The biggest difference between a real penetration test and a €2,000 scan comes down to a single question: does every finding ship with a reproducible proof of concept — or do you just get a list of alerts out of a scanner? The German market alone counts more than 70 pentest providers, from boutiques to TÜV bodies to international consultancies, and their quotes often look identical on paper. This article is the selection-criteria checklist that separates a usable engagement from an expensive snapshot — neutral, no sales pitch.
What separates a real pentest from a vulnerability scan?
An automated scanner finds known patterns and reports them as alerts. A pentest goes one step further: it actually attempts to exploit the weakness and backs the result with a reproducible proof of concept. That difference decides whether a finding is usable — or just noise.
The market's sharpest rule of thumb: quotes under €3,000 are typically automated scans, not manual pentests. Market overviews and pricing guides from providers draw this line consistently. Day rates for certified testers sit at €900–1,800 net in the DACH region — a single serious person-day plus reporting already blows past €2,000. Anyone charging €1,500 for "a pentest" is almost certainly selling a scan report under a false name. We break down the full pricing logic in the pentest cost post.
Ask every provider directly: does the report deliver a proof of concept for each finding — request, payload, response, reproduction steps? If the answer stays vague, you are buying a scan. This holds across every provider type equally.
Which provider types exist — and who fits which?
The market splits roughly into four categories. None is universally better; they differ in scope, pricing model, and speed. The job is to match the type to your requirement — not to pick the loudest.
| Provider type | Strength | Pricing model | Fits |
|---|---|---|---|
| Boutique / specialists | Depth in a niche, personal contact | Person-days, often negotiable | Complex single targets, unusual tech stacks |
| TÜV / audit bodies | Formal audit acceptance, reputation | Person-days, higher rates | Regulated industries, formal evidence |
| International consultancies | Breadth, red-team capacity, scale | Person-days, premium | Large enterprises, org-wide engagements |
| Autonomous platform | Speed, continuous testing, fixed price | Per engagement / subscription | Web/API, frequent deploys, budget clarity |
A mid-size company that needs a web application tested before a vendor review has different requirements than an enterprise running a four-week red team across the whole organisation. Each finds a provider type that fits — but rarely the same one.
Which criteria actually matter in the selection?
This is the core of the decision. The following eight criteria separate a usable engagement from an expensive snapshot with no evidence. Run them as a checklist and have each one demonstrated concretely — not asserted.
| Criterion | What to check | Why it matters |
|---|---|---|
| Company certification | ISO 27001, ISO 9001, BSI qualification for pentest providers | Proves process and confidentiality at the org level |
| Tester certification | OSCP, OSCE, CEH, GPEN | Proves the hands-on exploit skill of the person testing |
| Methodology adherence | OWASP, PTES, BSI guide | Structured, traceable coverage instead of gut feel |
| Proof of concept per finding | Reproducible exploit, not just an alert | The hardest quality signal there is |
| Re-tests included | Re-verification after remediation, in the price | Confirms the fix actually works |
| Report audit-validity | Holds up for SOC 2, ISO 27001, BSI C5 | The report is often the real deliverable |
| Tester independence | Not involved in building/operating the target | BSI quality criterion — see below |
| Data-storage location | GDPR-compliant, EU/Germany documented | Findings and PoCs are highly sensitive data |
Two-tier certification. Separate company certs from tester certs. ISO 27001 or a BSI qualification says something about the organisation — process, confidentiality, repeatability. OSCP, OSCE, CEH, or GPEN says something about the person actually typing. A provider with a spotless company cert but unnamed tester qualifications is hiding the more important half.
Methodology adherence. Usable tests follow a recognised framework — OWASP for web applications, PTES as an end-to-end process, the BSI practitioner guide for IS penetration tests as the German standard. Ask which methodology the test follows and how coverage is documented. "We just test everything" is not a methodology.
Independence. The BSI explicitly names tester independence as a quality criterion: whoever built or operated the system should not be the one to test it. That holds for internal teams, external providers, and platforms alike.
"IS penetration tests must always be carried out by professionally qualified persons who are independent of the areas under examination and who were not involved in the design, construction, or operation of the information network under examination." (translated from German)
— BSI, practitioner guide for IS penetration tests (November 2016)
Data storage. Findings, payloads, and PoCs are a map of your weaknesses. Ask where this data is stored, for how long, and whether processing runs GDPR-compliant in the EU. A vague answer here is a red flag.
Which warning signs rule a provider out?
Some signals are clear enough to disqualify a quote — regardless of reputation or a glossy deck. If one of these five shows up, push back or walk.
- Uncapped hourly billing. An open hourly budget shifts the entire cost risk onto you. Insist on a fixed scope and a ceiling.
- A "pentest" under €3,000. Almost always an automated scan under a false name. Ask for the proof of concept per finding.
- No re-tests. If re-verification after remediation costs extra or is not offered at all, you never know whether your fix works.
- No proof of concept. A report without a reproducible exploit is scanner output with a logo. This is the single most important disqualifier.
- No fixed scope. Without a clearly defined scope, effort, price, and coverage are arbitrary — and disputes are inevitable.
The BSI helps here too: it stresses that a penetration test deliberately goes "one step further" than a scan and searches for ways to bypass the security measures in place. A provider who doesn't deliver that isn't selling a pentest. For more on market regulation, see the BSI on NIS-2-regulated companies — and our post on when a pentest is mandatory.
Point-in-time or continuous — what do you need?
This is the criterion most checklists miss. A classic pentest is a snapshot: it assesses the state on one day. Every deployment after it can introduce new vulnerabilities — and the expensive report ages from the first code change. For teams shipping monthly or weekly, the decisive question isn't "which provider" but "how often."
The BSI notes that after every change to an IT system, it should be re-verified whether the required security level is met. In a CI/CD world that means: an annual pentest does not cover the other 51 weeks. The answer isn't necessarily more manual tests — those scale linearly in price and wait time. This is where autonomous platforms come in.
An autonomous platform like DeepMantis runs recon, fingerprinting, attack-chain analysis, and exploit verification autonomously, and backs every finding with a reproducible proof of concept — fast enough to run again after each release instead of once a year. It is not a substitute for every scope: binary exploitation, mobile pentests, social engineering, and physical testing remain the domain of manual teams, and DeepMantis deliberately does not run these test types. But for web applications and APIs that deploy constantly, continuous frequency shifts the security posture from "snapshot" to "ongoing coverage."
So decide along your deploy frequency: a static product before an audit? A thorough snapshot is enough. A constantly deploying web/API platform? Plan for continuous testing.
Frequently asked questions about choosing a provider
Are a provider's certifications enough as proof of quality?
They are necessary but not sufficient. Company certs like ISO 27001 prove process; tester certs like OSCP prove the individual's skill. You should see both. The final word, though, belongs to the report: if it delivers a reproducible proof of concept per finding, the quality is there — if it doesn't, no certificate saves it.
How many quotes should I compare?
Three to five are enough if you evaluate them against the same criteria checklist. Comparability matters more than volume: identical scope, identical methodology requirement, identical question about PoC and re-tests. Otherwise you compare apples to oranges — and the cheapest apple is often a scan.
Is a local provider better than an international one?
Not inherently. Local boutiques score on proximity and GDPR clarity; international consultancies on red-team capacity and scale. What decides is the criteria above — certification, methodology, PoC, independence, data-storage location — not the postal code.
When is an autonomous platform the right choice?
When your target is a web application or API, you deploy frequently, and you need budget clarity. For org-wide red teams, binary or mobile pentests, a manual team remains the right answer. Choose along scope and frequency, not along the technology itself.
As of June 2026. Market figures per the linked sources; BSI quotes from the practitioner guide for IS penetration tests. DeepMantis methodology and scope limits are documented on the security page.