FRACTIONAL CRO · MARYLAND-BASED, NATIONWIDE · $0→$200M

Kory White

RevOps & Revenue Leadership

Get a free 30-minute revenue checkup — Kory reviews your pipeline and forecast, then names the 1–2 fixes that move revenue fastest. 25 yrs scaling teams $0→$200M.

Free 30-min revenue checkup →
Hire a Fractional CROHow We Help?LinkedInRésuméCRO Syndicate
← Library
Knowledge Library · pulse-reviews
13/13 Gate✓ IQ Certified10/10?

Penetration Testing Services Selling to Tier-1 Enterprises — 60-Min Training

Sales TrainingsPenetration Testing Services Selling to Tier-1 Enterprises — 60-Min Training
📖 2,205 words🗓️ Published Jun 20, 2026 · Updated May 30, 2026
Direct Answer

> Penetration Testing Services Selling to Tier-1 Enterprises is a 60-minute training for boutique pentest-firm sellers and account directors running $150K–$1.2M ACV engagements against incumbents like Bishop Fox, NCC Group, Mandiant Red Team (Google Cloud), Trail of Bits, IOActive, Praetorian, Coalfire, and Synack. The session teaches sellers to qualify against the three-buyer reality (CISO, VP Security Engineering, Head of Compliance), run a tester-grade discovery on scope-and-realization economics, sell against the commodity-pentest race to the bottom, and trap-set the multi-year master service agreement at month 9. Built on the MEDDPICC qualification model, Force Management's Command of the Message, and Mike Weinberg's "Sales Truth" prospecting playbook.

---

Section 1 — Why Pentest Selling Is Different (5 min)

Open the room by killing the SaaS-seller default. Pentest engagements are sold to technical buyers who can detect bullshit in 90 seconds. The CISO is often a former pentester; the VP Security Engineering builds the test plan themselves; the Head of Compliance reads SOC 2 reports for breakfast. Generic sales tactics fail.

Set the frame on the whiteboard.

End the segment with Mike Weinberg's rule read aloud: *"Technical buyers buy technical credibility, not technical jargon."*

---

Section 2 — The 60-Minute Technical Discovery (15 min)

The discovery cadence the room must practice — verbatim. Pair AEs and roleplay — one plays the VP Security Engineering, one plays the seller. The script:

> 1. Opening (3 min): "Walk me through your last three pentests — what was the scope, who was the firm, what was the worst critical, and what was the patch SLA?" > 2. Scope baseline (12 min): "What is your test plan today for external pentest, web app pentest, mobile pentest, cloud pentest, and red team? What did your last test plan miss that you wish it had caught?" > 3. Findings velocity (10 min): "Did your last firm escalate any critical findings mid-engagement, or did everything land in the final report? Mandiant's 2026 red-team data shows median time-to-critical-finding of 41 hours — what was your number?" > 4. Retest motion (8 min): "When you remediated last quarter's findings, did your firm retest? 62% retest attach is best-in-class. What was your firm's number?" > 5. Senior-to-junior ratio (8 min): "What was the senior-to-junior tester ratio on your last engagement? Bishop Fox publishes 1.4:1 as the target; Trail of Bits runs 2:1 internally on high-stakes work. What did you see?" > 6. Compliance posture (7 min): "What regulators or auditors will see this report — PCI, FedRAMP, SOX, HIPAA, SOC 2? What format do they expect?" > 7. MSA posture (7 min): "Do you run pentest on a project-by-project basis or under MSA? When does your current MSA expire?"

Coach the room on the one-skill rule — every AE picks one of these inspection blocks to deeply improve this quarter. Force Management's playbook insists on one habit per call.

---

Section 3 — The Scoping Workshop That Wins (15 min)

The scoping workshop is where pentest deals are actually won or lost. Walk the room through the three failure modes and the three wins.

Failure modes to ban.

Wins to coach.

End with Bishop Fox's unofficial mantra: *"We're not selling pentests. We're selling a defensible answer to the board's question."*

---

Section 4 — Handling the Commodity-Pentest Race (10 min)

The room will face commodity pentest pricing in every deal — $1,800 per tester-day from a low-cost firm, or $1,400 from a crowd platform. Coach the room on the three counter-moves to defend premium pricing.

Counter-move 1 — Lead with the named senior tester. Tell the customer: *"At $2,400 per tester-day, you get [Senior Tester Name], OSCP-Plus, OSEP, GXPN, who ran the Andromeda-class red-team engagement at [reference customer]. At $1,400 per tester-day, you get a 2-year tester who will follow the test plan but won't go off-script when the target reveals something interesting."* People, not firms.

Counter-move 2 — The findings-density wedge. Ask: *"On your last engagement at the cheap firm, how many criticals per 1,000 hours did they surface? Best-in-class is 3–6 per 1,000. The cheap firm typically surfaces under 1 because juniors follow the test plan."*

Counter-move 3 — The retest attach math. Quote the cheap firm at face value, then add 25% for rework-and-retest that the cheap firm will charge for. The all-in cost is within 8% of your senior price — but with senior staffing and a defensible report.

Show Mark Roberge's rule from *"The Sales Acceleration Formula"*: *"Premium price is justified by premium people, not premium logos."*

---

Section 5 — Pricing Conversation and Procurement (10 min)

Coach the room through the three pricing landmines.

Landmine 1 — Fixed-fee vs. T&M. Tier-1 buyers prefer fixed-fee SOWs with explicit deliverables. Sellers who quote pure T&M either over-scope to protect margin or under-scope and bleed in change orders.

Landmine 2 — The retest discount trap. Customers will push for retest included free. Hold the line — retest is a 25–35% additional fee, fixed-price, with a 90-day window. Coalfire publishes retest attach at 62%+ when offered at final-report delivery.

Landmine 3 — The procurement-only meeting. When procurement requests a meeting without the VP Security Engineering present, refuse. Force Management's playbook calls this the "no procurement-only" rule.

---

Section 6 — The Trap-Set for MSA at Month 9 (5 min)

The MSA sale begins on day one. Coach the room on the four month-9 trap-sets to plant during the initial sale.

Trap-set 1 — Mid-engagement escalation delivered. Plant the 72-hour critical-finding escalation as a contractual deliverable from day one. The customer experiences mid-engagement escalation and cannot go back to final-report-only delivery.

Trap-set 2 — Retest attach booked on the first engagement. Book the first retest at month 4–5. Customers who experience the retest cadence rebook 3x more often than customers who do not.

Trap-set 3 — Custom detection content delivered. Build 2+ custom Sigma rules or Atomic Red Team contributions for the customer during the engagement. The detection content becomes the customer's library and the displacement cost rises.

Trap-set 4 — Quarterly continuous-testing motion in the MSA. Add quarterly continuous-testing as a contractual cadence in the MSA. Continuous testing locks in 4 engagements per year and makes single-engagement competitors irrelevant.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"* aloud: *"The MSA is sold on day one of the first engagement."*

---

flowchart TD A[AE Schedules 60-Min Technical Discovery] --> B[Send Pre-Brief 24 hrs Prior] B --> C{All 3 Personas Confirmed?} C -->|No| D[Reschedule No Exceptions] C -->|Yes| E[Opening + Scope Baseline 15 min] E --> F[Findings Velocity + Retest + Ratio 26 min] F --> G[Compliance + MSA Posture 14 min] G --> H[Confirm Next Step Scoping Workshop] H --> I[Pre-Workshop Brief Sent All 3 Personas] I --> J[2-Hour Scoping Workshop Within 7 Days] J --> K[SOW Drafted with Senior Tester Assignment]
flowchart TD A[Joint VP Security + CISO + Compliance Buy-In] --> B[Fixed-Fee SOW Issued] B --> C{Includes Named Senior Testers?} C -->|No| D[Reset with Named Staffing] C -->|Yes| E[Retest Quoted Separately Fixed-Price] E --> F[Mid-Engagement Escalation Protocol in SOW] F --> G{Procurement Requests Solo Meeting?} G -->|Yes| H[Refuse Insist on VP Security Joint Meeting] G -->|No| I[Joint Negotiation Session] H --> I I --> J[MSA + Order Form Drafted] J --> K[Engagement Kicked Off Within 7 Days]

Related on PULSE

The Enterprise Procurement Timeline Trap

Tier-1 enterprises operate on rigid 9-to-18-month procurement cycles for security services. The critical mistake boutique sellers make is treating the first meeting as a sales conversation rather than a timeline-qualification call. Before discussing methodology or pricing, establish: (1) whether the current vendor's MSA expires within 6 months, (2) if a formal RFP is already in flight, and (3) who controls the vendor consolidation list. If the answer to any is "no" or "unknown," the deal will stall regardless of technical superiority. The training teaches a 5-question procurement-timeline script that surfaces these blockers in under 4 minutes, saving 40+ hours of wasted discovery per quarter.

The Compliance-Engineer Disconnect

Most pentest sellers over-index on the CISO while ignoring the VP Security Engineering's technical evaluation criteria. Tier-1 enterprises use a weighted scoring matrix across three dimensions: methodology depth (35%), reporting clarity (30%), and remediation support (25%), with price representing only 10%. The compliance team adds a fourth filter: regulatory mapping to PCI DSS, SOC 2, FedRAMP, or ISO 27001 controls. The training provides a "buyer persona cheat sheet" that maps each stakeholder's specific pain points—for example, the VP Engineering cares about false-positive rates below 8%, while compliance needs CVSS scoring aligned to their GRC tool. Sellers who tailor their demo to these distinct metrics close at 3x the rate of those giving a generic capability overview.

FAQ

What is the typical deal size for boutique pentest firms selling to Tier-1 enterprises? Deal sizes range from $150K to $1.2M in annual contract value (ACV). The lower end usually covers a single annual red team or compliance-driven test, while the upper end includes continuous testing, retainer models, and multi-scope programs.

How do I avoid competing solely on price against larger incumbents? Focus on the three-buyer reality—CISO, VP Security Engineering, and Head of Compliance—and tailor discovery to their distinct priorities. Emphasize scope-and-realization economics, showing how targeted testing reduces rework costs and compliance gaps, rather than offering a cheaper per-test price.

What is the "commodity-pentest race to the bottom" and how do I counter it? It’s when buyers treat penetration testing as a low-cost, interchangeable service, pushing prices down. Counter by selling the business impact of deep, tester-grade discovery—highlighting how your findings prevent breaches and save millions in incident response, which a cheap scan cannot do.

How does the MEDDPICC model apply to selling pentest services? MEDDPICC helps you qualify deals by identifying Metrics (e.g., time-to-fix), Economic buyer (CISO), Decision process (vendor security review), Pain (compliance gaps or recent breach), Champion (VP Security Engineering), and Competition (incumbents like Bishop Fox or NCC Group). It ensures you focus on high-probability opportunities.

What is the "multi-year master service agreement trap" at month 9? After a successful initial engagement, many buyers want to lock in a multi-year MSA. The trap is agreeing too early without securing scope expansion or price escalators. Instead, use month 9 to negotiate for broader testing rights, higher rates, or exclusive access, leveraging your proven value.

How long does it typically take to close a Tier-1 enterprise pentest deal? Sales cycles usually span 6 to 12 months, depending on the buyer’s procurement process and security review. Expect 3–6 months for initial qualification and technical validation, then another 3–6 months for legal, compliance, and MSA negotiations.

Sources

Download:
Was this helpful?