Provider selection

The choice of an IT security provider is not a price question. Quality, methodology, and experience determine whether you receive defensible results - or a formally correct but practically unhelpful outcome.

On this page we explain transparently which criteria we use to evaluate providers and why those criteria are decisive in practice.


Our approach

We evaluate providers using a clear, repeatable criteria model. We combine:

  • technical competence
  • methodological approach
  • process and communication quality
  • trust and transparency factors

Our goal is realistic recommendations - not marketing promises or rankings.


Criteria we look at

1) Professional qualification

Certifications are a useful indicator, but not a sole criterion. What matters most is the combination of qualification and real project experience.

  • Offensive Security: OSCP, OSCE/OSWE, GXPN, GPEN
  • Incident Response & Forensics: GCIH, GCFA, GREM
  • Management & GRC: CISSP, CISM, CRISC
  • ISMS & processes: ISO 27001 Lead Implementer / Auditor

2) Methodology & execution

  • clear scoping process with documented rules of engagement
  • safe execution without unnecessary operational risk
  • verifiable findings with reproducible results

3) Experience & specialization

  • proven project experience (e.g., cloud, AD, web, OT)
  • specialization that fits your use case (e.g., red team vs pentest)

4) Process quality & communication

  • structured coordination before, during, and after the engagement
  • clear points of contact and escalation paths
  • understandable results that are operationally usable

5) Legal & compliance

  • NDA, data processing, and privacy processes
  • secure handling of sensitive data, artifacts, and logs

Typical pitfalls from practice

  • certifications without relevant project experience
  • standardized reports without prioritization or context
  • unclear responsibilities for critical findings
  • methodology not aligned with the actual risk

We see these regularly - and they are often the reason for disappointing outcomes.


Evidence & quality assurance

Where possible, we review:

  • anonymized sample reports
  • methodology and approach descriptions
  • references or typical client profiles

We do not promise what we cannot verify. Quality beats quantity.


Independence & transparency

We accept no paid placements and do not sell rankings. Providers are not listed higher because they pay - but because they deliver.


Re-evaluation & freshness

Provider profiles are reviewed regularly. If quality, team, or methods change, we update the entry or remove the provider from the overview.


Responsibilities

We support orientation and pre-selection. The final decision remains with you. This page does not replace individual due diligence or legal advice.


Next step

Support with selection

If you need help with classification or pre-selection, we support you neutrally, in a structured way, and without sales pressure.