
10 Questions to Ask Continuous Penetration Testing Vendors Before Signing

Vendor sales pitches all sound alike. These 10 questions surface the real differences between continuous penetration testing providers.

Fix My Code Engineering, Senior Security Engineers (expert-reviewed)

Reviewed by senior penetration testers and secure engineering practitioners with a combined 40+ years of experience auditing SaaS, fintech, and healthcare applications.


The PTaaS / continuous pentest market has exploded. Every vendor claims "real engineers," "continuous coverage," and "actionable findings," and most pitches are indistinguishable. These 10 questions separate the vendors that deliver from the ones that only pitch.

1. Who personally writes the findings?

Why it matters. Many vendors sell senior expertise but staff with juniors. Get the actual name and seniority of the engineer assigned to your account.

Good answer. "Your account lead is [name], senior pentester with 8+ years. They write every critical and high finding personally."

Bad answer. "Our team handles it."

2. Will you show me a real sample report from a recent engagement?

Why it matters. Reports are the deliverable. If the vendor refuses to share an anonymized example, walk away.

Good answer. "Here's a sanitized PDF — note the reproducer scripts and verification artifacts."

Bad answer. "We can't share due to confidentiality."

3. What's your false-positive rate?

Why it matters. False positives are expensive — they waste engineering time and erode trust in the program.

Good answer. A specific number with methodology. ("Under 5%, measured by client-marked-invalid findings divided by total.")

Bad answer. "Very low."

4. Is retest included in the subscription?

Why it matters. Some vendors charge extra for retest. That's a profit center disguised as a service.

Good answer. "Unlimited retests included. Fix-verified-closed is the default."

Bad answer. "Retests are billed at $X per finding."

5. How do you handle business logic vulnerabilities?

Why it matters. Scanners don't find business logic flaws: these are the bugs that require understanding what the app *should* do, and finding them is where senior engineers earn their keep.

Good answer. Specific recent example: "Last month we found a checkout flow where canceling and re-submitting could double-apply a discount code."

Bad answer. "We use [tool] to scan for them."
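To make the "double-applied discount" example concrete, here is an added illustration (not code from the original post or from any vendor's engagement) of why a scanner misses this class of bug: every request is individually valid, and the flaw only appears across a sequence of legitimate actions. The checkout, the promo table and the cancel/resubmit flow are hypothetical; the vulnerable version keeps the discount ledger across a cancel, the hardened one reverts it and refuses to apply a code twice to the same order.

```python
from dataclasses import dataclass, field

# Hypothetical promo table for the illustration: code -> flat discount amount.
PROMO = {"SAVE10": 10.0}


@dataclass
class Order:
    subtotal: float
    discounts: list = field(default_factory=list)  # codes applied to this order
    status: str = "open"

    @property
    def total(self) -> float:
        return max(0.0, self.subtotal - sum(PROMO[c] for c in self.discounts))


class VulnerableCheckout:
    """Cancel resets the status but leaves the discount ledger untouched,
    so resubmitting with the same code appends it a second time."""

    def submit(self, order: Order, code: str) -> float:
        if order.status != "open":
            raise ValueError("order is not open")
        if code in PROMO:
            order.discounts.append(code)  # no check for a code already applied
        order.status = "submitted"
        return order.total

    def cancel(self, order: Order) -> None:
        order.status = "open"  # discounts survive the cancel: the bug


class HardenedCheckout:
    """Cancelling returns the order to its pre-submission state, and a code
    is applied at most once per order even if some other path re-enters submit."""

    def submit(self, order: Order, code: str) -> float:
        if order.status != "open":
            raise ValueError("order is not open")
        if code in PROMO and code not in order.discounts:
            order.discounts.append(code)
        order.status = "submitted"
        return order.total

    def cancel(self, order: Order) -> None:
        order.status = "open"
        order.discounts.clear()  # revert everything the submission applied


def cancel_and_resubmit(checkout, subtotal: float = 100.0, code: str = "SAVE10") -> float:
    """The tester's reproduction: submit, cancel, submit again with the same code.
    Returns the final charged total; a correct checkout charges subtotal minus
    one discount, a vulnerable one charges subtotal minus two."""
    order = Order(subtotal)
    checkout.submit(order, code)
    checkout.cancel(order)
    return checkout.submit(order, code)


if __name__ == "__main__":
    print("vulnerable:", cancel_and_resubmit(VulnerableCheckout()))  # 80.0
    print("hardened:  ", cancel_and_resubmit(HardenedCheckout()))    # 90.0
```

Each individual request here passes input validation and authorization, which is exactly why a scanner reports nothing; a tester who understands that a cancelled order should forget its discounts finds it in a few minutes.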

6. What's your engagement model when you find a critical?

Why it matters. Criticals can't wait for a weekly report.

Good answer. "We page your on-call directly within 30 minutes and send a draft fix recommendation within 4 hours. We hold the report draft until you acknowledge the finding."

Bad answer. "It goes in the next report."

7. Can you integrate with our existing tools?

Why it matters. Findings have to land where your engineers already work: Slack, Linear, Jira, GitHub Issues, PagerDuty. If the answer is "we have our own portal," that's a yellow flag, because engineers won't context-switch to check it.

8. What does your senior engineer time look like per month?

Why it matters. "Continuous" can mean 1 hour of manual testing per week or 20. Get a number.

Good answer. "8–12 senior engineering hours per app per month, more during release-heavy weeks."

Bad answer. "As much as needed."

9. How do you handle scope changes and new applications?

Why it matters. Your stack will grow. The contract should make that painless.

Good answer. "Add applications at any time. Pricing adjusts on the next billing cycle."

Bad answer. "Each new app requires a fresh statement of work."

10. What compliance frameworks have your reports satisfied?

Why it matters. If you're SOC 2 or ISO 27001-bound, your auditor must accept the report.

Good answer. Specific list with anonymized client examples: "SOC 2 Type II (12 clients), ISO 27001 (4 clients), HIPAA (3 clients), PCI DSS (2 clients)."

Bad answer. "Yes, we cover all frameworks."

The bonus 11th: How does this engagement end?

The right vendor is happy to walk away when you outgrow them or when you take security in-house. If exit terms are punishing or the contract auto-renews silently, treat it as a red flag.

Want a vendor that answers all 10 cleanly?

Get a free initial audit — three findings, ranked, delivered in 3 business days. No commitment. From there decide if our answers to these questions match what you need.
