
Beyond the Findings: What Quality Above All Really Means in Penetration Testing

Penetration Testing

Published: Sep 17, 2025

TL;DR 

Schellman’s core value of "quality above all" means understanding your business and comprehending why you need any given compliance service. In the case of penetration tests, it's not just about counting how many vulnerabilities we find. Good pen testing gives you risk ratings that fit your actual setup, shows we understand your specific business and technology, keeps communication clear throughout the project, and provides advice you can actually use. We focus on being your security partner and helping you understand real business risk instead of just checking compliance boxes. 

You'll hear "quality above all" around Schellman so often that it might sound like marketing talk. But to us, there's real meaning behind those words. When it comes to penetration testing, quality has very little to do with how many vulnerabilities were found during your assessment. 

There's no promise that any penetration test will find major security problems. Your applications might be well-built with your network set up correctly and your security controls working exactly as planned. A pen test that finds only small issues or zero high-risk problems can still be valuable. 

So, what does quality actually mean to us? And more importantly, what should it mean to you? 

We Start by Understanding Why You're Seeking a Pen Test

Before we run a single scan or log in to your application, we spend time understanding why you're doing this assessment. We put ourselves in your shoes to understand the business pressures, time limits, and expectations that brought you here. 

For example, if we hear that you’re hoping to pursue a SOC 2 Type 2 attestation and need clean pen test results for your auditors, we build our approach, report format, and timeline around that need. We understand which requirements connect to your pen test and document findings in a way that clearly shows your auditors you're doing your job. 

Maybe a large customer requires annual security assessments before they agree to work with you. We know this assessment shows you take security seriously and gives your customer confidence that their data stays safe. The report becomes a tool that helps your customer relationships, and we focus our testing on areas that would have the biggest business impact if they were to be exploited. 

Or perhaps you’re seeking an assessment because of a security incident, a close call, or worrying findings from your own security review. In these cases, we focus on confirming that fixes work and find system-wide issues that might point to bigger security gaps. 

Lastly, maybe you're getting ready for a company sale, going public, or entering a regulated market where people will look closely at your security. We adjust our timeline, scope, and reporting based on these factors. 

We ask more than "what do you want us to test?" We dig deeper to understand what you are trying to accomplish, and to identify how we can set up your assessment to give you the most value within your budget and goals. 

Risk Ratings That Make Sense in Your World 

A clear sign of thorough and effective assessment work is how we determine and present risk ratings. Many firms work like vulnerability scanners with people running them: they find a cross-site scripting issue and immediately call it "High Risk" without considering the business impact or existing protections. 

Schellman’s approach is different in that we understand that risk depends on context. That XSS vulnerability in your internal admin panel behind multiple login steps, protected by a web application firewall, only accessible to trusted employees, and containing non-sensitive setup data carries different risk than an XSS vulnerability in your public customer portal that handles payment information. 

We look at what protections you already have in place, considering what security controls are implemented, how users access this system, what data the system handles, and what happens if someone exploits this vulnerability. We adjust our risk ratings based on these factors and communicate our thoughts clearly. 

This approach goes beyond individual findings to your overall risk picture. We help you understand how findings relate to your threat model, which vulnerabilities pose the biggest business risk, and how to prioritize fixes given your resource limits. 

The Importance of Learning Your Environment

Generic assessments follow the same playbook whether they're testing a fintech startup's mobile app or a manufacturing company's industrial control systems. We instead demonstrate an understanding of your specific environment, technology setup, and business model. 

This manifests in how we plan our testing, the types of attack scenarios we run, and the business context we provide around our findings. When we explain how a vulnerability could impact your specific customer workflow, reference your compliance requirements, or show understanding of your industry's threat landscape, we're proving that we've spent time learning about your world. 

We test your applications the same way an attacker familiar with your business would. We understand your revenue streams, customer touchpoints, and valuable data. Our recommendations reflect this business awareness and provide guidance that makes sense within how you actually operate. 

Communication That Actually Helps 

Technical skills mean nothing without clear delivery. Good assessments feature ongoing communication throughout the project. 

We use the kickoff call to confirm scope, set expectations, understand business context, and establish how we'll communicate. We treat this as the start of working together, not just a checklist review. 

During the assessment, we provide regular status and progress updates, flag scope questions as they arise, and remain responsive to your questions. We know that silence can cause worry and that working together in real-time often leads to better findings and recommendations. 

When we find issues, we give immediate notification for high-risk findings rather than waiting until the final report. You’ll have direct access to team members who will remain available for clarification, additional testing, or scope changes as needed. 

Reports That Drive Action 

The final report reveals assessment quality most clearly. Our reports provide steps to reproduce issues that actually work, risk ratings that make sense in your context, and recommendations that are specific and doable. 

Instead of generic advice like "implement input validation," we provide specific guidance, such as: "implement server-side validation for the user role parameter in the /admin/users endpoint using your existing authorization framework, similar to your implementation in the /billing module." 
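What that guidance looks like in code, as an added illustration that is not Schellman's or any client's code: a role-update handler for an endpoint like /admin/users that trusts the submitted role value, next to one that checks the caller's permission server-side through the application's existing authorization framework. The user store, the `can()` permission check and the request shape are all assumed stand-ins.

```python
# Added example: "before" and "after" for the /admin/users role-update guidance.
# The user store, permission policy and function signatures are constructed
# stand-ins for an application's real authorization framework.
from dataclasses import dataclass

ALLOWED_ROLES = {"viewer", "editor", "admin"}


@dataclass
class User:
    username: str
    role: str


def make_users() -> dict:
    """Constructed in-memory user store standing in for the app's database."""
    return {
        "alice": User("alice", "admin"),
        "bob": User("bob", "editor"),
        "carol": User("carol", "viewer"),
    }


def vulnerable_update_role(users: dict, caller: str, target: str, new_role: str) -> str:
    """Before: applies whatever role the client submitted; the caller's own
    privileges are never consulted, so any authenticated user can promote
    themselves or anyone else."""
    users[target].role = new_role
    return users[target].role


def can(actor: User, action: str) -> bool:
    """Stand-in for the existing authorization framework's permission check."""
    policy = {"admin": {"users:update_role", "users:read"},
              "editor": {"users:read"},
              "viewer": set()}
    return action in policy.get(actor.role, set())


class Forbidden(Exception):
    """Raised when the caller lacks the permission the action requires."""


def hardened_update_role(users: dict, caller: str, target: str, new_role: str) -> str:
    """After: the decision is made server-side from the caller's identity,
    and the submitted value is validated against the known role set."""
    actor = users[caller]
    if not can(actor, "users:update_role"):
        raise Forbidden(f"{caller} may not change user roles")
    if new_role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    users[target].role = new_role
    return users[target].role
```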

We write for our audience. Our executive summaries focus on business risk and fix priorities. Our attack path narrative tells the story of how the assessment was executed, and all findings include the level of detail your developers need to understand and fix issues. 

Partnership Over Transactions 

Good penetration testing feels like establishing a partnership with a security professional rather than buying a commodity service. We remain invested in improving your security beyond just completing our contracted work. 

This kind of partnership shows up in practical ways: no surprise costs for final deliverables, including the report and customer-facing attestation letter; retesting of all originally identified findings; responsive communication during fix efforts; and willingness to clarify findings or provide additional context as needed. 

We value keeping pricing transparent, contracting smooth, and expectations clear in statements of work. We conduct meaningful close-out calls that review findings, discuss fix priorities, and provide guidance for future security work. 

We stay honest about what we can and cannot accomplish within the project scope and timeline. Most importantly, we won't oversell capabilities or make unrealistic promises about finding guaranteed vulnerabilities. 

Beyond Standard Checklists 

Everyone tests against OWASP Top 10 and everyone follows established methods. The difference lies in how these frameworks are applied to your situation. 

We use the latest revision of the OWASP Web Security Testing Guide and other frameworks to understand how each test case applies to your business, while customizing our approach based on your technology setup, threat model, and business requirements. 

When discussing findings, we connect vulnerabilities to your business operations, explaining how an attacker might use discovered issues within your specific environment and business model, and then provide remediation tips that fit within your development practices and operational constraints. 

What Quality Means in Practice 

The pen testing market has become commoditized, meaning many organizations select providers based mainly on cost and basic compliance with RFP requirements. This approach doesn't serve anyone well. Clients gain minimal value, and skilled security professionals get reduced to running automated tools and generating template reports. 

Rather than applying a blanket approach, we treat each project as unique, spending time understanding your needs and delivering insights that go beyond basic vulnerability identification. We know that our job involves improving your security through strategic guidance and business-aware recommendations. 

When choosing penetration testing providers, focus on their approach to understanding your business context, their process for contextual risk assessment, the quality of their communication practices, and their track record of delivering actionable insights. 

Ask about their method for tailoring assessments to business needs, how they handle risk rating in context, and what their typical client feedback covers. Look for transparency in pricing and contracting. Understand what's included in the base project and what might cost extra. 

Choosing a Pen Test Partner Who Prioritizes Quality 

"Quality above all" means we focus on what matters to your business. We make the effort to understand your environment. We pride ourselves on communicating clearly. We provide actionable recommendations. We recognize that good security assessment work requires understanding your business context and constraints. 

Quality pen testing provides strategic value, contextual assessment, collaborative engagement, and business-focused insights. The goal involves finding a partner who will provide valuable security insights within your business context and constraints. 

When you work with us, you get more than a vendor. You get a security partner who understands your business and helps you make informed decisions about security risk beyond your pen test findings. That includes guiding you through your future compliance journey with SOC 2, ISO, PCI, HIPAA, HITRUST, FedRAMP, and much more. Contact us or fill out our penetration testing scoping questionnaire today to learn more. 


About Josh Tomkiel

Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.