Pentest provider: How do you find a reputable service provider for your company?

10. July 2025
Looking to conduct a penetration test? Here’s how to find the right provider for your business

Does your company’s IT security really deserve its name? You have two options: Either you leave it to cyber criminals to find security vulnerabilities. Or you can be proactive and hire a pentest provider to put your IT security to the test. 

With 1,577 cyber attacks reported to Switzerland’s National Cyber Security Center (NCSC) in a single week in April 2025, that might not be the worst idea. But with such a wide range on offer, how can you tell which pentest service provider is actually qualified? This guide covers the key selection criteria and everything else you need to know about the cost, duration and procedure of pentests.

How do you choose the right pentest provider?

A good pentest service means that potential vulnerabilities in your systems are located with absolute reliability and you receive a comprehensive security assessment. On this solid basis, your IT department or external IT partner can then address and eliminate any risks in a targeted manner. There are a few important selection criteria for pentest providers that you should take into account to ensure this:

1. Sufficient experience & a good track record

Like any specialist, a good pentesting provider should have experience – but also check whether they have already successfully carried out sophisticated penetration tests and ask to see examples. Positive customer reviews that attest to the pentesting provider’s competence and reliability also speak for themselves.

One sign that a service provider is technically up to date (keyword: AI) is that they actively use AI tools in their own work and perhaps even develop software themselves.

2. Extensive expertise in cyber security & IT infrastructure

There are certifications that prove that a pentest provider is not satisfied with mediocrity. These include the BACS certification in Switzerland or the BSI certification in Germany.

However, certificates for pentest services are not everything: deep insights into a company’s IT infrastructure and software applications are just as important. This helps the pentest provider to optimize the type and scope of the test.

3. Individual consulting & reliable organization

IT security and software security are individual to each company. The same applies to penetration tests. A service provider should already ask detailed questions about your IT infrastructure during the quotation process. This should be followed by a detailed consultation in which a reputable pentest provider asks you questions such as:

  • What information and results do you want to receive?
  • How aggressively should the pentest be carried out?
  • And how much transparency do you want in the analysis?

In addition, the provider should give you a structured process for the pentest service and clearly agree the schedule, contact persons, etc. with you.

4. Clearly defined scope & transparent pricing

A qualified pentest provider adapts the scope and effort of the pentest to the IT infrastructure to be tested and chooses a clearly defined implementation format. The process should be based on the individual protection requirements of your systems and be individually designed – off-the-shelf solutions usually cannot offer this.

Penetration tests are no exception to the general rule: the cheapest provider does not necessarily offer the best service. Seemingly “cheap” prices can cost you dearly if you end up with ransomware encrypting your systems and extortion letters in your inbox. What you should always expect from reputable service providers in any price category, however, is transparent pricing and a reliable offer.

5. Comprehensive documentation

To ensure that you can actually put a stop to cyber criminals with the help of a pentest, the vulnerabilities and security risks discovered in your IT infrastructure must be fully and comprehensively documented. Only then can you take appropriate measures. A reputable pentest provider will provide you with a detailed presentation afterwards or draw up recommendations for action in various versions for management and the IT department.

For Riwers, as a software development partner, cybersecurity is a top priority. We carry out pentests in collaboration with a certified pentest provider (in accordance with OWASP, OSSTMM and ISO 27002). Would you like to find out more about our pentest services?

How much does a pentest cost?

The cost of a pentest depends on various factors such as the scope and complexity of the pentest. License fees for scanning tools and any effort required for retesting also influence the overall price. A solid pentest for a simple network or web application (2 to 5 days’ work) is offered from around 5,000 euros.

How long does a pentest take?

The duration of a pentest depends, among other things, on the size of the network, the complexity of the application and whether it is carried out internally or externally. Another decisive factor is whether network information and user login information are available to the pentest provider in advance. Depending on the scope, a pentest can be carried out in one day, but can also take a few weeks.

What types of pentests are there?

In order to uncover potential gaps or vulnerabilities in IT security, a pentest provider carries out a structured attack on software applications or IT systems. The pentest service specialists use the same techniques as real cyber criminals. The details of the implementation concept are based on various criteria:

How much information is available to the pentest provider? 

If the provider only knows the target address, it is a black-box test. In contrast, a white-box test simulates an attack in which the attacker has extensive information about hardware and software as well as internal IP addresses. The most common type is the grey-box test, in which the pentester starts with some information and determines further data independently.

What techniques and tools does the pentest provider use?

This depends on which infrastructure is to be tested:

  • In an IT infrastructure penetration test, servers, firewalls, WLAN networks and VPN access are checked for security vulnerabilities.
  • A web application penetration test examines the security of websites, web stores and customer management portals.
  • Application or API tests are used for software applications and programming interfaces.
  • When extending pentests with red teaming scenarios, security risks from social engineering (i.e. the skillful manipulation of people) are also checked.

Differentiation by starting point

In an external pentest, the testers simulate an attack on areas that are accessible from the Internet. In order to then penetrate further into your company’s IT infrastructure, they have to find their way around the internal structures unprepared.

For an internal penetration test, the testers assume a scenario in which the attackers already have access to the internal IT infrastructure following successful phishing or the introduction of malware. It is therefore a risk assessment in the event that the worst-case scenario does occur.

This is how it works: the 5 phases of a pentest

In principle, it makes sense to schedule penetration tests on an annual basis or to commission one whenever there has been a significant change in the IT infrastructure. The process can be broken down into 5 phases:

  1. Preparation: Before the test begins, the pentest provider is given access to the relevant test areas (documents, login information, URLs, etc.) and checks and confirms that they work as expected.
  2. Information gathering: The pentest provider obtains precise information about the systems to be tested and prepares the relevant test tools.
  3. Actual penetration test: The provider carries out the test comprehensively or according to the agreed order.
  4. Final report: The report is first validated by the pentest provider’s own team.
  5. Presentation of the test results: The final report is presented with recommendations, and the customer has the opportunity to ask questions.

Also a good idea: If you implement measures or make changes after the pentest, we recommend that you validate them in a subsequent test.

The right pentest provider detects security gaps before hackers do!

Hire a pentest provider – yes or no? There is really only one answer to the dramatic increase in cyberattacks: make sure you hire a good pentest provider. Here is an overview of the most important criteria: 

  • Look for expertise (certifications, qualified publications or positive customer experiences)
  • Pentest services individually adapted to the IT infrastructure to be tested with a clearly structured procedure
  • Sound documentation of the test results with specific recommendations for action

Would you like to find out more about how you can proactively stand up to cyber criminals with a reputable pentest provider at your side?

Don’t hesitate to contact us. Together we will find the perfect solution for your company.