
Looking for a Prescient Security Alternative? Here Is What to Look For in a New Security Partner

Lorikeet Security Team April 1, 2026 8 min read

If you've landed here, you're probably evaluating security vendors after reconsidering your relationship with Prescient Security — whether due to the Delve compliance scandal, a service quality concern, or simply a regular vendor review. This guide is designed to help you evaluate any penetration testing and security advisory partner, with criteria grounded in what actually differentiates quality providers. We'll also tell you where Lorikeet Security fits in that picture — honestly, not as marketing copy.

Quick context on the Delve situation: In March 2026, Delve — a YC-backed compliance platform used by several CPA firms including Prescient Security to deliver SOC 2 reports — was found to have fabricated or templated nearly 500 audit reports with nearly identical language. If Prescient Security delivered your SOC 2 report through Delve, your report integrity is in question. Full details: Are You a Prescient Security Client Who Got SOC 2 Through Delve?


Criterion 1: Separate Your Audit Function from Your Pentest Provider

One of the lessons from the Delve situation is the risk of consolidating compliance audit and security testing delivery through a single platform or provider ecosystem. When the same firm delivers your SOC 2 audit and your penetration test, the auditor is evaluating their own team's work — which is an independence concern that most audit standards acknowledge and most sophisticated buyers notice.

The cleaner model: use an accredited, independent CPA firm for your SOC 2 audit, and a specialized security-first firm for your penetration testing. Your auditor then reviews pentest evidence from an independent party — which is how it should work. This separation is standard practice at companies that have been through multiple compliance cycles and multiple customer security reviews.


Criterion 2: Ask Specifically About Manual Testing vs Automated Scanning

This is the most important quality question in any penetration test evaluation and the one most commonly obscured by vague scoping language. There is a significant difference between a provider who runs automated scanners (Nessus, Burp Suite in automated mode, Qualys) and delivers a report of the output, versus a provider who uses those tools as a starting point and then conducts substantive manual testing — multi-account authorization testing, business logic exploration, chained exploit development, custom attack path analysis.

Automated scanning catches known vulnerability patterns reliably and efficiently. Manual testing finds BOLA (broken object-level authorization), BFLA (broken function-level authorization), authentication logic flaws, race conditions, and attack chains that no scanner can identify, because each of them depends on understanding what the application is supposed to allow. The highest-severity findings in mature applications are almost always the result of manual testing, not automated scanning.

Ask any prospective provider: "How many hours of manual testing are included in this engagement, and what does the tester actually do manually beyond running tools?" If the answer is unclear or they can't distinguish their manual activities from their tool outputs, the engagement is likely predominantly automated.
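To make the manual-vs-automated distinction concrete, here is an added example (not Lorikeet Security's code or tooling) of the multi-account authorization check described above, run against a constructed in-memory API with a vulnerable endpoint beside its hardened form. The invoice data, session tokens, and handler names are all assumptions made up for the example; the point is that a scanner sees two HTTP 200 responses, while only a tester who knows which user owns which object can tell that one of them is a finding.

```python
# Added example: a minimal cross-account (BOLA) authorization check.
# All data below is constructed for the example.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which user owns which invoice.
INVOICES = {
    "inv-1001": {"owner": "alice", "total": 120.0},
    "inv-1002": {"owner": "alice", "total": 80.0},
    "inv-2001": {"owner": "bob", "total": 300.0},
}
# Constructed sessions: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_invoice(token: str, invoice_id: str) -> Response:
    """Authenticates the caller but never checks ownership (BOLA)."""
    if token not in SESSIONS:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    return Response(200, inv) if inv else Response(404)


def hardened_get_invoice(token: str, invoice_id: str) -> Response:
    """Same endpoint with an object-level ownership check."""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    # Return 404 rather than 403 so object existence is not leaked.
    if inv is None or inv["owner"] != user:
        return Response(404)
    return Response(200, inv)


def cross_account_findings(handler) -> list:
    """Try every session against every object it does NOT own.

    Returns sorted (user, invoice_id) pairs where access was wrongly
    granted. A scanner cannot do this: it needs the ownership map.
    """
    findings = []
    for token, user in SESSIONS.items():
        for inv_id, inv in INVOICES.items():
            if inv["owner"] != user and handler(token, inv_id).status == 200:
                findings.append((user, inv_id))
    return sorted(findings)
```

Running the check against the vulnerable handler lists every cross-account read it permits; the hardened handler yields an empty list while still serving each user their own invoices.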


Criterion 3: Evaluate Scope Practices

Scope determines what gets tested. A narrow scope — external perimeter only, single application, staging environment — can satisfy an auditor while leaving your actual risk surface entirely untested. The right scope for a meaningful pentest includes: production systems (not staging), the application and API your enterprise customers actually use, authentication and authorization mechanisms, admin interfaces, and recent features shipped since the last test.

Red flags in scope discussions: defaulting to staging, excluding the API "for a separate engagement," scoping out recently deployed features, excluding internal admin functionality, or proposing a test window so short that comprehensive manual testing is physically impossible.


Criterion 4: Real-Time Findings Access vs Report-at-the-End

Traditional penetration testing works like this: the assessment runs for one to two weeks, the firm writes a report, it's reviewed internally, and then delivered to the client four to six weeks after the engagement started. You're paying for a security assessment but not learning anything until it's over.

PTaaS (Penetration Testing as a Service) models — which Lorikeet Security uses — make findings available in a client portal as they are discovered. This means your engineering team can begin remediating critical findings during the assessment window, not six weeks later. It also means you can ask questions about specific findings while the tester has the context fresh. The transparency is better, and the remediation timeline is shorter.


Security Partner Evaluation Criteria Checklist

Manual vs automated testing
  What to ask / check: How many manual hours? What specifically do testers do manually?
  Red flag: Can't quantify or distinguish manual from tool output

Scope practices
  What to ask / check: Does scope include production? API? Auth mechanisms? Recent features?
  Red flag: Defaults to staging, excludes API, very short test window

Audit independence
  What to ask / check: Is your auditor independent from your pentest provider?
  Red flag: Same firm conducts both SOC 2 audit and pentest

Findings delivery
  What to ask / check: Real-time portal or end-of-engagement PDF?
  Red flag: Report only, delivered weeks after engagement ends

Remediation support
  What to ask / check: Do they help you fix findings or just report them?
  Red flag: Findings documented, no remediation guidance or support

References and industry experience
  What to ask / check: Can they provide references from similar-stage companies in your vertical?
  Red flag: Only enterprise references; no startup/mid-market experience

Pricing transparency
  What to ask / check: Is pricing published or available without a sales cycle?
  Red flag: Everything requires custom quotes with no guidance on ranges

Delve/compliance platform exposure
  What to ask / check: Was your prior provider connected to Delve for compliance delivery?
  Red flag: Prior reports delivered through Delve; verify integrity

Where Lorikeet Security Fits

Lorikeet Security is a strong fit if your priority is real security outcomes — genuine vulnerability discovery, real-time findings visibility, and security evidence that holds up in enterprise vendor reviews. Our PTaaS platform, transparent pricing, and startup-through-growth-stage packaging are designed for companies that have outgrown compliance theater but don't yet have the budget or justification for a legacy enterprise firm.

We're not a CPA audit firm and we don't do SOC 2 audits directly — if you need a new audit firm after the Delve situation, we can refer you to independent CPA firms we work with and respect. We provide the pentest evidence package that your independent auditor will review. This model maintains independence and gives you the best of both: a security-first firm testing your environment, and an independent auditor evaluating the results.

If you'd like to understand what a Lorikeet Security assessment would look like for your environment — scope, timeline, cost, and what the deliverables look like — a consultation takes 30 minutes and has no obligation.

Ready to evaluate Lorikeet Security as an alternative?

Talk to our team about your environment, compliance requirements, and what a security-first assessment looks like. No sales script — just an honest conversation about fit.

Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.
