The complaints I have heard are similar to the big 4.
Many go to them, they see awesome resumes. They also see very large costs. Then the customer finds he doesn't get the A-team, but the F-Team, due to 'unprecedented demand'.
That's a line every consultancy that ever had to compete with another consultancy has told at least one client. But the truth is, for the overwhelming majority of application software, and particularly for any software that would procure a pentest through a market like this, the Bishop Fox "F-Team" is perfectly up to the task and far more reliable than a talented rando.
The software pentesters with gold-plated resumes do high-value targets (because there are more high-value targets than there are pentesters to service them). Google is not going to source Google Mail pentesters on DICE. Adobe doesn't source pentesters for Reader on DICE. Microsoft doesn't source pentesters for SCHANNEL.DLL on DICE. Apple doesn't source pentesters for the iPhone bootloader on DICE. That's where the A-Team ends up.
What transparency are you adding here?
If the argument behind this was, "we're going to drive down the price of pentesting", that would be a coherent pitch, although I'd still want to hear how you expect this service will do that; again, the market is supply-constrained.
The transparency of who actually is good. The talent in companies ebbs and flows and the scores will reflect the work they are doing now, not what they did in their best or worst days.
There are many boutique companies that are excellent, but don't have a fair share of the market.
Companies that are 'all things to all men' tend to have quality issues over time... like the big security giants of the last decade. Eventually people get tired of it and look for specialists. That's where this will help.
Help me understand how what you're doing allows me to spot which Bishop Fox testers are "actually good"?
I'm not talking about "big security giants" like IBM and Deloitte. I'm talking about boutique application security firms that do little other than test software. They're already specialized.
Many go to them, they see awesome resumes. They also see very large costs. Then the customer finds he doesn't get the A-team, but the F-Team, due to 'unprecedented demand'.
This is about making the process transparent.