Here's something no one will tell you. Unless you have circumstances beyond your control that force you to do so, don't buy a pentest in Q4.
Your sales rep isn't going to warn you about this, because Q4 is historically the most lucrative quarter of the year, typically (or so I've been told) around 130-150% of other quarters in terms of revenue.
The rumor mill has it that 2013 will turn out to be a lighter year than 2012 for some assessment teams, with belt-tightening in security spending and revenues down. Q4 is when a struggling practice gets a last-ditch, make-or-break chance to dig its way out of the hole of the last few quarters. Combine that with overworked InfoSec teams that are still remediating last year's findings and aren't ready for their yearly assessments until now, and you've got yourself the perfect storm.
So what does that mean for you as a client? The same thing it means every year.
Pentesters everywhere are double and triple booked, working holidays and weekends, and sales reps and practice managers are banking on nice bonuses in January. Everyone is working toward the goal of a big quarter, doing their best to fatten up before a slow Q1, like bears about to hibernate.
In the 7 years I worked as a pentester, I don't remember a holiday I wasn't sitting up late, running a pen or writing a deliverable, all the way up to New Year's Eve. In that state of exhaustion and overwork, mistakes are made. Quality goes down. It's simply unavoidable. Junior resources are brought in to run projects, interns are promoted, and everyone scrambles to cope with the workload.
None of this is to say you can't get good work in Q4, but you'll need to ride herd on your testing team to get it, and choose your resources carefully. Quality is going to be the exception, not the rule, for many shops.
Having reread the above, let me rephrase my original statement. Go ahead and buy a pentest in Q4; it's a great time to negotiate, and everyone is ready to sell work at a good rate. Just book your start date for Q1, if you can.
Or buy one from us, of course. We don't have interns, or junior resources.