Stop Rotating Pentest Vendors Every Year!

Why This Common Myth Might Do More Harm Than Good

We hear it all the time. “I had a decent experience with my last penetration testing vendor, but I’m reaching out to you guys because we have a policy to switch things up every year.” Or, the one that makes us silently scream into the void, “We’re really happy with NWG but my board wants us to rotate to another company just to get a fresh perspective.” 

The idea of switching vendors every year may seem tempting. After all, isn’t it good to have a new set of eyes on your environment to catch what others may have missed? But while this feels logical on the surface, it’s really a common misconception that can actually do more harm than good — especially once you find a vendor who you know is doing it right.

Why Stick With a Winner?

They Know Your Environment

You’ve probably heard (or maybe even wondered) if having a vendor who knows your environment really well is a negative. But there are actually some significant advantages to working with the same pentesting company over time, especially if you know and trust their people and their work.

For one, you don’t have to spend time researching, meeting with and evaluating a slew of new vendors, dealing with pushy salespeople, and figuring out who takes security seriously and who’s going to put the intern on your engagement before the ink on your DocuSign is even dry.

But more importantly, when you work with a trusted vendor for multiple years, they get to know your environment in a way that serves as a strategic advantage. They know where all the trapdoors are. They know the nuances of your security program’s strengths and weaknesses, and can show you the vulnerabilities and specific attack paths that are most likely to lead to your crown jewels. They can show you where you’re stronger today than you were during your last engagement, allowing you to build on your mitigation efforts over time.

High Quality is Hard To Find

As we’ve discussed in our e-book, there’s a massive range in quality when it comes to pentests. A high-quality pentest hits differently, giving you a comprehensive look into your environment across different domains. But “comprehensive” shouldn’t mean that you get a dense tome of a report that you essentially have to rewrite in order to explain your findings to the board. It should be digestible AND practical, allowing you to quickly understand which “Matters Requiring Attention” actually require your attention, and in what order of priority. Ideally, it should also present you with a clear roadmap for mitigation so that if you get a report at 3pm, you can start implementing changes by 3:15.

That might sound like a tall order… because it is. We often hear that people switch vendors because they think they have to, and then feel frustrated when the new company can’t get domain access or acts as if they’re trying to capture the flag instead of helping you get better.

If your current vendor isn’t giving you that kind of experience, you should shop around. But once you find someone who’s delivering a quality result that you’re consistently happy with, there’s no real reason to shake things up.

A Deep Bench = Diverse Perspectives

Keep in mind that even if you stick with the same company year-over-year, you can still get fresh perspectives with each pentest. A good vendor will have a deep bench of ethical hackers, with a range of skills and specialties.

For example, at NWG, we have experts including former military and cyberwarfare leaders, offensive security experts in finance and healthcare, ex-CISOs in government and emergency management, and even former academics with backgrounds in scientific analysis and bioengineering. This breadth of experience ensures that whoever we assign to lead an engagement will be lending a unique perspective to their approach, while tapping into the collective brainpower of a diverse team.

If your vendor doesn’t offer this on their own, ask for a different tester to lead your engagement each year. This gives you the benefit of new vantage points while maintaining the quality, valuable continuity and knowledge of your environment.

A Partner Can Grow With You

The other real advantage to sticking with the same vendor is that, when someone knows your environment, your team and your business goals, you can grow together. Things will inevitably change with your business, whether you expand to a new location, switch to a new system or technology (shadow AI, anyone?), or add new third-party vendors, suppliers or contractors into the mix. Threats will also continue to evolve at a dizzying rate, requiring defenders to constantly up their game to keep pace.

A valued partner can adapt alongside you. They can change their approach as needed, focusing in on specific areas of concern as they emerge. They can also make recommendations that are more specifically tailored to your needs as they shift and change.

When Should You Rotate?

As mentioned, there are still some instances when it may be time to find someone new. In addition to the warning signs we touched on above, you should switch vendors if:

  • It’s unclear whether your testers have current knowledge of real attack tactics
  • An engagement feels adversarial
  • Testing disrupts your operations
  • Testers aren’t communicative or responsive
  • It takes months for the final report to arrive
  • The report has generic severity ratings and risk categorizations instead of ones tailored to your organization’s unique environment
  • You’re not seeing any actionable insights

The Bottom Line

While many people think it’s a *MUST* to switch pentest vendors every year, it’s definitely not essential, and can come with significant risk if you’re already working with someone great.

Yes, we offer high-quality, full-scope pentesting. And yes, we realize that maybe we’ve just convinced you not to call us because you have a vendor you love and you want to stick it out. Hey, if that’s the case, we’re happy we saved a happy relationship.

But if you’re feeling like you still haven’t found a pentest that knocks your socks off, let’s chat. This might be the beginning of a beautiful friendship.
