Why You Should Change Your Pentester
Most IT managers consider rotating penetration testing providers a best practice. The rationale is straightforward: by comparing different service providers, organizations can better evaluate the quality and scope of results — especially when the same attack vectors are tested. While there is some initial onboarding effort as the new analyst familiarizes themselves with the target environment, this investment pays off through fresh perspectives and additional findings. In practice, organizations also commission pentests from providers who specialize in specific testing areas.
Ideally, no information about previous pentests should be shared with the new provider. This creates a cross-organizational four-eyes principle, where different methodologies, experience, and tools come into play. At turingpoint, for example, we deploy proprietary scanners alongside established commercial and open-source tools. We believe that specialized experts bring deeper knowledge in their domain than generalists who must juggle multiple responsibilities. Furthermore, pentests should never be commissioned from the company that developed the solution being tested. In-house developers can be blind to certain weaknesses in their own code — which is why we always recommend complementary unit testing, peer code reviews, and independent quality assurance.
Advantages of Changing Providers
- Compare the quantity and quality of results
- Different methods yield broader insights
- Four-eyes principle across service provider boundaries
- New perspectives and alternative approaches
- Avoid operational blind spots
We consider a deliberate information barrier between different pentest providers a decisive advantage. It enables an objective, multi-layered assessment of the system under review. This allows the commissioning organization to better compare results and gain valuable new perspectives.
