Why You Shouldn’t Trust “Top 10 Cybersecurity Companies” Lists

  • Writer: Demyd Maiornykov
  • May 3
  • 5 min read

Updated: 2 days ago

What motivated me (Demyd) to do this research?

I was reading Ross Anderson’s Security Engineering, and somewhere between the chapters on system failures and risk models, I came across a concept from economics: Information Asymmetry.

When one party in a transaction knows more than the other.

Simple idea. Huge consequences.


It got me thinking: What happens when security vendors know a lot more than their buyers?


Spoiler: buyers often choose poorly. Not because they’re reckless—but because the market makes it hard to tell good from bad.


The cost of a bad pick isn’t just wasted budget.


It’s regulatory fines, data exposure, lost trust—and a boardroom nightmare.


That’s a textbook case of adverse selection.


And it’s everywhere.


So, I opened Google and searched:


“Top penetration testing companies”


Here’s what I saw:


Sponsored pages show up first, as always.


This is getting interesting.


You probably know what I’m about to say. But let’s break it down anyway.


What You’ll Find on Google’s First Page


Let’s categorize what shows up when you search for “Top Cybersecurity Companies”:


  1. Ads – Obvious. Paid placement.

  2. Peer Review Platforms – Seem legit, but…

  3. SEO Blogs from Vendors – More on that in a sec.

  4. Reddit/Forums – Rare gems. Often buried.


Let’s dive into the two most subtle sources of information asymmetry.


1. Reddit & Forums

Forums have always been a valuable source of information—they reward contributors and act as a peer platform where people share real experiences.


However, if you’ve ever searched for vendor-related information on forums like Reddit, you know it can take time. Not all replies are relevant, and few directly answer the specific questions you might have about a potential partner.


Another downside is that forums assume you already have some security knowledge, such as what certification abbreviations mean or what type of testing you’re actually looking for.

In short, it’s a hidden gem. But you’ll need to invest time to find it and do your research.

And let’s be honest: most users won’t. They prefer when someone simplifies things with a quick “Top 10” list.


With that said, let’s move to the next category.


2. Peer Review Platforms

The least biased—yet still tricky.


There are many peer review platforms out there, and they often function in similar ways. For this article, I’ll focus on Clutch, since it appeared prominently in the search results.

At first glance, Clutch looks solid.


It gives you access to real client feedback—covering budgets, project scope, industries, strengths, and even areas for improvement.


They also ask thoughtful, in-depth questions like:

“What were the measurable outcomes?”
“What could this vendor improve?”
“Describe the key deliverables.”


On top of that, Clutch has recently rolled out a Credit Score system and a “Premier Verified” label. To be eligible for Premier Verified, a vendor needs to meet several criteria, including receiving a very-low-to-moderate risk credit rating from Creditsafe (their credit score partner).

We went through that ourselves, and it wasn't easy to prove the credit risk.


So what's wrong with Peer Review platforms?

Here’s the catch…


When you land on Clutch’s “Top X” pages via Google, you’re likely seeing a sponsored ranking.


Yes, the vendors listed paid to be placed in those higher positions. It has become practically impossible to get there organically.


If you don’t pay, you don’t show up in the top 10. Period.


So where do you find organic rankings?


For that, you need to go to the Leader Matrix.

(But let’s be honest, most buyers never click that deep.)


Here, we can see the real scores Clutch assigns to each vendor. And interestingly, many of the organizations featured on the sponsored pages don’t even appear in the top 15 of the organic Leader Matrix.


That’s information asymmetry in action.


The best vendors often get overlooked—not because they lack quality, but because they don’t pay for visibility.


3. Vendor Blogs

This is the one I’d be most skeptical about—it’s the most biased and offers the least insight into other vendors.


Or as I like to say: when cybersecurity companies hack SEO instead of systems.


Again, I’m not judging these companies. They’re using the tools that work. I get it.


But I genuinely believe the security industry deserves more transparency.


So, here’s the playbook:

  • Write a blog titled “Top 10 Penetration Testing Companies in 2025”

  • Add your own company in the #1 slot

  • Fill the rest of the list with generic descriptions of others

  • Sprinkle in SEO keywords and backlinks


Security vendors rank themselves #1.


And voilà: first page of Google.


Sounds smart? Maybe.


Is it helpful for buyers? Not at all.


Most of these blogs:


  • Offer zero insight into how vendors actually work

  • Use the same copy-paste language (certified, trusted, enterprise-grade…)

  • Reinforce the illusion of choice—without real comparison

  • Are extremely biased


This is marketing masquerading as objectivity.


But some vendors keep their integrity.

For the sake of objectivity, I’ll still mention one company from the search results: Blaze Information Security.


They also provide a list of companies to consider—but check out the difference in their approach:


  1. Companies are listed in alphabetical order

  2. There’s a clear disclaimer stating it’s not a “Top 10” ranking (see below)

  3. Each vendor’s area of expertise is outlined


Here’s the disclaimer from their page:

This directory aims to be a guide to help you understand what to look for when choosing a penetration testing company and a resource for finding reputable firms that deliver high-quality security assessments. This is not a list of top penetration testing companies; such lists are fake and written by marketing departments with no substance or value. However, you’re likely to get top-notch service from one of the providers in this directory.

This approach clearly took more time and effort—but it results in a far more insightful resource for buyers who genuinely want to make informed decisions.


Anyway, Why Does This Matter?

When buyers can’t tell signal from noise, the market starts rewarding visibility over capability.

That’s adverse selection in action.


So, what can we do?

This isn’t just a vendor problem—it’s a buyer’s dilemma too.

Behavioral economics tells us people take shortcuts.

We don’t want to spend hours researching.

We trust the first page of Google because it’s right there.

But cybersecurity isn’t toothpaste.

You can’t afford to make decisions based on who ranks well.


A Better Way Forward?

First, as vendors, we need to do a better job educating buyers about the industry.


We need more content like what Blaze provides—clear, transparent, and actually helpful.


But I couldn’t help thinking: what if there was a vendor-neutral platform?


One built by experienced security professionals—not marketers.


A place where buyers could:


✅ Actually understand what acronyms like OSCP, ASVS, or OWASP WSTG mean

✅ Compare vendors based on methodology, not messaging

✅ Share context-specific reviews (e.g., “We’re a HealthTech startup under HIPAA”)

Wouldn’t that be something?


Final Thoughts

Back in school, we had media literacy training. One of our tasks was to find reliable information using search engines.


The first thing we were taught?


Check how authoritative and impartial the source is.


Fast forward to today—this skill is more relevant than ever.


Even peer review platforms have their own interests. Promoting certain companies is part of their business model.


And of course, finding the truth is never easy.


It takes time. It takes effort.


Most “Top X” lists are just content marketing in disguise.


They reflect who can pay or optimize—not who can protect.


Security isn’t about who shouts the loudest. It’s about who protects best.


Let’s make it easier for buyers to tell the difference.


The goal isn’t more noise.


It’s better security decisions.



About The Author

Demyd Maiornykov, Co-founder & CEO of Sekurno.


Sekurno is a globally recognised cybersecurity firm specializing in Penetration Testing, Application Security and Compliance. At Sekurno, we dedicate all our efforts to reducing risks to the highest extent, ensuring high-risk industries like HealthTech and FinTech stand resilient against any threat.


Want to know how Sekurno approaches real-world cybersecurity for high-risk industries like HealthTech and FinTech? Read the full SafetyDetectives interview with Demyd Maiornykov for insights on our journey, methodology, and mission to build trust beyond compliance.


Have questions about securing your product or preparing for an audit?

You can contact us by writing to team@sekurno.com or booking a call here.


© 2024 Sekurno. All rights reserved.