Cybersecurity Listings
The listings published in this directory cover penetration testing firms, practitioners, and service providers operating across the United States. Each entry represents a discrete cybersecurity service entity classified by engagement type, specialization, and documented qualification credentials. The scope and purpose of this reference are detailed in the cybersecurity directory purpose and scope overview, which defines the standards applied to inclusion decisions. Understanding how entries are structured, what they contain, and where gaps exist is essential to using this resource accurately.
How to read an entry
Each listing in this directory is organized around 5 primary data fields: entity name, primary service classification, engagement scope, qualification indicators, and geographic reach. These fields are populated from publicly verifiable information — firm websites, certification body registries, regulatory filings, and published engagement documentation.
Primary service classification follows the engagement typology used across this directory:
- Network penetration testing — assessments of external and internal infrastructure, including routers, firewalls, VPN concentrators, and segmentation architecture
- Web application penetration testing — HTTP/HTTPS attack surface analysis, authentication bypass, injection testing, and session management review
- Mobile application penetration testing — iOS and Android application security evaluation, including binary analysis and API interaction
- Cloud penetration testing — configuration assessment, privilege escalation paths, and identity and access management review within cloud-hosted environments
- Red team operations — adversary simulation engagements that combine network, physical, and social engineering vectors over extended timeframes
The classification system aligns with engagement categories recognized by the Penetration Testing Execution Standard (PTES), an industry-consensus framework that defines phases from pre-engagement through reporting. Listings may carry more than one classification where the provider's documented service portfolio spans multiple engagement types.
Qualification indicators within entries reference certifications from recognized credentialing bodies. The most common credentials in this sector include the Offensive Security Certified Professional (OSCP) issued by Offensive Security, the GIAC Penetration Tester (GPEN) issued by GIAC, and the Certified Ethical Hacker (CEH) issued by EC-Council. A comparison of credential rigor and industry recognition is available at CEH vs OSCP vs GPEN.
What listings include and exclude
Listings document service providers with a verifiable US operational presence offering penetration testing as a primary or substantial secondary service line. Providers appearing in this directory have been identified through public registration records, published credential verification pages maintained by certification bodies, or formal regulatory disclosures.
Included categories:
- Dedicated penetration testing firms offering structured, scoped engagements under signed rules of engagement
- Managed security service providers (MSSPs) with a documented, standalone penetration testing practice
- Boutique and specialist firms operating in regulated verticals including healthcare, financial services, and federal contracting
- Independent practitioners credentialed at the OSCP, GPEN, or equivalent level operating as named consultants or sole proprietors
Excluded categories:
- Vulnerability scanning vendors offering automated-only assessment products without human-driven exploitation
- General IT services firms without documented offensive security capability or credentialed personnel
- Firms operating exclusively outside the United States
- Bug bounty program operators — a distinct service model addressed separately at bug bounty programs vs penetration testing
The distinction between penetration testing and vulnerability assessment is a recurring source of classification error in this sector. The penetration testing vs vulnerability assessment reference provides the full definitional boundary used to make inclusion decisions. A provider that enumerates vulnerabilities without demonstrated exploitation capability is classified under vulnerability assessment, not penetration testing, regardless of how it self-describes.
Compliance-driven engagements under PCI DSS v4.0 Requirement 11.4, HIPAA Security Rule 45 CFR § 164.308(a)(8), and FedRAMP's continuous monitoring requirements represent the primary regulatory drivers for penetration testing procurement in the US market. Providers documented as operating in these compliance contexts may carry a compliance-context tag within their listing.
Verification status
Entries in this directory carry one of 3 verification states:
- Verified — credential claims confirmed against a named certification body registry (e.g., Offensive Security's public certification lookup, GIAC's verification portal) and service classification confirmed against publicly available engagement documentation
- Claimed — information sourced from the provider's own public-facing materials without independent credential cross-check
- Unresolved — entry flagged due to conflicting information across sources; credential verification pending or inconclusive
No entry is presented as an endorsement. Verification status reflects the state of available public documentation at the time of indexing, not an ongoing audit function. Organizations evaluating providers for engagements requiring regulatory compliance should independently confirm credential validity and review the hiring a penetration testing firm reference, which covers qualification due diligence and contract checklist criteria.
Coverage gaps
This directory does not claim exhaustive coverage of the US penetration testing market. The sector includes an estimated 3,000 to 5,000 active firms and independent practitioners at any point in time, based on certification body enrollment data published by Offensive Security and GIAC — a population that shifts with new credential issuance, firm formation, and market exits.
Identified structural gaps in current coverage include:
- Specialized OT/ICS firms — providers focused on SCADA and ICS penetration testing are underrepresented relative to their share of critical infrastructure engagements
- Small and mid-market specialists — firms operating below 10 full-time practitioners and serving small business clients are indexed at lower rates due to limited public documentation
- Government-exclusive contractors — firms operating under FedRAMP or CMMC compliance mandates whose work is not publicly disclosed are partially or entirely absent
- PTaaS platforms — penetration-testing-as-a-service platforms that blend automated and manual testing occupy a classification boundary that is handled inconsistently across the directory at this stage
Geographic coverage is national in scope but concentrates around established cybersecurity market centers including the Washington DC metro area, San Francisco Bay Area, New York metropolitan area, and Austin, Texas — regions where documented firm density is highest based on state business registration data and certification body location disclosures.