Hi Aman,    You've not give a lot of context here for what you are seeking - external vendor selection / tools to use is largely a decision that fits your overall pen test use case I think.

First off,  please review https://hi.service-now.com/kb_view.do?sysparm_article=KB0718043 as its got a good amount of info and links there in re all things Security relating to your ServiceNow instance.

Customers can arrange a pen test annually at no additional charge,  but it does need to be arranged in advance and coordinated with ServiceNow.    On the tools front as I mentioned above its horses for courses,  but do not plan to use any DOS/DDOS type tools as these are excluded from available test options.

FYI,  if you are a Security Contact for a customer you can also enrol in the CORE community and through that gain access to the ServiceNow current annual ISO cert's and results from the independent pen tests that ServiceNow has done.  You will find links to and more info on this in the above article.

You amy also find these links of interest:

https://community.servicenow.com/community?id=community_blog&sys_id=59da58dddba193c04e1df4621f96197b

and

https://hi.service-now.com/kb_view.do?sysparm_article=KB0538598