The penetration testing market in 2026 is flooded with providers, and the quality variance is enormous. Some firms deliver thorough, manual assessments that find the vulnerabilities your developers missed. Others run an automated scan, wrap the output in a branded PDF, and charge you $15,000 for work that a $200 monthly tool could do.
Choosing the wrong provider does not just waste money. It creates a dangerous false sense of security. You believe your application has been tested. It has not. This guide helps you evaluate pentest providers based on the criteria that actually matter and avoid the ones that will leave your application exposed.
## The questions you should ask every provider
Before signing with any pentest provider, ask these questions. Their answers will tell you more about the quality of their work than any sales presentation or marketing website.
### Who will actually perform the test?
This is the most important question. Some firms sell the engagement with senior consultants and then staff it with junior testers. Ask for the name and qualifications of the person who will be doing the work. You want someone with relevant certifications (OSCP, OSWE, GWAPT, or similar), multiple years of web application testing experience, and a track record that goes beyond running tools.
At Lorikeet Security, we tell you exactly who will be testing your application before the engagement starts. Our consultants are the same people you talk to during scoping and debrief. There is no bait-and-switch.
### What percentage of the test is manual versus automated?
A quality web application pentest is 70-80% manual work supplemented by automated tools. The automated portion handles reconnaissance, vulnerability scanning for known issues, and coverage verification. The manual portion handles authorization testing, business logic, chained attack paths, and the complex vulnerabilities that are unique to your application.
If a provider cannot clearly articulate their manual testing methodology, or if they deflect to tool names when asked how they test for authorization flaws, they are likely running a scanner with minimal human analysis.
### Can I see a sample report?
Any reputable provider should be willing to share a redacted sample report. Review it for:
- Detail in findings: do they include full reproduction steps?
- Quality of remediation guidance: are recommendations specific and actionable?
- Depth of testing: are there business logic findings, or only tool-detectable issues?
- Overall professionalism and clarity.
### Is retesting included?
A pentest without retesting is an incomplete service. Your provider should include a retest window where they verify that critical and high findings have been properly remediated. Some providers include this in the base price. Others charge extra. Either way, confirm this before signing.
### How are findings communicated during the engagement?
The best providers do not wait until the final report to tell you about critical vulnerabilities. They communicate high-severity findings in real time as they are discovered, giving your team the opportunity to start remediation immediately. Ask whether the provider offers real-time findings delivery or holds everything until the end.
## Provider types and what to expect from each
| Provider Type | Strengths | Weaknesses | Price Range |
|---|---|---|---|
| Large consulting firms | Brand recognition, broad capabilities, established processes | Junior staffing, slow timelines, high prices, low personalization | $25,000 - $100,000+ |
| Boutique security firms | Senior consultants, deep expertise, personalized service | Smaller capacity, less brand recognition | $7,500 - $40,000 |
| PTaaS platforms | Continuous testing, platform integration, fast delivery | Variable quality, may lack depth on complex apps | $12,000 - $50,000/year |
| Freelance consultants | Low cost, flexible scheduling | No QA process, limited insurance, single point of failure | $3,000 - $15,000 |
| Scanner-as-a-service | Low cost, fast results | No manual testing, misses critical vulnerabilities | $500 - $5,000 |
For web application pentesting specifically, boutique security firms and specialized PTaaS providers tend to deliver the best depth-to-cost ratio. Large consulting firms are better suited for enterprise-scale programs that require multiple concurrent engagements across different security domains.
## Red flags that should disqualify a provider
- No scoping process. If a provider quotes you a price without asking detailed questions about your application, they are not planning a thorough test.
- Guaranteed findings. No legitimate provider guarantees they will find a specific number of vulnerabilities. The number of findings depends on your application's security posture, not the provider's effort.
- Unwillingness to share methodology. A provider should be able to describe their testing approach in detail. If they treat their methodology as a trade secret, they may not have one.
- No insurance. Professional liability insurance and errors and omissions coverage are standard for reputable pentest firms. Uninsured providers expose you to risk if something goes wrong during testing.
- Pricing that is too good to be true. If a provider quotes $3,000 for a web application pentest, they are not performing a manual assessment. The labor alone for even a basic engagement costs more than that.
- No references available. Any established provider should be able to connect you with references from similar engagements. If they cannot, ask why.
## The evaluation scorecard
When comparing providers, score each one on the following criteria. Weight the scores based on what matters most to your organization.
- Consultant quality: Experience level, certifications, and web application specialization of the assigned tester.
- Methodology depth: Manual testing percentage, authorization testing approach, business logic testing capability.
- Report quality: Actionable findings, clear reproduction steps, specific remediation guidance.
- Communication: Real-time findings delivery, accessibility during the engagement, debrief quality.
- Retesting and remediation support: Whether retesting is included and how remediation questions are handled.
- Pricing transparency: Clear scope and pricing with no hidden fees or unexpected add-ons.
- Compliance readiness: Report formatting for SOC 2, ISO 27001, PCI DSS, or other frameworks you need.
- References and reputation: Client references, case studies, and independent reviews.
## Why companies choose Lorikeet Security
Lorikeet Security is a boutique offensive security firm that specializes in web application and API penetration testing for SaaS companies and growth-stage organizations. Here is why our clients choose us over larger alternatives.
- Senior consultants on every engagement. You know exactly who is testing your application, and that person has deep web application security expertise. No junior staffing, no bait-and-switch.
- Real-time findings delivery. Critical and high findings are reported immediately through our platform. Your team starts remediating on day one, not two weeks after the engagement ends.
- Transparent pricing. Our prices are published. Web application pentests start at $7,500. No discovery calls required to learn what we charge.
- Retesting and remediation support included. Every engagement includes a retest window and ongoing access to the testing team for remediation questions.
## Ready to Choose a Pentest Provider?
We are happy to answer any questions about our methodology, our team, and our pricing. No sales pitch required.