Infosec question.
Over the years I've seen various hacked/defaced sites. I can generally clean them up and apply enough "protection" to avoid them getting re-hacked, but I'm no security expert at all.

We work with third-party infosec companies who run scans and give us...

1/a few
They give us a report, and I've come to find most of them give us essentially an OWASP basic definition list after they've run a scan with something like Burp Suite.
I almost feel like they don't actually know shit about securing things; they just run scans and charge...

2/a few
They seem to charge a ton of money for what I feel amounts to them copying/pasting the site URL into a preset tool, taking the "highest" threats and putting them into a PDF, which they then present 2 days later as if they did a bunch of work they can bill for.

3/a few
My question to the #infosec community is then:
How the hell are we "non-security-tech-folk" supposed to know who to trust and which of these companies actually know what they're doing?

4/a few
Lastly, where can we point our clients when they are seeking such services so they don't get ripped off?
I'm not talking large corporations with tons to spend; I'm talking small businesses with small budgets that need some sort of security assistance.

Thank you.

5/the end.
You can follow @ravavyr.