FedRAMP Penetration Testing Providers
Federal Risk and Authorization Management Program · North America
FedRAMP is the US federal government programme that provides a standardised approach to security authorisation for cloud service providers (CSPs). Cloud providers seeking to offer services to federal agencies must achieve FedRAMP authorisation, which requires rigorous security assessment including penetration testing.
FedRAMP requires annual penetration testing as part of the continuous monitoring programme, with testing conducted by an accredited Third Party Assessment Organisation (3PAO). Penetration testing must cover the cloud service offering's external and internal networks, web applications, and API endpoints. FedRAMP testing requirements are based on NIST SP 800-53 controls and follow the FedRAMP Penetration Test Guidance, which specifies attack scenarios, testing methodology, and reporting requirements.
The programme has three impact levels (Low, Moderate, High) with increasingly stringent testing requirements at each level. Achieving FedRAMP authorisation is essential for CSPs that want to serve the federal government market, which represents a significant revenue opportunity. The programme's rigorous security requirements also provide confidence to commercial customers about a provider's security posture.
Particularly relevant for government pen testing providers.
Mandiant
World-renowned cybersecurity firm now part of Google Cloud, delivering threat intelligence-led penetration testing and red teaming informed by front-line incident response experience.
Coalfire
Compliance-focused cybersecurity advisory firm and FedRAMP 3PAO specializing in penetration testing that meets stringent regulatory requirements.
GuidePoint Security
US-headquartered cybersecurity consultancy with 800+ employees, serving ~40% of the Fortune 500. FedRAMP 3PAO, PCI QSA, and HITRUST accreditations.
Thales Cyber Solutions
Cybersecurity division of the Thales Group, with ANSSI, CREST, FedRAMP 3PAO, and NATO-cleared personnel. Defence, government, and critical infrastructure penetration testing worldwide.
HackerOne
World's largest ethical hacker platform with over one million researchers, offering bug bounties and structured penetration testing to the US DoD and Fortune 500.
Tevora
CREST-accredited California consultancy blending compliance expertise with penetration testing. First to earn ISO 17020 for MITRE ATT&CK and PTES frameworks.
Schellman
The largest CPA-firm-based cybersecurity assessor in the US. Unique in holding FedRAMP 3PAO, PCI QSA, HITRUST, ISO 27001, and SOC attestation authority simultaneously.
CrowdStrike
Global cybersecurity leader leveraging world-class threat intelligence from the Falcon platform to deliver intelligence-led penetration testing and red teaming.
SpecterOps
Adversary-focused security firm created by former DoD red team operators. Creators of BloodHound. CREST-accredited for penetration testing, red teaming, and purple team assessments.
Praetorian
Offensive security firm founded by former DoD professionals. Combines deep offensive testing with the Chariot attack surface management platform and its Exploit validation engine.
Synack
FedRAMP-authorized crowdsourced penetration testing platform combining the vetted SRT researcher community with AI-powered Hydra technology for continuous security testing.
FedRAMP FAQs
Who performs FedRAMP penetration testing?
FedRAMP pen testing must be performed by an accredited 3PAO (Third Party Assessment Organisation) as part of the initial assessment and annual reassessment.
What does FedRAMP pen testing cover?
Testing covers the cloud service offering's network infrastructure, web applications, API endpoints, and administrative interfaces. Testing must include both external and internal perspectives.
How often is FedRAMP pen testing required?
Annual penetration testing is required as part of the continuous monitoring programme, with additional testing required after significant changes to the cloud service offering.