Nightmare Experience With Redbot Security / Penetration Test
I’m fairly new to my company, and recently my boss had a pentest performed. He searched for a pentesting company on Google, and one of the first selections that came up was “Redbot Security.”
I had never really heard of them, and at the time I didn’t have a say in his choice or even know he was choosing a company for a pentest. I guess at first glance to my boss, Redbot Security seemed like a legitimate pentesting company, but what I found out was quite concerning.
So the first page on Google had this company, but the site was just a blog post about the best / top-rated pentest company, and of course it was Redbot Security’s own blog post. (Red flag.)
Looking at this post, I realized that it was just a blog post stuffed with every imaginable keyword related to penetration testing, etc. For example, “Important Penetration Testing Checklist when searching for the Best Penetration Testing Company for your Project.”
I also realized, now after getting various Statement of Work (SOW) documents and quotes from other companies, that Redbot uses a lot of wording from other companies. For example, when they describe their toolsets in their “Redbot Security Featured Penetration Testing Services: Internal Penetration Testing,” it was a word-for-word copy of Rapid7’s wording about what tools they use. Weird?
I also found that they don’t have a giant pentesting team like the manager claimed on the phone.
The results? A pentest report full of false positives and, worse, they didn’t catch the actual vulnerabilities that were there. When I brought this to the attention of the owner, he threatened us with legal action for mentioning it to anyone. Crazy stuff and a hard lesson learned.