Founder's Note

Good Pentesters Lose Clients Too

By David Mockler · April 16, 2026 · 5 min read

TL;DR

Most pentesters assume they lose clients because of price, competition, or bad luck. The real reason is simpler and more fixable: clients can't see how good you are. ScopeProof is building the data layer that changes that — and we're trying to prove it.

I've been on both sides of this.

I've been the client who got a bad pentest and had to fight to get a refund and a do-over with a different firm. I've also been the pentester on the other side — doing good work, genuinely caring about coverage, and still watching clients drift away.

This post is about the second one. Because it's the problem nobody talks about.

The Slack update problem

When I worked as a pentester, some clients would ask for an end-of-day Slack update. What did you test today? Find anything new?

It makes sense. They're spending real money and they want to know something is happening. So we'd send a message. "Tested the authentication flows, moved on to the API endpoints, flagged something interesting in the session handling."

Here's the thing though — I could have sent that message without doing a single thing all day.

I could have opened Burp, looked at it for ten minutes, and typed the same update. Nothing in that Slack message proved I tested anything. It was a trust exercise dressed up as a status report. The client felt informed. They weren't.

Now, sometimes we were on the client's VPN. So technically they could verify. They could pull the logs, cross-reference the traffic, and confirm that yes, David was actually hitting those endpoints he mentioned.

But think about what that actually means. You've just paid a firm to run a pentest, and now your team has to audit the auditors. You're spending internal engineering time verifying that your vendor is doing the job you hired them to do. That's not a solution — that's the problem wearing a different hat. The burden of proof got shifted onto the client, which is exactly where it shouldn't be.

Verification shouldn't be the client's job. It shouldn't require VPN logs and a technical team member willing to wade through them. It should come with the engagement, automatically, as a byproduct of the work itself.

That's the gap ScopeProof closes.

The 500-page report nobody asked for

Clients who wanted more transparency usually got one of two things.

Either a vague methodology section that said something like "testing was conducted in alignment with OWASP Top 10" — which tells you almost nothing about actual coverage. Or, if they pushed harder, an appendix. Weird bugs, anomalies, things that caught our attention but didn't rise to a finding. The stuff that itched that part of your brain but couldn't be written up as a vulnerability.

We tried to give clients the fuller picture. We genuinely did.

But nobody was asking for a raw dump of Burp Suite traffic. If we included every HTTP request from a two-week engagement the report would be 500 pages, 99% of it unreadable to anyone without a deep technical background, and it would take us three times as long to produce. That's not a report. That's a liability.

So clients got the summary. The highlights. The findings list. And somewhere between the actual testing and the PDF that landed in their inbox, all the proof of work disappeared.

The dirty secret of pentesting

A great pentest and a mediocre pentest produce roughly the same artifact.

Maybe yours has better findings. Cleaner PoCs. More thorough coverage. But from where the client sits — a CTO who skimmed the executive summary, a compliance officer who filed it away for the auditors — it's the same document. Pages of technical detail they don't have the background to evaluate.

So how do they decide who to hire next year? The same way they decided the first time. Referrals. Price. Who they already know.

Your three days on that API nobody asked you to look at? Gone. Your 94% coverage when the contract only required 70%? Invisible. The finding you caught that three other firms missed? Buried in a PDF that's already been archived.

Good pentesters lose clients because the evidence that makes them good never survives delivery.

This is a data problem, not a fairness problem

I'm not complaining that clients don't appreciate good work. The point is there's no mechanism for good work to be visible in the first place.

No verified track record. No way for a client to see that one firm averaged 89% scope coverage across their last ten engagements and another averaged 61%. No way to see who actually finds critical vulnerabilities versus who writes up the same OWASP list every single time.

So good pentesters compete on the same playing field as mediocre ones. And then they wonder why retention is hard.

What we're building — and what we're trying to prove

ScopeProof captures real testing activity at the request level, automatically, as you test. Not a Slack update you typed. Not a methodology paragraph you copy-pasted. Actual coverage data — which endpoints were hit, how deeply, with what tools — tied directly to the findings that came out of them.

But there's a hypothesis underneath that we haven't talked about publicly yet: we think transparency directly drives retention.

Pentesters whose clients can see their coverage data, track their methodology over time, and watch their security posture improve engagement over engagement — we believe those pentesters keep clients significantly longer than those who deliver a PDF and go quiet.

We don't have the numbers to prove it yet. We're building the instrumentation to measure it right now. But the mechanism makes sense: a client who can see the work isn't taking it on faith anymore. And a pentester with a verified track record has something no competitor can take away.

One more thing we're thinking about

Some clients rotate pentest vendors on a schedule. Every two or three years, regardless of the quality of the relationship. Sometimes it's policy. Sometimes it's the belief that fresh eyes find more.

We think ScopeProof changes that calculation.

Once a client has a workspace with real coverage data — trends over time, scope compliance scores, verified proof of every engagement — switching vendors doesn't just mean changing suppliers. It means starting from zero. New firm, blank workspace, no baseline, no history.

And when the new firm delivers a PDF with twelve findings and no coverage data, no trend lines, no proof of anything — we think clients come back. Not because they're locked in. Because they've seen what proof actually looks like, and a summary document doesn't cut it anymore.

We haven't proven this yet. It's part of the hypothesis. And we're building the data to find out.

If you're a good pentester, this is built for you

Bad actors in this industry will avoid transparency instinctively. That's fine — they're not who we're building for.

We're building for the pentesters already doing great work who just can't prove it. The ones sending Slack updates they know are unverifiable. The ones on a client's VPN knowing the client could check but shouldn't have to. The ones writing appendices trying to give clients something more. The ones losing clients they should have kept.

If that's you — we'd love to have you involved early. Not just as a user, but as part of proving the hypothesis. The pentesters who join now are the ones whose data will tell us whether we're right.
