Cybersecurity Providers
The penetration testing service sector in the United States encompasses hundreds of firms operating across network, application, cloud, and physical security disciplines. This page documents the structure of the provider entries published on this provider network, what information is and is not included in each record, how verification status is determined, and where coverage gaps exist. Professionals and organizations evaluating providers in this sector will find the full scope of provider network methodology explained in Penetration Testing Providers.
How to read an entry
Each provider entry represents a single penetration testing firm or independent practice operating within the United States. Entries are organized by primary service category rather than geography, reflecting the national-scope nature of most contracted engagements. Within each category, entries are structured to surface qualification signals rather than marketing claims.
A standard entry contains the following fields, in this order:
- Firm name and operating jurisdiction — the legal name under which services are contracted and the state of primary registration or incorporation.
- Primary service category — one of five classification types: network penetration testing, web application penetration testing, mobile and API assessment, cloud security assessment, or red team operations.
- Certification holdings — personnel-level credentials on record at the time of listing, limited to named industry standards: Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH) from EC-Council, GIAC Penetration Tester (GPEN), or CREST membership.
- Compliance alignment — regulatory frameworks the firm explicitly references in service documentation, drawn from standards including PCI DSS v4.0 Requirement 11.4, NIST SP 800-115, and CMMC Level 2 and Level 3 practices.
- Engagement structure — whether the firm operates on fixed-scope, time-boxed, or continuous-assessment models, as disclosed in publicly available service documentation.
- Contact and intake pathway — a direct URL to the firm's engagement inquiry page, not an aggregated contact page.
Entries do not include service levels, client lists, revenue figures, or subjective quality rankings. The provider network structure is explained in full on the Provider Network Purpose and Scope page.
What listings include and exclude
Listings cover firms that meet a minimum threshold of public documentation: at least one named certification holder, at least one explicitly described engagement methodology, and a publicly accessible rules-of-engagement or scoping disclosure. Firms operating solely under nondisclosure with no public methodology documentation are excluded by default.
Included:
- US-registered firms offering penetration testing as a primary or dedicated service line
- Firms with at least 1 named OSCP, GPEN, or CREST-credentialed practitioner in public documentation
- Managed security service providers (MSSPs) where penetration testing constitutes a discrete, separately contracted offering
- Boutique and sole-practitioner firms meeting the certification threshold
Excluded:
- Vulnerability scanning vendors without human-driven exploitation services
- General IT consulting firms offering "security assessment" without defined offensive methodology
- Firms whose only public credential is a vendor-specific certification unrelated to offensive security disciplines
- International firms without US operating presence or a US-registered subsidiary
The distinction between penetration testing and vulnerability scanning is drawn from NIST SP 800-115, which characterizes penetration testing as requiring assessors to mimic real-world attacks and demonstrate exploitability — not merely enumerate findings. Firms whose documented methodology does not extend to exploitation are classified as scanning vendors and excluded from this provider network.
Verification status
Entries carry one of three verification designations:
- Documented — the certification claims and methodology descriptions in the entry are traceable to publicly accessible sources: the firm's own website, a credentialing body's public registry (such as the CREST member network), or a regulatory audit attestation.
- Self-reported — the information derives from firm-submitted intake data that has not been independently cross-referenced against a third-party registry. Self-reported entries are labeled accordingly.
- Unverified — the entry was generated from secondary source aggregation and no primary documentation has been located. Unverified entries are flagged and queued for review.
Verification against the CREST member registry and the Offensive Security certification lookup is performed at intake. EC-Council's CEH verification requires direct registry access, which is not publicly open; CEH credentials in entries default to self-reported status unless corroborated by a secondary source. No entry is represented as verified unless at least 1 specific credential has been cross-referenced against a named public registry.
Coverage gaps
The provider network does not claim complete coverage of the US penetration testing market. Identified gaps include the following:
- Regional boutique firms — firms operating in geographic markets outside the 10 largest US metropolitan areas are underrepresented. Smaller markets in the Mountain West and rural Southeast have fewer than 5 documented entries each.
- Federal contractor specialists — firms whose work is conducted exclusively under federal contracts and whose methodology documentation is classified or controlled unclassified information (CUI) under 32 CFR Part 2002 cannot be fully documented in a public provider network.
- Red team operators — full-scope red team engagements, which simulate adversarial persistent access campaigns, are provided by a narrower subset of firms than standard penetration testing. This category has fewer than 30 documented entries nationally as of the most recent intake cycle.
- OT and ICS specialists — firms focused on operational technology and industrial control system assessments, governed by NIST SP 800-82, constitute a distinct specialty category that is currently underrepresented relative to IT-focused providers.
Professionals seeking context on how to use this provider network for provider evaluation should consult How to Use This Penetration Testing Resource for methodology and field definitions.
References
- NIST SP 800-59: Guideline for Identifying an Information System as a National Security System
- NIST SP 800-124 Rev. 2 — Guidelines for Managing the Security of Mobile Devices
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-82 Rev. 3 — Guide to Operational Technology Security
- NIST SP 800-12 Rev. 1 — An Introduction to Information Security