Hiring a penetration tester: Guidelines for HR professionals


Penetration testing is the process of assessing an application or infrastructure for vulnerabilities through rigorous manual testing to exploit those vulnerabilities and circumvent or defeat the security features of system components.

Misconfiguration, insecure code, poorly designed architecture, or the disclosure of sensitive information, among other things, can lead to vulnerabilities. Penetration testing will uncover vulnerabilities that would not have been discovered otherwise, such as a vulnerability scan.

Penetration testing will also put a company’s cyber defenses to the test. It can be used to evaluate web application firewalls (WAF), intrusion detection systems (IDS), and intrusion prevention systems (IPS) (IPS). When a penetration test is running, these systems should generate alerts and trigger internal procedures, resulting in a response from the organization’s security operations teams.

Qualified internal resources or qualified third-party resources must perform an effective penetration test. The following guidelines may be useful when hiring a penetration tester (or team) to understand their qualifications to perform penetration testing.


Certifications by penetration testers can indicate a potential penetration tester’s or company’s skill level and competence. While these are not required certifications, they can indicate that the candidate has a common body of knowledge.

The following are some examples of common penetration testing certifications:

  • Global Information Assurance Certification (GIAC) Certifications (e.g., GIAC Certified Penetration Tester (GPEN), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) or GIAC Web Application Penetration Tester (GWAPT))
  • Offensive Security Certified Professional (OSCP)
  • CREST Penetration Testing Certifications
  • Certified Ethical Hacker (CEH)
  • Communication Electronic Security Group (CESG) IT Health Check Service (CHECK) certification


Certifications alone will not satisfy the requirements for appropriate penetration testing experience and qualifications. As a result, verification of additional criteria is required. Organizations should inquire about the penetration tester’s years of experience. Assume the penetration tester is in his or her first year of testing. In that case, the following questions should be carefully considered to ensure that the penetration tester has sufficient knowledge and is properly trained to conduct the penetration test. Examining the organization’s training and QA processes to ensure the penetration tester is qualified should also be considered.

Ask the following questions to assess the qualifications and competency of a penetration tester or team.

  • How many years has the organization been performing the penetration tests?
  • Does it have references from other customers?
  • Has the penetration tester conducted tests on organizations of comparable size and scope?

It’s critical to assess a tester’s ability to work in environments with high availability constraints, unstable system components, or large infrastructures (bandwidth constraints, time constraints, etc.). As a result, it’s important to consider the penetration tester’s or team’s experience with the technologies in the target environment ( such as operating systems, hardware, web applications, highly customized applications, network services, protocols, etc.).

When choosing a penetration tester, consider the tester’s previous testing experience with the organization for which he or she works, especially regarding technologies deployed in the target environment.

Even if a penetration tester hasn’t assessed against specific technologies, if he or she has managed, maintained, trained on, or developed those technologies, the tester may be qualified to perform the penetration test.

Consider the other skills/qualifications of the penetration tester to assist them in assessing the environment. Does the penetration tester have any industry-standard penetration testing certifications? What kind of network-layer penetration testing experience does the penetration tester have? Does the penetration tester have any application-layer penetration testing experience?

Along with seeking answers to the above questions, the interviewer should also discuss the organization’s network penetration testing efforts and the penetration tester’s familiarity with OWASP Top 10, other similar applications, standards, and examples of penetration testing efforts. All these may lead to identifying the best penetration tester (or team) for your company.