Penetration Testing is the final word in proving that technical compliance and good security practices are in place – or so it should be. What is the impact on quality if the consultant is overworked? The trouble with asking questions like these is that there’s no tick box to check when choosing your supplier. Is it good quality for the consultant to do a quick port scan and not cover all 65k ports, for example? Doing a full port scan takes time and usually turns up nothing that a quick port scan wouldn’t find. Is it good quality to classify ‘autocomplete’ on an application as low risk because that’s the standard classification, without taking into account the context of the application and the business – e.g. a banking application?