Guide

How to Get a Penetration Test.

The actual procurement path, step by step, from the call that defines scope to the retest that closes findings out. Written for the person who has to buy one, not the person selling it.

Answer first

Getting a penetration test is a seven-step path: define your scope and the reason you need the test, build a short vendor list, request written proposals, take a scoping call with the operator who will actually run the work, run the engagement, sit the report and readout, then remediate and retest. From the first call to a final report is usually four to eight weeks, most of which is scheduling and remediation rather than testing. The single decision that determines the quality of everything downstream is step four: whether the person scoping your engagement is the person who will run it. Everything below is how to walk the path without getting routed into a commodity engagement you did not mean to buy.

Step 1. Define your scope and your driver

Before you contact anyone, write down two things: what you want tested, and why you are testing it now. The "why" is not a formality. A SOC 2 or PCI deadline, an M&A diligence request, a board mandate, a customer security questionnaire, and a genuine "we think we have exposure" each point at a different scope, a different depth, and a different report. A compliance-driven test that has to satisfy an auditor is a different engagement from a red team built to answer "could someone actually get to our crown jewels." Name the driver and the scope follows.

What to write down before the first call: the applications, environments, and networks in scope; the compliance framework if there is one; whether you need a report an auditor will accept; and your hard date, if you have one. If you only have a rough idea, that is fine. A good vendor will tighten the scope with you on the scoping call. A vendor that scopes you blind off a web form is telling you something.

Operator Note

Watch for

Anyone who quotes a firm price before they understand your scope is quoting a template, not your environment.

Step 2. Build a two or three vendor shortlist

Three vendors is the right number. Two does not give you signal to compare; five wastes everyone's calendar, including yours. You are not looking for the most logos on a homepage. You are looking for firms whose public, named people take positions you can read and disagree with, because a firm whose only public voice is a marketing team has nothing to defend when the work gets hard.

Pull your shortlist from people who do the work in the open, referrals from peers who have actually been through an engagement, and firms whose published positions match the depth you need. If you want to compare named firms head to head, the seven side-by-side reads under /compare cover the largest offensive shops in the market on the dimensions that separate them.

Step 3. Request written proposals

Send the same scope to all three and ask for the proposal in writing. The fastest way to surface a vendor's real position is to send the twelve-question checklist and require written answers. If they will not commit in writing, that is the answer.

Read each proposal for four things specifically: who the named delivery operator is (not the named sales contact); whether the retest is unlimited and untimed or itemized and metered; what the artifact destruction policy is, in days, with a written attestation; and whether the price is fixed post-scoping or an hourly estimate that can drift. A proposal that names the operator, commits the retest policy, and fixes the fee is a proposal you can actually compare.

Operator Note

Watch for

A "platform" or a portal login offered as the primary deliverable instead of a report. The report is the deliverable. The platform is the upsell.

Step 4. Take a scoping call with the operator

This is the step that decides the engagement. Insist that the person on the scoping call is the senior operator who will run the test, not a sales engineer who hands you off after signature. A scoping call is a technical conversation: the operator is pressure-testing your scope, surfacing the attack surface you forgot to mention, and telling you where the real risk probably sits. A sales call is a commercial conversation about price and timeline. You need both, but if you never speak to the operator before you sign, you are buying a name on a cover and getting a bench you have never met.

At Alacrinet this is not an upgrade. The senior operator who scopes the engagement is the one who runs it. There is no junior bench staffed to senior names.

Step 5. Run the engagement

Once the SOW is signed and access is arranged, the operator runs the test. A real manual engagement is not a scanner pointed at your perimeter with the output pasted into a template. It is a senior operator chaining findings from first foothold to business impact, by hand, validating every result so you are not handed a wall of false positives to triage.

What you should expect during the engagement: a defined start and end, a clear line of communication to the operator, and immediate escalation if something critical and exploitable is found rather than a surprise at the readout. At Alacrinet the standard is that critical findings are flagged within 24 hours (a < 24hr Critical Finding SLA). You should not learn about a live, exploitable hole for the first time when the report lands.

Step 6. Sit the report and the readout

A penetration test is only as useful as the report it produces and the conversation that explains it. The report should give you each finding with reproduction steps, real business impact rather than a raw CVSS dump, and remediation guidance an engineer can act on. The readout is where the operator walks your team and your leadership through what was found, what it means, and what to fix first.

Two things to weigh here. First, the report is the product, so read a sample before you sign, not after. Second, a firm that publishes no case studies is not hiding weak work; for many serious offensive firms, including Alacrinet, declining to turn client engagements into marketing is a deliberate confidentiality stance. Judge the report quality from a sanitized sample and from references on request, not from a logo wall.

Step 7. Remediate and retest

You fix what was found, then the operator validates the fixes. This is where a lot of buyers get quietly charged twice. Confirm before you sign whether retest is included or billed per finding. Per-finding retest charges create a perverse incentive and turn remediation into a metered transaction.

At Alacrinet, remediation validation is unlimited and untimed on every engagement. You remediate, the operator confirms the fix actually closed the hole, and you get a clean record for your auditor or your board. That closes the loop the test opened.

How long does it take

Plan for four to eight weeks from first call to final report for a typical mid-market engagement, and budget more for a large multi-environment or red team scope. The testing window itself is often the shortest part. Scheduling the engagement, arranging environment access, and the remediation-and-retest cycle usually take longer than the active testing. If you have a hard compliance date, work backward from it and start the vendor conversations earlier than feels necessary, because the scoping call and proposal cycle alone can eat a week or two.

Operator Note

What you need before you start

Your in-scope assets listed; your compliance driver named, if any; a technical point of contact who can arrange access; and, if there is a deadline, the date in writing. That is enough to take a real scoping call.

Frequently Asked Questions

Q1 How long does it take to get a pentest scheduled?

From the first call to a final report is usually four to eight weeks for a mid-market engagement, and longer for large multi-environment or red team work. Most of that time is scheduling, environment access, and the remediation-and-retest cycle rather than the active testing window. If you have a hard compliance date, start the vendor conversations earlier than feels necessary.

Q2 What do I need to provide before a pentest?

A list of the assets in scope, the compliance driver if there is one, a technical point of contact who can arrange access, and your deadline if you have a fixed one. You do not need a perfectly defined scope going in; a good operator will tighten it with you on the scoping call. A vendor that scopes you entirely off a web form, with no operator conversation, is a flag.

Q3 How much does a penetration test cost?

A manual, operator-led US penetration test in 2026 runs from about $12K for a small focused web app to $150K and up for a multi-environment, multi-vector engagement, with mid-market web app work landing in the $25K to $60K band and red team engagements starting near $75K. The full breakdown of what moves a number inside those ranges is in what a penetration test costs in 2026 (/guides/what-a-pentest-costs-in-2026).

Q4 What is the difference between a scoping call and a sales call?

A scoping call is a technical conversation with the operator who will run the test, pressure-testing your scope and surfacing attack surface you may have missed. A sales call is a commercial conversation about price and timeline, usually with a sales engineer who hands you off after signature. You need both, but if you never speak to the delivery operator before you sign, you are buying a name on a cover.

Q5 Do I need a penetration test for SOC 2?

SOC 2 does not name "penetration test" as a hard line item, but most auditors expect one as evidence for the relevant criteria, and many customer security reviews demand it outright. The framework-by-framework detail is on the compliance pages; see SOC 2 (/compliance/soc-2) for what an auditor actually expects.

Q6 Can I get a pentest fast if I am up against a deadline?

Sometimes, depending on operator availability and scope, but compressing the timeline usually compresses the remediation-and-retest window, not the testing. The better move is to start the conversation early. A firm that promises a deep manual engagement on an unrealistically short turnaround is either descoping quietly or routing the work somewhere the timeline does support.
