Any recommendations for an outfit that does IT security audits/penetration testing?

For a simple pen test I can recommend DataComm.  They may do a lot more than this but I used them for a simple, affordable scan. For a one time scan of about a dozen IP's it was under a grand.  You get a few reports broken down by vulnerabilities by device and a high level "executive summary" that management likes.  There's not a lot of help as far as how to remedy the vulns though.   Last time I used them I was at a Financial Institution and the testing and results held up to auditors/regulator scrutiny.

Is there a specific regulation that you're auditing against? Network penetration test or something else?

Most of the large technology providers have customer audit & assessment teams, so if you need something simple and already have an account rep with Dell, HP, VMWare, Cisco, etc. I'm sure they would sell you one.

If not, there are plenty of smaller shops that offer more a vulnerability assessment service and provide reports as wintermute described at a very affordable rate depending on the scope.

Aside from the smaller shops option, most of them use "Nessus" or one of the other free scanners maybe slightly modified.

 

True for the most part. My point in recommending a vendor that you already have a contract/agreement with was that you're already stuck together and you have a line to them to get further info/advice on fixing each item, and the realistic risk in your environment. Otherwise you run the risk of just getting handed a report and the line going cold.

If OP is in the situation with a Nervous Nancy, or some regs that have anxious management oversight (PCI, for example), then doing it yourself is not a sound idea. Audits = Compliance = Legal = Better to pay someone else so you can blame them later if they divide by zero. Plus, subject matter experts don't hurt the results.