nexalign

Decision guide · Penetration Testing

Choosing a pentest vendor: TLPT, red team, classical pentest

Penetration testing is not a homogeneous market. TLPT, red-team operations, web-app pentest, cloud pentest, hardware pentest, social engineering and adversary simulation are different disciplines with different tester profiles, tooling and deliverables.

TL;DR

Define the discipline first, then pick the vendor. TLPT needs demonstrable TIBER-EU experience; a red team needs its own C2 capability rather than a rebadged vulnerability scan.

Who owns this decision

The CISO owns the decision. For TLPT, Compliance and Internal Audit sit in the steering group.

Key criteria to weight

  • Discipline specialisation

TLPT vendors are not necessarily good web-app testers, and vice versa. Ask for references in the discipline you are buying, not for the vendor's overall portfolio.

  • Tester qualification

OSCP, OSEP, CRT, GIAC GXPN, GCFA. Treat these as minimum filters, not as a gold standard; ask for the named testers who will actually do the work and for a redacted sample report.

  • Methodology

TIBER-EU for TLPT, NIST SP 800-115 for general test planning and execution, OWASP WSTG for web applications, MITRE ATT&CK for mapping red-team TTPs.

  • EU sovereignty and data handling

Findings and evidence must not flow to US platforms. Ask where the vendor's reporting portal, ticketing and file exchange are hosted and which sub-processors are involved.

  • Escalation and confidentiality path

For critical findings the communication path must be clear before testing starts: whom the vendor calls, over which channel, and within what time, rather than waiting for the final report.

  • Report depth and reproducibility

A proof of concept and step-by-step reproduction for every finding, a technical severity plus a business-language risk rating, and a format the internal teams can re-run after remediation.

Step-by-step decision flow

  1. Scope and discipline

    What exactly is to be tested? Web app, cloud, internal network, Active Directory, red team, TLPT? Fix the discipline before talking to vendors.

  2. Vendor longlist per discipline

    TLPT: NCC Group, WithSecure, KPMG, Deloitte, EY, Mandiant. Web app / cloud: Cure53, SySS, secunet, NVISO, Bishop Fox. DACH: cirosec, ERNW, Compass Security.

  3. Methodology review

    Which methodology does the vendor follow? Which tools, which report structure, which re-test terms? Ask for a redacted sample report from the same discipline.

  4. Contract clauses

    Confidentiality, data sovereignty, GDPR Art. 28 DPA, re-test inclusion, findings ownership, written authorisation and rules of engagement.

  5. Memo, commission, test, report

    Decision memo with the vendor pick, a signed engagement letter and an agreed testing window with emergency-stop contacts on both sides.

Compliance note

DORA Art. 24-27 (TLPT at least every 3 years for the financial entities designated under Art. 26), NIS2 Art. 21(2)(f), ISO/IEC 27001 A.12.7 and A.18.2 (2013 numbering; renumbered in the 2022 edition), BAIT BTO 5.

Common pitfalls

  • A web-app pentest is commissioned although a red-team use case is meant. Wrong methodology, wrong result.
  • TLPT commissioned from a vendor without TIBER-EU experience. BaFin does not accept that.
  • Findings land in US SaaS platforms without an EU DPA.
  • Re-test not fixed in the contract. Later upcharge.

FAQ

What exactly is TLPT?

Threat-Led Penetration Testing under DORA Art. 26-27, methodologically aligned with TIBER-EU. Threat-intelligence-driven scenarios, tests run against production systems, and strict separation between the control team on the customer side and the defenders, who are not told the test is running. Mandatory at least every 3 years for financial entities designated as significant by their competent authority.

What does a pentest cost?

Web app pentest 8-25 k EUR. Cloud pentest 15-40 k EUR. Red team 60-200 k EUR. TLPT 200-700 k EUR plus internal effort.

How often should you pentest?

Web apps: every major release, at least yearly. Cloud: annually. AD / internal network: annually. Red team: every 1-2 years. TLPT: at least every 3 years.