Is Your Pen Test Vendor a Security Weak Link? Verify Their Infrastructure Before You Sign

Many security leaders assume their penetration testing vendors practice the same robust security they preach. But what if the tools and infrastructure your vendor uses are outdated and insecure?
Imagine a scenario where a “drop box” device shipped to your office for an internal pen test is itself a ticking time bomb: unencrypted, running on old firmware with no Secure Boot, and connecting via a legacy VPN. If that device gets lost or tampered with, the sensitive data it holds could become an attacker’s roadmap into your network. In one Black Hat study, researchers warned that an ill-secured penetration tester can become “a clear and present danger” – effectively a vulnerable extension of your network’s attack surface.
This blog is an urgent call to action for CISOs, CTOs, compliance leads, and procurement decision-makers: demand better from your penetration testing vendors.
The Hidden Risk of Insecure Pen Test Infrastructure
It is ironic and alarming that firms hired to improve your security might introduce new risks through outdated tools and dangerous business operations. Common issues include:
Outdated VPNs: Legacy VPN technologies, shared credentials, and weak or absent MFA increase exposure and complicate access revocation. If your pen test provider is tunneling into your environment via an antiquated VPN or a weak remote access setup, that’s a glaring red flag.
Insecure Boot Processes: Testing appliances are often shipped as small “drop boxes” placed inside your network. If those devices lack Secure Boot or BIOS protections, an attacker could load unauthorized software or firmware. Without Secure Boot, a device will blindly execute whatever sits on the boot device instead of checking for trusted signatures.
No Device Hardening: Too often, these appliances have no BIOS passwords, no encryption, and no tamper safeguards. That means anyone with physical access could reboot from a USB stick or even steal the hard drive. If a pen test device is lost or stolen in transit and its drive isn’t encrypted, an adversary could easily extract credentials, network maps, and findings.
Offshore Resource Risks: A growing number of U.S.-based penetration testing firms quietly rely on offshore resources. You may pay U.S. rates to a U.S. company, but the actual testing occurs overseas with no data custody, oversight, or contractual control. This creates significant gaps in accountability and exposes your organization to cross-border data handling and compliance risks.
Privately Managed Infrastructure Risks: Some firms lack formal corporate infrastructure altogether. Their consultants (or 1099 contractors) use personal cloud accounts like DigitalOcean, Linode, or AWS free-tier instances, along with privately owned password crackers. Client data may be processed or stored in these uncontrolled environments with no assurance of monitoring, access logging, or data destruction at the end of the engagement.
Ad Hoc Logistics: Poor chain of custody, inconsistent imaging, and weak return or wipe procedures lead to device loss, data spillage, and operational surprises.
As a security leader, it’s on you to hold vendors to the same standards you enforce internally. If a practice or technology wouldn’t pass your own risk assessment, don’t accept it from a third-party pen tester.
Demand Transparency and Accountability From Vendors
Before signing any penetration testing contract, pause and probe. It’s not enough to assume a vendor “has it covered.”
You have every right—and a duty—to ask pointed questions about how they secure their testing infrastructure. During an engagement, testers often have deep access to your network and data. If their device or connection is compromised, it’s your organization on the line.
Reputable vendors will welcome transparency. If a vendor is evasive or dismissive, treat that as a warning sign. Too much is at stake to accept blind trust.
Five Critical Questions To Ask Your Pen Test Provider
Before you sign any agreement, ask these five critical questions to assess a vendor’s operational security maturity. If they can’t answer confidently, walk away.
1. Are all testing systems encrypted at rest with strong full disk encryption, and who controls the keys?
If devices or VMs were compromised or stolen, robust encryption is your last line of defense. Best practice: use proven encryption (e.g., LUKS or BitLocker) with client-held keys.
2. Do your testing appliances enforce Secure Boot and BIOS protections?
Secure Boot ensures only trusted, signed code runs. Each device should have a locked BIOS and unique password. If they can’t verify this, their hardware is vulnerable to tampering.
3. What remote access method is used, and how is it secured and audited?
Demand details on their VPN or remote access. Look for identity-based controls, MFA, and modern encryption—not shared credentials or legacy VPN/reverse SSH tunnels.
4. Where is your testing infrastructure hosted and who monitors it?
If they can’t clearly state where their jump hosts or cloud instances reside, that’s a problem. You need full visibility into data paths and monitoring practices.
5. How do you manage device lifecycle and logistics end to end?
Expect documented imaging, shipping with tracking, tamper evidence, chain of custody, in-field incident playbooks, and verifiable wipe on return.
The Minimum Baseline You Should Require For Shipped Devices
- Secure Boot enabled with a verified, signed boot chain
- Locked BIOS or UEFI with unique credentials and blocked external boot
- Full disk encryption for all storage that may contain client data
- Tamper-evident design or seals and tracked chain of custody
- Documented return and verifiable wipe or destruction process
If your vendor cannot meet this baseline, either require them to harden immediately or decline the engagement.
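A receiving-side check for the baseline above, as an added example that is not ARROW's or VTEM Labs' code: a POSIX shell script run on a Linux drop box (or against a constructed fixture tree) that confirms Secure Boot is on, a TPM is present, and every mounted data volume sits under a dm-crypt mapping. The fixture directory layout, the `ROOT` variable and the sample `lsblk` text are assumptions made for the example; BIOS password and tamper seals remain manual checks.

```shell
#!/bin/sh
# Verify the shipped-device baseline on a received Linux drop box (added example).
# Checks read under $ROOT ("" or "/" = live system) so a constructed fixture can be used.

# 1. Secure Boot: the SecureBoot EFI variable is 4 attribute bytes then a 1-byte state.
check_secure_boot() {
    root="${1:-}"
    var=$(ls "$root"/sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$var" ] || { echo "secure_boot: no EFI variable (legacy/CSM boot)"; return 1; }
    state=$(tail -c 1 "$var" | od -An -tu1 | tr -d ' ')
    [ "$state" = "1" ] && { echo "secure_boot: enabled"; return 0; }
    echo "secure_boot: DISABLED"; return 1
}

# 2. TPM present, so integrity measurement and key sealing claims can be meaningful.
check_tpm() {
    [ -d "${1:-}/sys/class/tpm/tpm0" ] && { echo "tpm: present"; return 0; }
    echo "tpm: MISSING"; return 1
}

# 3. Full disk encryption: input is `lsblk -rno NAME,TYPE,MOUNTPOINT` text. A plain 'part'
#    row with a mountpoint other than /boot or /boot/efi is data stored unencrypted.
check_fde() {
    leaks=$(printf '%s\n' "$1" | awk '$2=="part" && $3!="" && $3!="/boot" && $3!="/boot/efi" {print $1" on "$3}')
    [ -z "$leaks" ] && { echo "fde: all data volumes encrypted"; return 0; }
    printf 'fde: UNENCRYPTED %s\n' "$leaks"; return 1
}

# Constructed fixture standing in for a compliant device (lets the script run offline).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/firmware/efi/efivars" "$d/sys/class/tpm/tpm0"
    printf '\006\000\000\000\001' > "$d/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    echo "$d"
}

# Constructed lsblk samples: encrypted root vs. root and swap mounted straight off partitions.
GOOD_LSBLK='sda disk
sda1 part /boot/efi
sda2 part /boot
sda3 part
cr_root crypt /'
BAD_LSBLK='sda disk
sda1 part /boot/efi
sda2 part /
sda3 part [SWAP]'

main() {   # usage on the device itself: sh verify_dropbox.sh --live
    rc=0
    check_secure_boot "${ROOT:-}" || rc=1
    check_tpm "${ROOT:-}" || rc=1
    check_fde "$(lsblk -rno NAME,TYPE,MOUNTPOINT 2>/dev/null)" || rc=1
    return $rc
}
if [ "${1:-}" = "--live" ]; then main; fi
```

A non-zero exit from `main` means the device fails the baseline and should go back to the vendor unopened.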
How ARROW by VTEM Labs Raises the Bar
If those questions made you uneasy, there is a better path. ARROW by VTEM Labs is a modern platform that brings security and discipline to remote testing logistics without adding friction for your teams. It is purpose-built for penetration testing firms, incident responders, and IT managed service providers that care about protecting their clients’ data while maintaining operational efficiency.
If you are a CISO, CTO, or compliance leader looking to hire a penetration testing firm, we’re happy to refer you to one of our customers who uses ARROW as their secure testing infrastructure. These are firms that have already invested in doing it right: encrypted systems, secure boot, hardware-backed integrity, and complete auditability.
Quick Comparison
| Capability | Legacy or Ad Hoc Approach | ARROW Approach |
|---|---|---|
| Boot integrity | Often disabled or inconsistent | Secure Boot enforced and verified |
| Data at rest | Spotty encryption, shared keys | LUKS encryption with client-held keys |
| Remote access | Legacy VPN, shared credentials | IdP-integrated VPN, role-based, auditable |
| Device lifecycle | Manual imaging and tracking | Centralized request, imaging, shipping, recovery |
| Audit and visibility | Limited or fragmented | End-to-end audit logs and operational telemetry |
| Deployment form factor | Single option, rigid | Hardened hardware or VM with consistent controls |
ARROW’s Security Architecture at a Glance
ARROW devices implement layered security controls including Secure Boot validation, TPM integrity checks, BIOS lockdown, and encrypted storage with client-controlled access.
ARROW’s zero trust model uses identity-based access controls, peer-to-peer WireGuard tunnels, and role-based security groups to provide secure, auditable remote access.
Conclusion: Insist on Secure Testing
Penetration tests are supposed to reduce your risk, not add to it.
As security leaders, we need to ensure that every vendor we hire adheres to the same rigorous standards we enforce internally. The days of shipping unencrypted “black box” testing devices or relying on decade-old VPNs should be over.
Before your next engagement, ask the hard questions.
And if your vendor can’t confidently demonstrate that their testing infrastructure is protected from supply chain, tampering, and data loss risks—urge them to evaluate a hardened solution like ARROW by VTEM Labs.
Let’s set the bar higher for the entire industry.
Learn More About ARROW’s Security Features
Ready to see how ARROW addresses these critical security concerns? Learn about our comprehensive approach to hardware security, including Secure Boot, TPM protections, and encrypted storage in our detailed security overview.
Schedule a demo today and see how ARROW can help your organization or preferred penetration testing vendor maintain the highest security standards while accelerating operations.