The problem
With cyber-attacks rising, customers are required to provide sufficient evidence of due care in cyber security. It is both a legal requirement in a number of regulated industries (government, financial, utilities etc.) and common sense.
Often, security requirements are included in software development contracts (due diligence). But just as a builder should not be trusted to attest to the safety of a public building, software must be tested by an independent agency to check whether the cyber security requirements are indeed implemented (due care).
On top of that, the industry uses a multitude of terms to denote often overlapping cyber security testing services: vulnerability assessments, penetration testing, red-teaming, purple-teaming etc. Quoted prices often differ vastly because they are based on incompatible methodologies, with low prices usually indicating heavy reliance on automated tools with little human verification. Depending on the specific customer's risk profile, that may or may not be an appropriate choice.