Getting the Most from a Security Consultant. (2009, January 27). Security Info Watch. https://www.securityinfowatch.com/home/article/10541753/getting-the-most-from-a-security-consultant

Ghassemlouei, A. (n.d.). ANATOMY OF A PEN TEST: Understanding the [ Mindset Toolset ] of Penetration Testers. https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20presentations/DEF%20CON%2022%20-%20Alijohn-Ghassemlouei-Anatomy-of-a-Pentest-Updated.pdf

Google—Outsourcing Portal. (n.d.-a). Retrieved May 7, 2022, from https://partner-security.withgoogle.com/docs/annex/provider_selection.html

Google—Outsourcing Portal. (n.d.-b). Retrieved May 7, 2022, from https://partner-security.withgoogle.com/docs/pentest_guidelines

Graduated and incubating projects. (n.d.). Cloud Native Computing Foundation. Retrieved May 7, 2022, from https://www.cncf.io/projects/

grugq, thaddeus t. (2016, October 17). Cyber: Ignore the Penetration Testers. Medium. https://medium.com/@thegrugq/cyber-ignore-the-penetration-testers-900e76a49500

Hardy, G. (1997). The relevance of penetration testing to corporate network security. Information Security Technical Report, 2(3), 80–86. https://doi.org/10.1016/S1363-4127(97)89713-0

Hexway. (2022a, March 5). Checklist: What Should Be Considered When Ordering a Pentest. Medium. https://hexwayteam.medium.com/checklist-what-should-be-considered-when-ordering-a-pentest-e1ac52347119

Hexway. (2022b, March 29). How to Write an Effective Pentest Report: 5 Key Sections. Medium. https://hexwayteam.medium.com/how-to-write-an-effective-pentest-report-5-key-sections-71bc2c68709f

How much does a Penetration Test Cost? (n.d.). Retrieved May 7, 2022, from https://www.secureideas.com/knowledge/how-much-does-a-penetration-test-cost

How Slack Hires a Red Team (and you can too!). (2019, May 7). Slack Engineering. https://slack.engineering/how-slack-hires-a-red-team-and-you-can-too/

How to build a security assessment program. Dan Boucaut—PDF Free Download. (n.d.). Retrieved May 7, 2022, from https://docplayer.net/8652026-How-to-build-a-security-assessment-program-dan-boucaut.html

How to choose a penetration testing provider wisely. (2022, March 5). Content+Cloud. https://contentandcloud.com/how-to-choose-a-penetration-test-provider-wisely/

How to choose your Security / Penetration Testing Vendor? (2019, September 3). CISO Platform. https://www.cisoplatform.com/profiles/blogs/how-to-choose-your-security-penetration-testing-vendor-1

How to Get the Most Out of Penetration Testing. (n.d.). SEI Blog. Retrieved May 7, 2022, from https://insights.sei.cmu.edu/blog/how-to-get-the-most-out-of-penetration-testing/

How to order a pen test. (, 57:00). https://citadelo.com/de/blog/how-to-order-a-pen-test/

How to select a credible Penetration Testing Vendor. (n.d.). Secforce. Retrieved May 7, 2022, from https://www.secforce.com/assets/downloads/How_to_select_a_vendor.pdf

How to Select a Penetration Testing Provider. (n.d.). Retrieved May 7, 2022, from http://webcache.googleusercontent.com/search?q=cache:5QiZMi2ylAYJ:rss.peakspan.io/gartner_reports/_Gartner20200914/How_to_Select_a_Pene_723076_ndx.pdf

How to Select the Right Third-Party Pen Testing Service Core Security Blog. (n.d.). Retrieved May 7, 2022, from https://www.coresecurity.com/blog/how-select-right-third-party-pen-testing-service

How To Use Pen-Test Reports to Improve Security. (n.d.). IANS. Retrieved May 7, 2022, from https://www.iansresearch.com/resources/all-blogs/post

Inc, C. (n.d.). State of Pentesting 2020. Retrieved May 7, 2022, from https://resource.cobalt.io/ptaas-impact-report-2020

International Conference on Cyber Warfare and Security, A. & Nasser (Eds.). Proceedings of the 14th European Conference on Cyber Warfare and Security ECCWS-2015.

International Council of E-Commerce Consultants (Ed.). (2011). Penetration testing. Course Technology, Cengage Learning.

Is Penetration Testing Worth it? - Schneier on Security. (n.d.). Retrieved May 7, 2022, from https://www.schneier.com/blog/archives/2007/05/is_penetration.html

IT Security Procedural Guide: Conducting Penetration Test Exercises CIO-IT Security-11-51. (2020, July 27). https://www.gsa.gov/cdnstatic/Conducting_Penetration_Test_Exercises_%5BCIO_IT_Security_11-51_Rev_5%5D_07-24-2020docx.pdf

Johnson, J. (2019, July 17). What Reports Will You Get Following a Penetration Test? Triaxiom Security. https://www.triaxiomsecurity.com/what-reports-will-you-get-following-a-penetration-test/

Johnson, J. (2020, January 27). What Makes a Good Penetration Testing Company? » Triaxiom Security. Triaxiom Security. https://www.triaxiomsecurity.com/what-makes-a-good-penetration-testing-company/

Julio. (2022). Public penetration testing reports [CSS]. https://github.com/juliocesarfort/public-pentesting-reports (Original work published 2016)

Klima, T., & Tomanek, M. (2015, January 1). Project Management of Complex Penetration Tests.

Knowles, W., Baron, A., & McGarr, T. (n.d.). Analysis and recommendations for standardization in penetration testing and vulnerability assessment. 20.

Knowles, W., Baron, A., & McGarr, T. (2016). The simulated security assessment ecosystem: Does penetration testing need standardisation? Computers & Security, 62, 296–316. https://doi.org/10.1016/j.cose.2016.08.002

Kugler, R., & Paz, J. (n.d.). The State Of Pentesting 2021. Cobalt. Retrieved May 7, 2022, from https://go.cobalt.io/assets/img/state-pentesting-report/Cobalt-State-of-Pentesting-2021.pdf

Layer 8. (n.d.). Retrieved May 7, 2022, from https://web.archive.org/web/20080117164808/layer8.itsecuritygeek.com/index/layer8/comments/ways-to-annoy-your-pentester/

Making sense of pen testing, part one Black Swan Security. (2012, May 29). https://blog.blackswansecurity.com/2012/05/making-sense-of-pentesting-part-one/
Making sense of pen testing, part two Black Swan Security. (2012, May 31). https://blog.blackswansecurity.com/2012/05/making-sense-of-pen-testing-part-two/

MalcomVetter, T. (2018, September 3). Penetration Testing vs. Red Teaming: PCI Edition. Medium. https://malcomvetter.medium.com/penetration-testing-vs-red-teaming-pci-edition-504e9b8125f9

Manship, R. (n.d.). 7 Pro Tips To Get the Most Out Of Your Penetration Test. Retrieved May 7, 2022, from https://www.redteamsecure.com/blog/7-pro-tips-to-get-the-most-out-of-your-penetration-test

Matasano Chargen » Blog Archive » More on Pen Testing. (2008, August 28). https://web.archive.org/web/20080828062742/http://www.matasano.com/log/719/more-on-pen-testing-2/

Matasano Chargen » Blog Archive » Seven Deadly Pen Test Sins. (2008, August 21). https://web.archive.org/web/20080821161033/http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/

McGeehan, R. (2019, February 20). Measuring a red team or penetration test. Starting Up Security. https://medium.com/starting-up-security/measuring-a-red-team-or-penetration-test-44ea373e5089

Mcwresearch.com » Pen testing. (2008, November 20). https://web.archive.org/web/20081120002120/http://mcwresearch.com/archives/438

Miller, M. (2019a, March 6). Should I Change Penetration Testing Companies Each Year? Triaxiom Security. https://www.triaxiomsecurity.com/change-penetration-testing-companies/

Miller, M. (2019b, May 22). What to Expect After a Penetration Test (Part 1 of 2) » Triaxiom Security. Triaxiom Security. https://www.triaxiomsecurity.com/what-to-expect-after-a-penetration-test-part-1-of-2/

Miller, M. (2019c, May 24). What to Expect After a Penetration Test (Part 2 of 2) » Triaxiom Security. Triaxiom Security. https://www.triaxiomsecurity.com/what-to-expect-after-a-penetration-test-part-2-of-2/

Missing Critical Vulnerabilities Through Narrow Scoping. (n.d.). Trustwave. Retrieved May 7, 2022, from https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/missing-critical-vulnerabilities-through-narrow-scoping/

Moyer, S. (n.d.). Revolving Door Pentesting. Atredis Partners. Retrieved May 7, 2022, from https://www.atredis.com/blog/2018/10/18/revolving-door-pentesting

Nordli, B. (n.d.). What Is Penetration Testing? A Complete Guide Built In. Retrieved May 7, 2022, from https://builtin.com/cybersecurity/penetration-testing

nVisium. (n.d.). AppSec Basics: Your First Pentest. Retrieved May 7, 2022, from https://blog.nvisium.com/p231

Olson, C. (n.d.). Penetration Testing in the Financial Services Industry. Egnyte. Retrieved May 7, 2022, from https://sansorg.egnyte.com/dl/QBmHP3E54h

OWASP DevSlop. (2020, November 15). Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes with Semgrep with Clint Gibler. https://www.youtube.com/watch?v=GoeONtFx0bA

OWASP Foundation. (2018, March 19). APPSEC Cali 2018—Hunter – Optimize your Pentesters Time. https://www.youtube.com/watch?v=-nX61x5xzrs

Partner, K. W. F., President, COO, July 05, C., & 2016. (2016, July 5). How Not To Write A Pen Test RFP. Dark Reading. https://www.darkreading.com/vulnerabilities-threats/how-not-to-write-a-pen-test-rfp

Patrawala, F. (2018, May 14). 5 penetration testing rules of engagement: What to consider. Packt Hub. https://hub.packtpub.com/penetration-testing-rules-of-engagement/

Penetration Testing. (n.d.-a). Retrieved May 7, 2022, from https://www.ncsc.gov.uk/guidance/penetration-testing

Penetration Testing – PwnDefend. (n.d.). Retrieved May 7, 2022, from https://www.pwndefend.com/2021/08/17/penetration-testing/

Penetration Testing 101. (n.d.). Retrieved May 7, 2022, from https://www.vanta.com/blog/penetration-testing-101

Penetration Testing: Buyers Survey. (n.d.-b). Retrieved May 7, 2022, from https://www.surveymonkey.co.uk/r/pentestcrest

Penetration testing methodologies—OWASP. (n.d.). Retrieved May 26, 2022, from https://wiki.owasp.org/index.php/Penetration_testing_methodologies

Penetration Testing Policy. (n.d.). GitLab. Retrieved May 7, 2022, from https://about.gitlab.com/handbook/engineering/security/penetration-testing-policy.html

Penetration Testing Vendors Choosing A Pentesting Vendor. (n.d.). Retrieved May 7, 2022, from https://www.redteamsecure.com/blog/choosing-a-penetration-testing-vendor

PentesterLab. (2017, March 10). Scoping a pentest. Medium. https://blog.pentesterlab.com/scoping-f3547525f9df

Pentesting: Benefits, Legal Compliance And Costs. (n.d.). SEC Consult. Retrieved May 7, 2022, from https://sec-consult.com/blog/detail/pentesting-benefits-legal-compliance-and-costs/

Pre-engagement—The Penetration Testing Execution Standard. (n.d.). Retrieved May 7, 2022, from http://www.pentest-standard.org/index.php/Pre-engagement

Pros and cons of vendor rotation for security testing. (2015, September 23). Foresite. https://foresite.com/blog/pros-and-cons-of-vendor-rotation-for-security-testing/

Providing More Value in Pen Test Reports (Part 1). (2015, September 4). https://attactics.org/2015/09/providing-more-value-in-pen-test-reports-part-1/

Quantum, G. R. A. (2018, January 23). 3 Warnings to Watch for When Selecting a Penetration Testing Vendor. GRA Quantum. https://graquantum.com/find-the-best-penetration-testing-vendors/

Radichel, T. (2020a, October 4). Effective security testing. Cloud Security. https://medium.com/cloud-security/effective-security-testing-93aff57b2858

Radichel, T. (2020b, October 4). Getting value from security testing. Cloud Security. https://medium.com/cloud-security/getting-value-from-security-testing-3dd54faeaf8c

Ranum, M. J. (n.d.). The Dumbest Ideas In Computer Security. 29.

Rea, A. (2021, August 10). Tips for a Successful Cloud Security Consulting Engagement. Medium. https://blog.scalesec.com/tips-for-a-successful-cloud-security-consulting-engagement-eb6fd8cbc696

Revolving Door Pentesting. (n.d.). Atredis Partners. Retrieved May 7, 2022, from https://www.atredis.com/blog/2018/10/18/revolving-door-pentesting

Ring, T. (2014). Why bug hunters are coming in from the wild. Computer Fraud & Security, 2014(2), 16–20. https://doi.org/10.1016/S1361-3723(14)70463-4

Root Cause Analysis in penetration testing. (n.d.). Retrieved May 7, 2022, from https://raesene.github.io/blog/2004/03/23/root_cause_analysis/

RSA Conference. (2014, April 14). Making Penetration Tests Actually Useful. https://www.youtube.com/watch?v=Rv9tBNnOfeo

RSA Conference. (2019, May 17). Schrodinger’s Pentest: Scoping Entanglement. https://www.youtube.com/watch?v=cw6U2_N_aKA

RSA Conference. (2020a, May 6). How to Get the Most Value out of Your Penetration Test. https://www.youtube.com/watch?v=LnC7Kcp3odY

RSA Conference. (2020b, May 6). How to Get the Most Value out of Your Penetration Test. https://www.youtube.com/watch?v=LnC7Kcp3odY

Sanabria, A. (n.d.). IT’S TIME TO KILL THE PEN TEST. 95.

Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical Guide to Information Security Testing and Assessment (NIST Special Publication (SP) 800-115). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-115

Schneier, B., & Ranum, M. (n.d.). Pentesting Sucks. Retrieved May 7, 2022, from http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html

Securealities: 2nd Annual Penetration Risk Report 2019 by Coalfire - Issuu. (n.d.). Retrieved May 7, 2022, from https://issuu.com/coalfire/docs/coalfire_securealities-penetration-risk-report_201

Secured, S. (2018, November 20). Should you alternate pen-testing companies? Medium. https://medium.com/@softwaresecured/should-you-alternate-pen-testing-companies-91a8c2e31904

Security Review—Workplace—Documentation. (n.d.). Facebook for Developers. Retrieved May 7, 2022, from https://developers.facebook.com/docs/workplace/third-party-apps/security-review/

Should I Provide Access to Source Code During a Penetration Test? (2021, September 14). NetSPI. https://www.netspi.com/blog/executive/penetration-testing/consider-a-source-code-assisted-pentest/

Should We Switch Vendors Annually? (n.d.). Retrieved May 7, 2022, from https://www.secureideas.com/knowledge/should-we-switch-vendors-annually

Skoudis, E. (n.d.). 5 pen testing tips. Secure360. Retrieved May 7, 2022, from https://secure360.org/2015/03/5-pen-testing-tips/

Smith, J. (n.d.). The Why Behind Web Application Penetration Test Prerequisites. Retrieved May 7, 2022, from https://research.nccgroup.com/wp-content/uploads/2020/07/the-why-behind-web-application-penetration-test-prerequisites-v-1-0.pdf

Sockol, D. (n.d.). How to Write a Penetration Testing RFP. CyberSecurity Services. Retrieved May 7, 2022, from https://www.emagined.com/blog/penetration-testing-rfp

Spithoff, M. M. B. (n.d.). Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata. 48.

Sqreen. (n.d.). Pentest Best Practices Checklist. Retrieved May 7, 2022, from https://paper.bobylive.com/Security/pentest-best-practices-checklist.pdf

Starke, N. (2017, January 12). Scoping for your first security assessment. ^Lift Security. https://medium.com/lift-security/scoping-for-your-first-security-assessment-57fd9f1a633c

Tang, A. (2014). A guide to penetration testing. Network Security, 2014(8), 8–11. https://doi.org/10.1016/S1353-4858(14)70079-0

The Art of Scoping Application Security Reviews (Part 1)—The Business « Mark Curphey—SecurityBuddha.com. (2007, December 7). https://web.archive.org/web/20071207150024/http://securitybuddha.com/2007/08/22/the-art-of-scoping-application-security-reviews-part-1-the-business/

THE BUYER’S GUIDE TO PENETRATION TESTING. (n.d.). Synack. Retrieved May 7, 2022, from https://em360tech.com/sites/default/files/2020-09/2020-Buyers-Guide-Report.pdf

THE CHALLENGE OF FINDING THE RIGHT PEN TESTING VENDO. (n.d.). Retrieved May 7, 2022, from https://risksense.com/wp-content/uploads/2019/12/Finding-the-Right-Pen-Testing-Vendor-RiskSense.pdf

The Economics of Penetration Testing for Web Application Security. (n.d.). Outpost24. Retrieved May 7, 2022, from https://outpost24.com/sites/default/files/2019-06/Economics-of-Pen-Testing-Whitepaper.pdf

The History of Penetration Testing Alpine Security. (n.d.). Retrieved May 7, 2022, from https://web.archive.org/web/20200426042416/https://alpinesecurity.com/blog/history-of-penetration-testing/
Three Action Items to Consider After Completing a Pen Test Core Security. (n.d.). Retrieved May 7, 2022, from https://www.coresecurity.com/blog/three-action-items-consider-after-completing-pen-test

TIBER-EU Framework Services Procurement Guidelines. (2018, August). https://www.ecb.europa.eu/pub/pdf/ecb.tiber_eu_services_procurement_guidelines.en.pdf

Under the Hoodie 2018. (n.d.). Retrieved May 7, 2022, from https://www.rapid7.com/globalassets/_pdfs/research/rapid7-under-the-hoodie-2018-research-report.pdf

Understanding the Driving Factors of a Pen Test. (n.d.). Bishop Fox. Retrieved May 7, 2022, from https://bishopfox.com/blog/driving-factors-of-a-penetration-test

Velimirovic, A. (2021, March 2). What is Penetration Testing? {Steps, Methods, Types}. PhoenixNAP Blog. https://phoenixnap.com/blog/penetration-testing

Webcast: What to Expect When You’re Expecting a Penetration Test. (2020, August 21). Black Hills Information Security. https://www.blackhillsinfosec.com/webcast-what-to-expect-when-youre-expecting-a-penetration-test/

What Is A Penetration Test And Why Do I Need It? (n.d.). Retrieved May 7, 2022, from https://www.redteamsecure.com/blog/penetration-test-need

What is penetration testing? What is pen testing? (n.d.). Cloudflare. Retrieved May 7, 2022, from https://www.cloudflare.com/learning/security/glossary/what-is-penetration-testing/
What is Penetration Testing (Pen Testing)? CrowdStrike. (n.d.). Crowdstrike.Com. Retrieved May 7, 2022, from https://www.crowdstrike.com/cybersecurity-101/penetration-testing/

What to Look For in a Penetration Testing Company. (n.d.). HackerOne. Retrieved May 7, 2022, from https://www.hackerone.com/vulnerability-management/what-look-penetration-testing-company

Whitaker, T. (2022, March 14). Turning Penetration Tests Into Sales Artifacts. Medium. https://theporkskewer.medium.com/turning-penetration-tests-into-a-sales-artifacts-917dfc26e73f

White Box Testing CISA. (n.d.). Retrieved May 27, 2022, from https://www.cisa.gov/uscert/bsi/articles/best-practices/white-box-testing/white-box-testing

Wickenden, M. (2016, September 5). The Commoditisation of Penetration Testing. 4ARMED Cloud Security Professional Services. https://www.4armed.com/blog/penetration-testing-commoditisation/

Wickenden, M. (2018, May 24). Scoping a penetration test. 4ARMED Cloud Security Professional Services. https://www.4armed.com/blog/scoping-a-penetration-test/

Williams, J. (n.d.). Decide Where to Do Manual Penetration Testing: Production or Dev/Test. Retrieved May 7, 2022, from https://www.iansresearch.com/docs/default-source/ians-documents/sample-euds-content/ians-decide-where-to-do-manual-penetration-testing-production-or-devtest.pdf?sfvrsn=aaa8c9e_3

Williams, J. (2013a, June 25). Penetration Testing Scope—Murky Waters Ahead! MalwareJake. https://malwarejake.blogspot.com/2013/06/penetration-testing-scope-murky-waters.html

Williams, J. (2013b, August 6). MalwareJake: Need help pen testing a web app? Ask the client! MalwareJake. https://malwarejake.blogspot.com/2013/08/need-help-pen-testing-web-app-ask-client.html

Wong, C., & Shema, M. (n.d.). Pen Test Metrics 2018. Cobalt. Retrieved May 7, 2022, from https://resource.cobalt.io/hubfs/Pen%20Test%20Metrics%202018.pdf

yeeted_account. (2019, May 3). So they want me to start a pentesting program [Reddit Post]. R/AskNetsec. www.reddit.com/r/AskNetsec/comments/bk6iqb/so_they_want_me_to_start_a_pentesting_program/

Your Reporting Matters: How to Improve Pen Test Reporting. (2019, July 29). Black Hills Information Security. https://www.blackhillsinfosec.com/your-reporting-matters-how-to-improve-pen-test-reporting/

Yüce, E. (n.d.). Overview of Penetration Testing Methodologies and Tools. 41.

Zeltser, L. (n.d.). Information Security Assessment RFP Cheat Sheet. 1.

Zusman, M. (n.d.). 5 Ways to Increase Pen Testing ROI Carve Systems. Retrieved May 7, 2022, from https://carvesystems.com/news/5-ways-to-increase-pen-testing-roi/