Penetration testing and vulnerability analysis is a practice that has become increasingly important for our companies. They are simply tests of security stress designed to discover and test the possible vulnerabilities that exist in a computer system.
These services come in very heterogeneous prices, prices that can vary from less than a thousand dollars to more than 20 thousand for the same test. So one of the main dilemmas for companies is to know how to evaluate if the price is right, and if that is what they need.
Who are the best?
Penetration testing is usually a part of the IT world that has been tried to be formalized and industrialized, however, in my experience, pentesting is an art, the best are not those who know how to execute a script repetitively and simply understand and explain the results (eg nessus), the best are those who have the ability to:
Think like sysadmin / programmer / user
Integrate multiple techniques into one attack to achieve a goal
Develop your own techniques and programs
** Not necessarily this will be tied to certifications. There are pentesting services that measure dexterity and non-knowledge. For example OSCP / OSCE is designed to assess skills rather than knowledge. In this matter, knowing the theory gives no guarantees of anything.