Terrible Penetration Testing Companies
Apr 27, 2022
I usually just read articles but never post but I felt like I had to on this one about this scam/poser of a company called redbot security. I'm fairly new to my company and recently, my boss had a pentest performed and he searched for a pentesting company on Google and one of the first selections that came up was "redbot security." Never really heard of them and at the time, I didn't have a say in his choice or even knew he was choosing a company for a pentest. I guess at first glance to my boss, Redbot Security seemed like a legitimate pentesting company but what I found out was quite concerning.

So the first page on Google had this company, but the site was just a blog post about the best / top-rated pentest company and, of course, it was Redbot Security's own blog post. (red flag)

How original. Looking at this post, I realized that it was just a blog post with every imaginable keyword related to penetration testing, etc. For example, "Important Penetration Testing Checklist when searching for the Best Penetration Testing Company for your Project." I also realized, now after getting various Statement of Work (SOW) documents and quotes from other companies, that Redbot uses a lot of wording from other companies. For example, when they describe their toolsets in their "Redbot Security Featured Penetration Testing Services: Internal Penetration Testing", it was a word-for-word copy of Rapid7's wording about what tools they use. Weird?

Ok, so looking further, their blog post is about their certifications? Looks like they just listed every type they could find, and some aren't even certs. What about their LinkedIn? Well, come to find out, just a few real profiles, and for pentesters, ALL FAKE. For example:

Security Solutions Architect at Redbot Security

Sr. Cyber Security Consultant at Redbot Security

Engineering Group - Private-Redbot Security

Pentester Group at Redbot Security

All of the above are "private" but with a little magic with LinkedIn and Google, I can see what their profiles are or who is in the groups and guess what? All bogus.

Yea, these are fake profiles. So then I started using LinkedIn more and got some odd/interesting facts when doing some reverse image searches and searches about these people, including ones that did work for them. Well, for one, the only pentester I saw wasn't even an employee with Redbot; he works elsewhere and seems to only be a contractor for Redbot Security. There is a female who works at a different company and only seems to be a contractor with them. Odd, because on the phone they made it sound like they had 20 or 30 people on their pentesting team.

Seems that they wanted to hide how small they are. Then, if that wasn't enough, I thought, "hey, maybe we'll get a good pentest still." NOPE. Nothing. They did a web app pentest for us after charging top dollar, and guess what they found. Tons of things. How many of those things were real? Zero. All false positives. Looks like they just ran an automated scan, and not even a good one, and we got this giant scan output that they called a report. Then, worse yet, we later got compromised because they told us everything was good-to-go. And to think we were charged top dollar by these clowns.

What a bunch of scammers. I'm itching to just call them up and ask for a copy of all of the certs they listed, just to watch them spin in circles over it. And think about this: they say they "specialize" in OT/SCADA networks for energy companies. No wonder they are getting hacked.