We've seen it too often. Your client buys a pentest and you have no idea what the results will yield, or worse, they don't tell you they are having one done. They come to you at the conclusion and let you know that you're not adequately securing their environment, without giving you a chance to defend yourself and explain your side. As the MSP, you should be controlling the narrative here. Maybe some of the "risks" the pentesting team found you already knew about and understand are not real immediate risks. Your client is upset with you and you need to play from behind, trying to explain yourself. I know this because I have been the pentester in this situation. The MSP ended up getting fired.
Instead, as the MSP you should be taking back control of this situation by proactively planning for an independent pentest or risk assessment WITH your client. You should be involved in the scoping, the testing, the status meetings, and the report readout conversations, and ultimately you should be helping explain the results to your client.
These pentests don't have to be a bad thing; they can drive your client to budget for things that you have been telling them they have needed to do for years. But if you're not at the forefront of those conversations, you'll be playing on your heels, and your client will not remember that you told them they needed to update those Windows 7 servers in their quarterly business review in 2019, a full year before it went end of life.
Come with me on a journey to see how a transparent pentest can lead to fantastic results and a more strategic and stronger relationship with your client!