Evaluating pentesters

[Tony Turner <tony_l_turner () yahoo com>]

Is there some kind of "Who's Who" of penetration testing firms? Right
now my primary methods for evaluating potential firms for pentest
engagements are requesting sanitized reports from past tests and asking
questions about their methodology. Is there some resource online I might
be able to use to locate quality testers? I've been burned in the past
with some real bad ones.. I'm looking for
network/systems/application/web/wireless from a PCI focused firm. Not so
much interested in physical security and social engineering tests at
this time but these services may be useful for future engagements. Also
not interested in paying good money for someone else to just do a
Kismet/Gpsmap or Nessus scan for me and hand me the scan data. Useful
tools of course, but I've met a few idiots who thought that was what
penetration testing was. I am in the SE United States.

--

Tony L Turner
CISSP, CISA, GPEN, GCIA, GSEC, VCP, ITIL-F

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------