Kroll’s service spans network, web, mobile, cloud and IoT targets, folds in phishing and physical social-engineering, and offers full red-team engagements mapped to MITRE ATT&CK. Manual exploitation and adversary simulation give clients insight that automated scans miss. Most competing test shops do not cover as many attack surfaces.

Kroll’s testing team lists many CREST and OSCP holders with long client track records. Published case studies across finance, healthcare and government show varied skills and manual testing depth. The rating is not 5 because few publicly credited CVE discoveries or major conference talks are linked to these consultants.

Kroll maps tests to PTES and OWASP, blends proprietary scripts with commercial tools, and follows a repeatable process. Reports translate vulnerabilities into business risk and provide clear fixes. The method is structured and tool-rich but stops short of the bespoke exploit development and root-cause depth that would earn the highest mark.

Kroll’s long history in investigations and cybersecurity gives strong name recognition and client trust. Fortune-level customers appear in public case studies and Kroll staff present research at major conferences, with no reported confidentiality breaches. The firm lists fewer recent industry awards for penetration testing than certain niche rivals, so reputation ranks just below the top tier.