$ man pentest --region=munich

Penetration testing in Munich: the complete guide for German SMEs.

Everything a Munich or Bavarian company needs to know before commissioning a penetration test — what it involves, what it costs, what German law now demands after NIS2, and how to separate real red teamers from checkbox auditors. Written by the operators who do the testing.

$ diff pentest vuln_scan

What a penetration test actually is.

A penetration test is a human adversary, hired by you. An operator takes the same access a real attacker would have — the public internet, a phished credential, a foothold on one workstation — and chains real weaknesses into demonstrated access to your systems and data, then documents exactly how, with proof. A vulnerability scan, by contrast, is software producing a list of potential issues, most of which were never exploitable and some of which hide the one path that is. Scans are a hygiene tool; a penetration test is evidence. Auditors, regulators, insurers, and courts treat the two completely differently — and so do attackers. If a quote arrives within minutes, prices like a subscription, or promises “unlimited pentesting,” you are being sold a scan. We wrote more on this in why vulnerability scanners are dying.

$ ls engagement_types/

Types of engagements.

External network testing attacks what the internet can see — your perimeter, VPNs, mail, and exposed services. Internal testing assumes one workstation is compromised and measures how far an attacker gets: usually the most sobering report a business ever reads. Web application and API testing targets the software your customers touch, from authentication logic to injection paths. Cloud testing hunts IAM over-privilege, exposed storage, and misconfiguration across M365, AWS, Azure, and GCP. AI & LLM testing red-teams the models and agents you’ve deployed against prompt injection, data leakage, and tool abuse — the OWASP LLM Top 10, proven, not theorized (see securing AI’s new attack surface). Social engineering tests your people — phishing, vishing, pretexting. And red team operations combine all of it into a stealth campaign against your detection and response, not just your prevention. Full details on our services page.

$ cat pricing.txt

What it costs.

Honest market ranges — every firm scopes differently, but for a typical SMB engagement in this market you should expect:

EXTERNAL€6,000 – €18,000+
INTERNAL / WEBAPP€10,000 – €30,000+
CLOUD / AI-LLM€10,000 – €30,000+
RED TEAM OPS€30,000+

Scope drives everything: number of external hosts, internal subnets, applications, and whether social engineering or physical access is in play. Two warnings from inside the industry: a price dramatically below these ranges buys a rebranded scan, and a price quoted without a scoping call buys a template. A real firm asks questions before it quotes.

$ check --compliance

Compliance drivers in Germany.

Germany now has the hardest compliance driver in Europe: the NIS2 implementation act (NIS2UmsuCG) entered into force on 6 December 2025 with no transition period, pulling roughly 30,000 companies into scope — most mid-sized firms in manufacturing, transport, digital services, and their supply chains. It brings mandatory BSI registration, 24-hour incident reporting, and personal liability for management, with fines up to €10M or 2% of global turnover. Crucially, the required risk-management measures must demonstrably work — and penetration testing is how you demonstrate it. Beneath NIS2 sit GDPR Art. 32 (mandating regular testing and evaluation of security measures), TISAX for anyone in the automotive supply chain, and DORA for financial entities, which requires threat-led penetration testing outright. Our reports map findings directly to those evidence requirements.

$ ./recon --local

The Munich threat landscape.

Bavaria’s Mittelstand is the most efficient target set in Europe: a 150-person automotive or machinery supplier holds OEM design data, production-network access, and customer trust — at a fraction of the OEM’s security budget. Munich’s insurance and financial cluster concentrates regulated data, and its deep-tech and AI startup scene ships fast on young infrastructure. On engagements in this market we most often get in through phished VPN and M365 credentials, exposed OT/IT bridges on factory networks, and supplier portals that were never adversarially tested.

More on how we operate locally: 0x3 Security — Munich.

$ grep -r "operator" vendors/

How to choose a firm.

Five filters separate operators from resellers. Ask who does the work — names and certifications of the actual testers (look for hands-on-keyboard certs like OSCP, CRTO, CPTS, PNPT, earned by exploitation, not multiple choice). Ask for a sanitized sample report — if it’s a scanner export with a logo, walk. Ask how findings are proven — real firms deliver reproduction steps and proof-of-concept, not CVSS scores copy-pasted from a database. Ask what happens after the report — remediation guidance and a retest to verify fixes should be included, not upsold. And ask about scoping — a firm that quotes without understanding your environment is pricing a template, not your risk. We’re happy to be held to all five: meet the team.

$ cat report_anatomy.md

What you actually get.

A real deliverable has four layers. An executive summary in plain language your leadership and clients can read — what an attacker could do to the business, not jargon. Technical findings, each with severity, reproduction steps, and proof-of-concept evidence. A prioritized remediation roadmap — what to fix first and why, scoped to your team or MSP. And a retest verifying the fixes actually closed the paths. That document then earns its keep for years: it’s the evidence your auditor requests, the artifact your cyber insurer prices against, the attachment that closes enterprise deals, and — under the legal frameworks above — part of your defense file.

$ man faq

Frequently asked questions.

How much does a penetration test cost in Munich?

For German SMEs, external penetration tests typically run €6,000–€18,000, internal and web-application engagements €10,000–€30,000, and red team operations from €30,000. TISAX- or NIS2-mapped reporting is included in scope, not an upsell.

Does NIS2 require penetration testing in Germany?

The NIS2UmsuCG requires effective, state-of-the-art risk-management measures and makes management personally accountable for them. Penetration testing is the accepted way to evidence effectiveness — and for DORA-regulated financial entities, threat-led penetration testing is explicitly mandated.

What’s the difference between a penetration test and a vulnerability scan?

A scan produces an automated list of potential issues; a penetration test is a human adversary chaining real weaknesses into demonstrated access — the difference between a Befund and proof. Regulators, insurers, and courts treat them accordingly.

Can you test production and OT environments safely?

Yes. Manufacturing engagements are scoped with explicit safety rails — passive discovery on production segments, agreed exclusion lists, and maintenance-window testing — so we prove exposure without risking the line.

Do you deliver reports suitable for BSI, TISAX, and customer audits?

Yes — findings are mapped to the relevant framework controls and delivered with an executive summary in plain language, technical reproduction steps, and a remediation-verified retest.

$ sudo ./initiate_contact

Ready to see what an attacker sees?

Book a no-pressure scoping call with an operator. We’ll tell you straight what to test, what it’ll cost, and what to fix first.