AUTHOR: MATT WILSON

Whether you’re a small business working through a client security requirement or an IT leader trying to mature your security posture, you’ve probably had to engage an outside vendor. Maybe for a penetration test. Maybe some form of security assessment. Maybe because your client threw a questionnaire at you on a Friday with a Tuesday due date and you needed help fast.

There’s no shortage of security vendors out there, all promising the same thing: “We keep your business safe.” You'll also hear the phrase "we want to be your trusted partner" quite a bit. As a consumer, your challenge is this: some absolutely can deliver (great!); others… well, let’s just say they’re better at marketing than they are at assessing risk.

If you’re not sure how to separate the professionals from the rest, here are some qualities to look for (and a few red flags to watch out for).

What Good Security Vendors Do

Ask meaningful questions before giving a price

Some cybersecurity services and solutions have a simple pricing structure that is easy to communicate and understand. However, jumping to pricing without understanding your environment, scope, goals, or constraints? Red flag. Good vendors want to understand the problem you’re trying to solve, not just how much you’re willing to pay to solve it. And a top-tier vendor? They'll listen to you communicate the problem you're trying to solve, and where appropriate, introduce helpful alternatives and/or additional options your organization may not have yet considered.

Quality vendors will ask about your environment, users, regulatory drivers, timelines, and even your internal cybersecurity capabilities. Why? Because context matters, and good security work isn’t one-size-fits-all.

Explain who they are and what they can do, at the right audience level

Whether it’s a penetration test, a virtual CISO engagement, or a tabletop exercise, your vendor should be able to explain their methodology in plain language. No hand-waving. No vague “trust us” answers. Even well-trodden concepts like Penetration Testing and Security Assessments still have highly variable interpretations between vendors (some still call a vulnerability scan a "penetration test"… yikes). Be open to the vendor's description of who they are and of the key elements and activities of their methodology. This is where you learn if they're deeply experienced or just moonlighting as InfoSec consultants.

After a focused conversation, you should understand:

  • What they’re doing, beyond technical jargon
  • How they’re doing it
  • What you’ll get at the end
  • What you’re expected to do along the way

After speaking to a few vendors, you'll likely hear similar explanations for their respective services. Focus on what differs, and what you didn't hear from Vendor A versus Vendor B. Good vendors welcome questions like, "Vendor A includes XYZ, do you? If not, why?"

They focus on outcomes, not just deliverables

While a shiny PDF with a laundry-list of findings and recommendations often closes out the engagement as the final deliverable, your end goal isn't just a document; it's the maturation of your cybersecurity program. Good vendors provide human-readable, comprehensive deliverables that look beyond individual findings. Quality vendors highlight the underlying root causes of your risk along with the high-value priorities for you to action: what's immediate? what's mid-term? what's long-term? When everything is "critical," nothing is. Capable vendors provide a recommended path and stay available for questions along the way. Your business must ultimately decide how to navigate the path, but it starts with a useful report.

Find the vendor that earns the "trusted partner" label by driving better cybersecurity outcomes in your environment.

They right-size their findings and recommendations

Each organization, in many ways, is a "special unicorn" of business goals, challenges, personnel, and culture. Yes, there's a lot that makes them unique. However, many Information Security principles apply whether you're large or small, whether your InfoSec program is inexperienced or mature, and regardless of industry vertical. Your "specialness" matters, but so do the InfoSec fundamentals.

Quality vendors find the nuance in those principles and clearly communicate how it applies to your organization. What may make sense for "Big Company" may or may not fit your organization. Aligning the findings and recommendations to the risk tolerance of the organization is an art, something good vendors do with ease. This is less "I'm too small to do that" and more "How do organizations like me address this?" An experienced provider will have answers.

What Less-Effective Security Vendors Do

They lead with FUD (Fear, Uncertainty, and Doubt)

Much of the cybersecurity marketing content exploits the natural human tendency to fear the unknown. "Buy this solution or the bad guys will get in" or "The ONLY way to stop an attack is with Acme Company's endpoint tool." Capable and mature Information Security professionals speak in terms of risk, because an outcome is rarely assured in one direction or the other. The reality is that cybersecurity is a dynamic, continuous process, and your vendor(s) should be helping you move your program forward… sometimes by an inch or two, and sometimes a few feet at a time, but never as a one-and-done transaction.

Flashy marketing materials with scary words might sell products, but that’s not how good partners operate. You want a vendor who brings calm, credibility, and a clear path forward, not one who tries to scare you into buying more.

They can't show you a sample report or cite recent engagements

Vendors that regularly deliver cybersecurity services also pretty frequently get asked for sample reports (at SEVN-X, we perform over 100 Penetration Tests a year). Providing a sample (redacted or otherwise sanitized) should be straightforward. If all they offer is a vague overview or a marketing slick, you should be asking why.

Similarly, asking for reference client contacts should be expected and welcomed. When a vendor delivers quality work, they should have more than a handful of existing clients happy to share their experience. You should talk to references and ask why they use your potential new vendor.

They can't explain their findings, risk ratings, or recommendations

Anyone can copy-paste content out of a vulnerability scanner or other assessment tool, but unfortunately that language rarely feels human-readable. Findings, especially technical findings, often contain jargon (albeit sometimes necessary) to speak accurately about what the issue is. However, as someone who wants to fix the issue, you should understand what the finding means to properly evaluate the risk and impact to your organization.

A quick example: simply stating that a server is missing the "Critical" MS08-067 patch is an accurate finding. However, having the context of "if you don't apply this patch, an adversary can immediately gain elevated access to your environment and do whatever they want" enables better prioritization of remediation tasks.

Choosing the Right Partner

Here’s the thing: there’s no perfect vendor. It's a service business staffed by humans. When every vendor states "we have the best people" and every Penetration Test explanation sounds similar, it's exceedingly difficult as a consumer to know which vendor-speak is accurate, let alone which capabilities, services, solutions, and jargon actually matter. Doubly so if you've never done a Penetration Test or Security Assessment, or otherwise had to engage a third party for security services.

Listen for a vendor that makes you comfortable and don't be afraid to ask questions. A good vendor will take the time to explain (maybe even over-explain) everything to address your concerns. There's no such thing as a bad question. Ask it.

So when evaluating a security vendor, ask:

  • Did they try to understand my business and my needs/goals?
  • Are they transparent about scope, cost, and effort?
  • Did they educate and empower, not just market?
  • Will they still pick up the phone after the project is over?

Security is a long game (without end), and the right vendor will help you build smarter strategies, not just sell you a service.

Looking for a vendor who checks these boxes? Let’s talk. Or at least let us show you what “helpful” actually looks like.