Apples, Pears, and Oranges: Not All Pentest Firms Are the Same

Penetration testing is not a commodity service. If you are a procurer of penetration tests and have ever received wildly different quotes for the "same" engagement, you've likely encountered this issue at some point. The truth is, not all pentesting firms follow the same methodology, level of depth, or ethics when it comes to their testing methodology. Some firms run a few automated scans, perhaps get a compromise or two, compile a templated report, and call it a day. Others, like TrustedSec, adhere to a framework such as the Penetration Testing Execution Standard (PTES).

The difference between a truly effective penetration test and a checkbox exercise comes down to methodology, technical expertise, ethics and depth of coverage. Let’s take a closer look at how PTES defines a penetration test, and where some firms cut corners.

The PTES Standard: A True Apples-to-Apples Comparison

PTES is a security framework that ensures a structured and repeatable approach to penetration testing. Established by cybersecurity experts in 2009, PTES provides organizations with clear guidelines to conduct effective penetration tests, aiming to identify and address security vulnerabilities systematically. It consists of seven phases:

1. Pre-Engagement Interactions: Defining scope, setting rules of engagement, and aligning business objectives with testing.
2. Intelligence Gathering: Conducting reconnaissance to understand an organization’s attack surface.
3. Threat Modeling: Identifying likely attack vectors based on assets, business operations, and adversary capabilities.
4. Vulnerability Analysis: Discovering security issues beyond automated scans.
5. Exploitation: Actively demonstrating exploitation to showcase risk.
6. Post-Exploitation: Privilege escalation, lateral movement, and persistence techniques
7. Reporting: Delivering actionable findings that go beyond just listing CVE scores

When you hire a pentest firm, you should be able to match their process against PTES. Many firms will claim to follow a methodology, but if they are skipping key elements of PTES, you're not getting an in depth penetration test.

Where Many Firms Fall Short

Pre-Engagement: Rushed Scoping Leads to Poor Results

Many security firms rush through the Pre-Engagement phase, offering generic assessments that pigeonhole clients into “Predefined Engagement Packages” without truly understanding the client’s actual security concerns, business risks, and operational challenges. This one-size-fits-all approach often leads to surface-level findings that fail to address the actual threats that organizations face. Without careful scoping, critical attack paths can be overlooked, security investments can be misaligned, and clients may be left with a false sense of security. At TrustedSec, we take a different approach, one that starts with listening. We engage with our clients to understand their specific pain points, industry challenges, and security priorities, ensuring our assessments align with what matters most to their organization. By tailoring each engagement to the client’s environment and technical landscape, we provide meaningful, actionable results that go beyond compliance checklists, helping organizations make informed decisions to strengthen their overall security posture.

Intelligence Gathering: OSINT and Reconnaissance Get Overlooked

Effective adversarial testing requires reconnaissance, intelligence gathering, and a true attacker's mindset. Our approach includes subdomain enumeration to identify forgotten assets, credential leak analysis to detect exposed login details from past data breaches, API secrets and other misconfigurations that expose organizational data. These steps are critical because real-world attackers don’t just rely on known CVEs. Many firms gloss over these critical steps in the test, which leads to assessment reports that fail to capture an organization’s true attack surface and business risk. TrustedSec ensures that every engagement is rooted in current attack methodologies, providing clients with actionable intelligence that reflects how threats actually operate in their environment.

Vulnerability Analysis: Scanners ≠ Manual Testing

Often times, even well-known penetration testing firms rely on a paint-by-numbers approach where testers simply follow the output of vulnerability scanners instead of using manual analysis and attacker intuition to uncover real issues. This results in engagements where the tester’s job becomes little more than confirming what automated tools have already identified, rather than independently discovering vulnerabilities, understanding how they relate to the environment, and identifying critical issues that automation alone would never catch. True penetration testing requires skill, experience, and creativity that goes beyond just interpreting scanner results. Real attackers don’t follow pre-defined checklists; they exploit misconfigurations, chain together multiple medium or low risk CVE’s, and take advantage of unique security gaps in each individual environment. When firms ignore this reality, they leave clients with a false sense of security and reports that lack real-world relevance.

TrustedSec consultants rely on technical knowledge and adversarial thinking to manually validate vulnerabilities, eliminate false positives, and uncover the kinds of deficiencies that are attractive to attackers. More importantly, we look beyond individual flaws and examine how they can be combined to create chained attacks that demonstrate how privilege escalation, lateral movement, and access to sensitive data could occur in a real compromise. This kind of manual, attacker-minded testing produces more accurate results, realistic adversary scenarios, and clearer insights into your organization's actual risk exposure.

Instead of handing over a templated report full of scanner output, TrustedSec delivers context-driven findings with clear risk explanations and practical, prioritized recommendations. Our goal is not just to identify technical issues but to help clients understand their impact and how to fix them in a way that improves overall security posture. This blend of technical depth and strategic guidance makes our engagements valuable long after the assessment is complete.

Exploitation: No Exploit Policy? No, Thanks.

Some penetration testing firms choose to avoid exploitation entirely, often citing concerns around system stability, risk, or internal policy. While it's important to protect client environments and exercise caution, refusing to perform exploitation fundamentally limits the value of the assessment. Identifying a vulnerability without proving its impact leaves a significant gap in understanding. How can you accurately assess risk if you don’t know what an attacker could actually impact with that vulnerability? Simply reporting that an issue exists without demonstrating its potential consequences can result in security teams deprioritizing findings due to insufficient context on real-world impact.

At TrustedSec, we believe exploitation is an essential part of meaningful penetration testing. Our team performs controlled, targeted exploitation in a safe and deliberate manner, designed to mirror the actions of real-world attackers without disrupting business operations. This might include showing how a low-severity vulnerability could be chained with other weaknesses to gain access to sensitive data, escalate privileges, or move laterally through the environment. In many cases, the path to compromise isn’t obvious until exploitation reveals the true reach of an attacker.

Exploitation provides critical context. It turns theoretical vulnerabilities into tangible threats that clients can understand, prioritize, and remediate effectively. By proving what's possible, we help organizations make informed security decisions based on evidence, not assumptions.

Post-Exploitation: "Got Shell" is Not Enough

For some firms, the engagement is complete the moment they “get a shell” on a system, as if simply gaining initial access is the ultimate goal. In reality, that’s just the beginning. A true penetration test doesn’t stop at demonstrating access to a single system; it goes further to evaluate what an attacker could do next. Can they escalate privileges? Can they move laterally to other systems? or compromise Active Directory? Is there a path to persistent access in the cloud environment? Can business data be exfiltrated without detection? These are the questions that define true risk. Unfortunately, they often go unanswered if a firm stops at initial access.

Post-exploitation is where the real value of a penetration test emerges. Once access is established, TrustedSec takes a controlled and methodical approach to emulate what an attacker would do after breaching the perimeter. This includes mapping trust relationships, identifying privilege escalation paths, testing for lateral movement opportunities, and attempting to access data that matters to the business. We examine both on-premises and cloud infrastructure to evaluate persistence techniques, identity compromise, and overall susceptibility to compromise. Our approach helps clients understand not just how an attacker gets in, but what the consequences could be if they’re not detected.

By going beyond the initial compromise and assessing the full scope of impact, we provide clarity into what a real breach would look like in your environment. The result is a results-focused, narrative-driven report that helps prioritize remediation based on actual business impact, not just technical severity.

Reporting: Templated PDFs Don’t Help You Secure Anything

A penetration test deliverable is the bridge between technical findings and gaining support and visibility from management to make security improvements that matter. Too often, firms deliver templated outputs that list issues without context, leaving internal teams to decipher what matters and how to fix it. Our reports are designed to be both technically thorough and easily digestible by various stakeholders, from security engineers to executives.

Each report includes detailed attack paths that show how vulnerabilities were discovered and exploited, connecting the dots between seemingly minor issues and larger, systemic risk. We provide clear, real-world impact assessments that describe how the findings affect your business operations, brand reputation, or data security. This way, you’re not just seeing what’s broken, but why it matters. Most importantly, every report includes practical, step-by-step remediation guidance, tailored to your environment, that your security team can take immediate action on. Whether it’s misconfigurations, patching gaps, or access control issues, we help you understand the “how” and “why” behind each finding. TrustedSec’s reports are designed to drive outcomes, not just document problems. Our ultimate goal isn’t just to find vulnerabilities, it’s to help you reduce risk in a way that aligns with your business.

Demand More from Your Pentest Firm

If your pentest provider is not following a structured methodology like PTES, you are not getting an apples-to-apples comparison of what a real pentest should be. TrustedSec doesn’t cut corners. We ensure every engagement follows industry-recognized standards, with seasoned consultants performing real-world attack simulations, not just running tools.

Before signing off on a penetration test, ask your provider:

• Do you follow PTES or another structured methodology?
• How do you approach intelligence gathering beyond scanning?
• Do you perform real exploitation, or just stop at vulnerability identification?
• What does post-exploitation look like? Do you evaluate business impact?
• Will the final report provide more than just a list of vulnerabilities?

If they can’t answer those questions with confidence, they probably aren’t delivering a real pentest.

At TrustedSec, penetration testing is about security, not just compliance. If you're ready to see the difference a real engagement can make, reach out to us. Because when it comes to pentesting, you deserve more than a checkbox.