BIPI

Five Questions to Ask Before You Buy a Pentest

Cybersecurity


By Arjun Raghavan, Security & Systems Lead, BIPI · January 22, 2026 · 6 min read

#penetration-testing #procurement #security-program

Most pentests produce a PDF that sits in a drawer. A year later the organisation buys another one, and that one sits in the drawer next to the first. The finding counts might be different. The pages might be different. Very little else changes.

The problem isn't the testing. The problem is how pentests get procured. Here are five questions we ask every vendor before signing.

1. What is in scope, really?

Scope is where most engagements fail before they start. 'Web application pentest of app.example.com' looks clear until you ask. Does that include the admin portal at admin.example.com? The mobile app that hits the same backend? The third-party auth server? The internal API that the web app calls?

A vendor who quotes a fixed price off a one-line scope is going to under-deliver. Expect a written scope document that lists every URL, every API endpoint, every authenticated role, and every assumption about what is out of scope. If the vendor hasn't thought about scope before quoting, they haven't planned the engagement.
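A written scope only helps if someone checks targets against it. The scope guard below is an added illustration, not BIPI's tooling or a vendor's: it takes a constructed scope document for the fictional app.example.com engagement (hostnames, a subdomain wildcard, a CIDR range and an explicit exclusion for the third-party auth server) and sorts the hosts the web app was observed calling into in-scope, out-of-scope and, separately, unlisted. The unlisted bucket is the point of the exercise: those are the assets nobody wrote down, and they are what to raise with the vendor before the quote is accepted. All hostnames and addresses are constructed.

```python
"""Scope guard for a pentest scope document.

Hypothetical helper written for this article; the scope and the observed
hosts below are constructed examples, not data from a real engagement.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    # Exact hostnames, "*.domain" wildcards (subdomains only, never the apex)
    # or CIDR ranges such as "10.0.5.0/24".
    in_scope: list[str]
    # Explicit exclusions; an exclusion always wins over an in_scope match.
    out_of_scope: list[str] = field(default_factory=list)


def _target_host(target: str) -> str:
    """Extract the host from a URL or a bare 'host[:port]' string."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat the string as a netloc
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"cannot parse host from {target!r}")
    return host.lower()


def _matches(host: str, pattern: str) -> bool:
    """True if host falls under one scope pattern."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # "*.api.example.com" covers x.api.example.com but not api.example.com
        return host.endswith(pattern[1:]) and host != pattern[2:]
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # a hostname never matches a CIDR pattern
    return host == pattern


def classify(target: str, scope: Scope) -> str:
    """Return 'in-scope', 'out-of-scope' or 'unlisted'.

    'unlisted' is kept distinct from 'out-of-scope': it marks an asset the
    scope document never mentions, which is the gap to close before testing.
    """
    host = _target_host(target)
    if any(_matches(host, p) for p in scope.out_of_scope):
        return "out-of-scope"
    if any(_matches(host, p) for p in scope.in_scope):
        return "in-scope"
    return "unlisted"


def review(targets: list[str], scope: Scope) -> dict[str, list[str]]:
    """Group candidate targets by classification for the kickoff call."""
    groups: dict[str, list[str]] = {"in-scope": [], "out-of-scope": [], "unlisted": []}
    for t in targets:
        groups[classify(t, scope)].append(t)
    return groups


# Constructed scope document for the fictional app.example.com engagement.
SAMPLE_SCOPE = Scope(
    in_scope=["app.example.com", "admin.example.com", "*.api.example.com", "10.0.5.0/24"],
    out_of_scope=["auth.example.com"],  # third-party identity provider, excluded
)

# Constructed list of hosts the web application was observed calling.
OBSERVED = [
    "https://app.example.com/login",
    "https://admin.example.com/",
    "https://internal.api.example.com/v2/users",
    "https://api.example.com/",             # apex; the wildcard does not cover it
    "https://auth.example.com/oauth/token",
    "http://10.0.5.17:8080/healthz",
    "https://mobile-gw.example.net/",       # nobody mentioned this one
]

if __name__ == "__main__":
    for bucket, hosts in review(OBSERVED, SAMPLE_SCOPE).items():
        print(f"{bucket}:")
        for h in hosts:
            print(f"  {h}")
```

Run it with the observed host list from the kickoff walkthrough; anything that lands in "unlisted" goes back into the scope document as either in or out, in writing, before the price is agreed.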

2. Who is on the team, and where are they based?

Pentest quality is a function of the humans doing the work, not the brand name on the proposal. A good vendor will tell you, in writing, the names and OSCP or CREST certifications of the testers assigned to your engagement. They will tell you where those testers are based. They will tell you whether your engagement will be delivered by the senior names in the pitch deck or by a junior team billing at senior rates.

If the sales call is with a director, ask for a call with the lead tester before the contract is signed. Any vendor that refuses that is selling you a logo.

3. What methodology?

'We follow OWASP' is not a methodology. It is a reading list. Ask specifically. What is your testing playbook for this engagement type? For a web app test, that should include at minimum authenticated and unauthenticated scans, manual business logic testing, session handling analysis, and input validation across every role. For an API test, it should include schema-based fuzzing, auth bypass attempts, and rate-limit probing.

Ask for a sample playbook from a past similar engagement, with sensitive data redacted. Vendors that are proud of their methodology will share it.

4. What does retest look like?

The moment the report is delivered, the engagement is half over. A finding you don't retest is a finding you haven't fixed. Ask upfront. What is included in retest? How many rounds? How long do we have to fix before the retest window closes? Is the retest free or an add-on?

The healthiest vendors include one round of retest in the base price and bill for subsequent rounds. Vendors who charge per retest without including at least one are telling you they optimise for the initial engagement, not the outcome.

5. What does the deliverable actually look like?

Ask to see a redacted past report. Look for an executive summary under two pages, findings organised by severity, each finding with proof-of-concept, reproduction steps, CVSS, and remediation guidance. Look for attacker narrative sections that walk you through what a full chain looked like, not just a flat list of CVEs.

Reports that are 80 pages of auto-generated scanner output with a human-written cover letter are a tell. Reports that have a short executive layer, a medium technical layer, and a reproduction-quality proof layer are what you actually want.

The same scope, tested by two different teams, will produce wildly different outputs. Ask these five questions early and you will filter out the bottom half of the market before you waste budget.

Closing

Pentests are not a commodity. The output is a direct function of the people, the scope, and the methodology. Treat procurement like you would a hiring loop. Ask specific questions, ask for artefacts, and demand a conversation with the people doing the work. The difference between a great pentest and a mediocre one shows up in the first 20 minutes of that conversation.

Read more field notes, explore our services, or get in touch at info@bipi.in.