Contact

Penetration Testing Authority operates as a public reference provider network for the penetration testing and offensive security service sector in the United States. This page covers how to reach the provider network's administrative office, the geographic scope of the resource, what information to include when submitting a message, and what to expect in terms of response handling. Inquiries related to listed providers, corrections to published information, and research or editorial matters are handled through the channels described below.


How to reach this office

The administrative office for Penetration Testing Authority receives inquiries through its web-based contact page, which is the primary channel for all inbound communication. Email correspondence is also accepted for provider-related, editorial, and research-oriented matters.

Provider network operations fall within a defined administrative scope that does not include provision of penetration testing services, security assessments, or professional advice. The provider network functions as a reference index — comparable in structural role to professional registries maintained by standards bodies such as NIST's National Cybersecurity Center of Excellence or the CISA Cybersecurity Resource Hub — organizing the service landscape rather than participating in it.

Correspondence categories accepted by this office include:

  1. Provider submissions — requests to add a qualified penetration testing provider to the Penetration Testing Providers index
  2. Provider corrections — factual corrections to existing provider network entries, including credential updates, address changes, or scope revisions
  3. Editorial inquiries — questions about the classification methodology, provider network structure, or reference framework described in Penetration Testing Provider Network Purpose and Scope
  4. Research and data requests — academic or industry research inquiries referencing published provider network content
  5. Compliance and regulatory references — questions about how provider network categorization aligns with frameworks such as PCI DSS v4.0 Requirement 11.4 or NIST SP 800-115

Inquiries that fall outside these categories — including requests for penetration testing quotes, vulnerability assessments, or incident response referrals — are outside the administrative scope of this office.


Service area covered

Penetration Testing Authority maintains national scope across the United States, with provider network coverage organized around the 50 states and the District of Columbia. The provider network indexes providers operating in all major US metropolitan markets as well as remote-delivery firms serving clients without geographic restriction.

The provider network does not restrict listings to providers physically located within a single state. Federal contracting contexts — governed by frameworks including FedRAMP authorization requirements and NIST SP 800-37 risk management standards — frequently involve providers delivering services across state lines or entirely through remote access. Provider network coverage reflects that operational reality.

Provider network entries distinguish between providers with a physical headquarters presence in a given state and those serving that state through remote delivery. This distinction matters for regulated industries: PCI DSS v4.0 requires organizations to use qualified security assessors meeting specific credentialing standards, and verifying a provider's operating jurisdiction is one element of due diligence.

International providers operating in the US market but headquartered outside the country are assessed on a case-by-case basis for provider network inclusion, with US regulatory compliance documentation serving as a primary inclusion criterion.


What to include in your message

Incomplete submissions are the primary cause of delayed processing. Structured message content reduces handling time and improves the accuracy of the provider network's published information.

For provider submissions, include:

  1. Service type classification: network penetration testing, web application testing, red team operations, social engineering assessments, or other defined categories per the NIST SP 800-115 testing taxonomy

For provider corrections, include:

For editorial and research inquiries, include:

Messages that omit contact information, describe only a general topic without a specific question, or request services rather than provider network information are not actionable by the administrative office.


Response expectations

The administrative office operates on standard US business days, Monday through Friday, excluding federal holidays as defined by the Office of Personnel Management. The target review process for complete, actionable inquiries is 3 to 5 business days.

Response timelines by inquiry type reflect complexity differences:

Submissions that require third-party verification — such as confirming a provider's active PCI SSC Qualified Security Assessor (QSA) status through the PCI SSC Assessor and Solutions Provider — may extend beyond the standard window. Submitters are notified if additional information is required before a provider decision is finalized.

Incomplete messages receive a single follow-up request for missing information. If the required information is not received in a timely manner after that follow-up, the submission is closed without action and may be resubmitted at any time.

The provider network does not provide individual security recommendations, assess the suitability of any specific provider for a given engagement, or interpret regulatory requirements as they apply to a specific organization's compliance posture.

Report a Data Error or Correction

Found incorrect information, an outdated fact, or a broken link? Use the form below.

Interested in becoming a verified provider?

Include your business name, location, and services offered.
