CMMC Penetration Testing Providers

Cybersecurity Maturity Model Certification · North America

CMMC is the US Department of Defense cybersecurity framework that requires defence contractors and their supply chain to demonstrate cybersecurity maturity at specified levels. CMMC 2.0 establishes three levels of cybersecurity maturity, with Level 2 and Level 3 requiring organisations to implement NIST SP 800-171 and NIST SP 800-172 controls respectively.

Penetration testing is relevant across multiple CMMC practice areas, including security assessment (CA.L2-3.12.1), which requires periodic assessment of security controls to determine whether the controls are effective. At Level 3, organisations handling the most sensitive Controlled Unclassified Information (CUI) face enhanced security requirements that include advanced testing practices.

Achieving CMMC certification is mandatory for organisations bidding on DoD contracts that involve CUI, making it essential for the US defence industrial base. Regular penetration testing helps organisations validate their security controls, identify gaps in their implementation of NIST 800-171 requirements, and prepare for CMMC assessments by Certified Third Party Assessment Organisations (C3PAOs).

Particularly relevant for Defense pen testing providers.

15 providers
Mandiant
Badges: APT Intelligence Leader · TIBER-EU Specialist · CBEST Testing · Google Cloud Security · Nation-State Emulation
World-renowned cybersecurity firm now part of Google Cloud, delivering threat intelligence-led penetration testing and red teaming informed by front-line incident response experience.
Location: Reston, Virginia, United States · Contact for pricing
Services: Red Teaming, Purple Teaming, Network, +6 more
Credentials: SOC 2, ISO 27001, FedRAMP 3PAO
Verified Feb 2026

TrustedSec
Offensive security firm founded by former NSA operator David Kennedy, delivering CREST-accredited penetration testing, red teaming, and adversary simulation to Fortune 500 and government clients.
Location: Fairlawn, Ohio, United States · Contact for pricing
Services: Web Application, Network, Cloud, +8 more
Credentials: CREST, PCI QSA
Verified Mar 2026

Coalfire
Badges: FedRAMP 3PAO · PCI QSA · HITRUST Assessor · Cloud Compliance Leaders · Top US Provider
Compliance-focused cybersecurity advisory firm and FedRAMP 3PAO specialising in penetration testing that meets stringent regulatory requirements.
Location: Westminster, Colorado, United States · Contact for pricing
Services: Web Application, Network, Cloud, +5 more
Credentials: SOC 2, FedRAMP 3PAO, PCI QSA, +1 more
Verified Feb 2026

GuidePoint Security
Badges: Top US Provider · FedRAMP 3PAO · PCI QSA · HITRUST Assessor · Enterprise Scale
US-headquartered cybersecurity consultancy with 800+ employees, serving ~40% of the Fortune 500. Holds FedRAMP 3PAO, PCI QSA, and HITRUST accreditations.
Location: Reston, United States · Contact for pricing
Services: Web Application, Network, Mobile App, +12 more
Credentials: FedRAMP 3PAO, PCI QSA, SOC 2, +1 more

Thales Cyber Solutions
Badges: Global Defence Player · ANSSI-Qualified · NATO-Cleared · FedRAMP 3PAO · TIBER-EU Specialist
Cybersecurity division of the Thales Group, with ANSSI, CREST, FedRAMP 3PAO, and NATO-cleared personnel. Defence, government, and critical infrastructure penetration testing worldwide.
Location: Paris, France · Contact for pricing
Services: Web Application, Network, Cloud, +9 more
Credentials: CREST, FedRAMP 3PAO, ISO 27001, +1 more

Tevora
CREST-accredited California consultancy blending compliance expertise with penetration testing. First to earn ISO 17020 for the MITRE ATT&CK and PTES frameworks.
Location: Irvine, California, United States · Contact for pricing
Services: Web Application, Network, Cloud, +6 more
Credentials: CREST, ISO 27001, PCI QSA
Verified Mar 2026

Black Hills Information Security
Community-driven penetration testing firm known for free security education, open-source tools, Wild West Hackin' Fest, and practical offensive security services.
Location: Spearfish, South Dakota, United States · Contact for pricing
Services: Network, Web Application, Social Engineering, +5 more
Credentials: SOC 2
Verified Feb 2026

Schellman
Badges: Top US Compliance Assessor · FedRAMP 3PAO · PCI QSA · HITRUST Assessor · CPA-Attested
The largest CPA-firm-based cybersecurity assessor in the US. Unique in holding FedRAMP 3PAO, PCI QSA, HITRUST, ISO 27001, and SOC attestation authority simultaneously.
Location: Tampa, United States · Contact for pricing
Services: Web Application, Network, Cloud, +5 more
Credentials: FedRAMP 3PAO, PCI QSA, SOC 2, +2 more

CrowdStrike
Global cybersecurity leader leveraging world-class threat intelligence from the Falcon platform to deliver intelligence-led penetration testing and red teaming.
Location: Austin, Texas, United States · Contact for pricing
Services: Red Teaming, Network, Web Application, +5 more
Credentials: SOC 2, ISO 27001
Verified Feb 2026

SpecterOps
Adversary-focused security firm created by former DoD red team operators. Creators of BloodHound. CREST-accredited for penetration testing, red teaming, and purple team assessments.
Location: Alexandria, Virginia, United States · Contact for pricing
Services: Network, Red Teaming, Purple Teaming, +4 more
Credentials: CREST
Verified Mar 2026

Praetorian
Badges: Top US Provider · DoD/IC Heritage · Chariot ASM · Exploit Validation · Elite Red Team
Offensive security firm founded by former DoD professionals. Combines deep offensive testing with the Chariot attack surface management platform and its exploit validation engine.
Location: Austin, Texas, United States · Contact for pricing
Services: Web Application, Network, Cloud, +7 more
Credentials: SOC 2
Verified Feb 2026

Synack
Badges: Editor's Pick (Crowdsourced) · PTaaS Pioneer · FedRAMP 3PAO · AI-Augmented Testing · Vetted Researcher Network
FedRAMP-authorised crowdsourced penetration testing platform combining the vetted SRT researcher community with AI-powered Hydra technology for continuous security testing.
Location: Redwood City, California, United States · Contact for pricing
Services: Web Application, Network, API, +4 more
Credentials: FedRAMP 3PAO, SOC 2
Verified Feb 2026

CMMC FAQs

Does CMMC require penetration testing?

CMMC Level 2 requires security assessments that include testing of security controls. While penetration testing is not explicitly named, it is the most effective way to validate that technical security controls are working as intended.

What CMMC level do most contractors need?

Most DoD contractors handling CUI will need CMMC Level 2, which requires implementation of 110 NIST SP 800-171 controls. Level 3 is required for the most sensitive programmes.

How does pen testing help prepare for CMMC assessment?

Penetration testing identifies gaps in security control implementation, validates that controls are effective, and provides evidence of mature security practices that support a successful CMMC assessment.