Unmasking the Great Penetration Testing Deception: Are You a Victim?

In the realm of cybersecurity, penetration testing is a critical element, giving organizations a proactive way to safeguard their digital assets. However, as with many professional services, not everything is always as it seems. One growing concern in the penetration testing industry is the “bait-and-switch” approach. In this post we explore how to recognize a bait-and-switch and how to avoid it when choosing a penetration testing service.

What is the Bait-and-Switch Practice?

At its core, the bait-and-switch tactic in penetration testing involves showcasing a company’s top talent during the sales or proposal process, only to then delegate the bulk of the actual testing to junior or less-experienced personnel. While the seasoned experts may make the initial pitch and outline the methodology, it’s the less experienced people who are left with the “heavy lifting.”

Why Does it Matter?

  1. Quality of Work: Penetration testing is a nuanced task. Seasoned testers have honed their skills through years of real-world experience across many environments and technologies. Junior testers, while often capable, may lack the depth of experience needed to spot subtle vulnerabilities, chain lower-severity findings into a meaningful attack path, or recognize the nuances of complex systems.
  2. Trust and Transparency: When an organization is pitched by senior experts but later receives services from junior staff, it can lead to a perception of dishonesty and can harm the trust built during the initial phases.
  3. Cost Implications: Organizations pay premium prices for top-tier expertise. If they’re receiving work from less experienced professionals, there’s a discrepancy between the cost and the actual service value.

Identifying the Bait-and-Switch

Several red flags can alert an organization to this tactic:

  • Unwillingness to Specify Testers: If a firm is unwilling to provide CVs or specific details about who will be conducting the tests, it may be a sign of their intention to switch the team.
  • Change in Point of Contact: If, after the initial pitch, all communications shift away from the initially presented experts to other team members without a clear explanation, it might be cause for concern.

Navigating the Bait-and-Switch

  1. Clear Contracts: Outline in the contract the qualifications and experience required of the penetration testers working on your project, or name them directly. A key-personnel clause that requires your written approval before any named tester is replaced removes most of the room for a switch.
  2. Direct Communication: Establish a line of communication with the actual testers, not just the sales or managerial team. Engaging with them can provide insights into their experience and capabilities.
  3. Ask for Profiles: Before finalizing any agreement, ask for the CVs or professional profiles of the testers who will be assigned to your project.
  4. Seek Recommendations: A firm’s reputation can be a strong indicator. Seek recommendations and reviews from trusted sources and industry peers. And don’t forget to ask them who actually performed most of the heavy lifting during the penetration test.
  5. Trust, but Verify: While trust is essential in any professional relationship, verifying claims and promises is equally crucial. Check that the people named in the proposal are the ones who actually appear in the final report and in the day-to-day testing communications, and ask for evidence of their involvement if it is not obvious.
While the bait-and-switch tactic isn’t exclusive to the cybersecurity field, its implications here can be profound, given the critical nature of safeguarding organizational assets. By being informed and vigilant, organizations can ensure that they are getting the expertise and value they pay for, maintaining the integrity of their security and the trust in their service providers.