$ man pentest --region=stockholm

Penetration testing in Stockholm: the complete guide for Swedish companies.

Everything a Stockholm company needs to know before commissioning a penetration test — what it involves, what it costs, what the new Cybersecurity Act demands, and how to separate operators from checkbox vendors. Written by the people who do the breaking in.

$ diff pentest vuln_scan

What a penetration test actually is.

A penetration test is a human adversary, hired by you. An operator takes the same access a real attacker would have — the public internet, a phished credential, a foothold on one workstation — and chains real weaknesses into demonstrated access to your systems and data, then documents exactly how, with proof. A vulnerability scan, by contrast, is software producing a list of potential issues, most of which were never exploitable and some of which hide the one path that is. Scans are a hygiene tool; a penetration test is evidence. Auditors, regulators, insurers, and courts treat the two completely differently — and so do attackers. If a quote arrives within minutes, prices like a subscription, or promises “unlimited pentesting,” you are being sold a scan. We wrote more on this in why vulnerability scanners are dying.

$ ls engagement_types/

Types of engagements.

External network testing attacks what the internet can see — your perimeter, VPNs, mail, and exposed services. Internal testing assumes one workstation is compromised and measures how far an attacker gets: usually the most sobering report a business ever reads. Web application and API testing targets the software your customers touch, from authentication logic to injection paths. Cloud testing hunts IAM over-privilege, exposed storage, and misconfiguration across M365, AWS, Azure, and GCP. AI & LLM testing red-teams the models and agents you’ve deployed against prompt injection, data leakage, and tool abuse — the OWASP LLM Top 10, proven, not theorized (see securing AI’s new attack surface). Social engineering tests your people — phishing, vishing, pretexting. And red team operations combine all of it into a stealth campaign against your detection and response, not just your prevention. Full details on our services page.

$ cat pricing.txt

What it costs.

Honest market ranges — every firm scopes differently, but for a typical SMB engagement in this market you should expect:

EXTERNAL€6,000 – €18,000+
INTERNAL / WEBAPP€10,000 – €30,000+
CLOUD / AI-LLM€10,000 – €30,000+
RED TEAM OPS€30,000+

Scope drives everything: number of external hosts, internal subnets, applications, and whether social engineering or physical access is in play. Two warnings from inside the industry: a price dramatically below these ranges buys a rebranded scan, and a price quoted without a scoping call buys a template. A real firm asks questions before it quotes.

$ check --compliance

Compliance drivers in Sweden.

Sweden’s Cybersecurity Act (Cybersäkerhetslagen, 2025:1506) entered into force on 15 January 2026, implementing NIS2 with a distinctive twist: a whole-entity scope — if any part of your operations falls in a covered sector, the entire organization’s systems are in scope, including internal IT. It brings registration with MCF, 24-hour incident reporting, management accountability, and fines up to €10M or 2% of global turnover for essential entities. The Act’s ten minimum security areas must demonstrably work, and its effectiveness-assessment requirement is precisely what penetration testing evidences. Beneath it, GDPR Art. 32 (enforced by IMY) already mandates regular testing of security measures, and DORA requires threat-led penetration testing for financial entities. Our reports map findings directly to those requirements.

$ ./recon --local

The Stockholm threat landscape.

Stockholm concentrates the Nordics’ fintech and payments infrastructure, a deep bench of SaaS and gaming companies whose product is a cloud environment, and one of Europe’s most digitized business cultures — which cuts both ways, because identity is the perimeter here more than anywhere. On engagements in this market we most often get in through leaked or over-scoped OAuth tokens and API keys, over-privileged cloud IAM roles, SSO gaps between fast-adopted tools, and BEC-style identity attacks that Sweden’s high digital trust makes unusually effective.

More on how we operate locally: 0x3 Security — Stockholm.

$ grep -r "operator" vendors/

How to choose a firm.

Five filters separate operators from resellers. Ask who does the work — names and certifications of the actual testers (look for hands-on-keyboard certs like OSCP, CRTO, CPTS, PNPT, earned by exploitation, not multiple choice). Ask for a sanitized sample report — if it’s a scanner export with a logo, walk. Ask how findings are proven — real firms deliver reproduction steps and proof-of-concept, not CVSS scores copy-pasted from a database. Ask what happens after the report — remediation guidance and a retest to verify fixes should be included, not upsold. And ask about scoping — a firm that quotes without understanding your environment is pricing a template, not your risk. We’re happy to be held to all five: meet the team.

$ cat report_anatomy.md

What you actually get.

A real deliverable has four layers. An executive summary in plain language your leadership and clients can read — what an attacker could do to the business, not jargon. Technical findings, each with severity, reproduction steps, and proof-of-concept evidence. A prioritized remediation roadmap — what to fix first and why, scoped to your team or MSP. And a retest verifying the fixes actually closed the paths. That document then earns its keep for years: it’s the evidence your auditor requests, the artifact your cyber insurer prices against, the attachment that closes enterprise deals, and — under the legal frameworks above — part of your defense file.

$ man faq

Frequently asked questions.

How much does a penetration test cost in Stockholm?

For Swedish SMEs, external tests typically run €6,000–€18,000 (roughly 70,000–200,000 SEK), application and cloud engagements €10,000–€30,000, and red team operations from €30,000, depending on scope.

Does the new Cybersecurity Act require penetration testing?

The Act requires organizations to assess the effectiveness of their security measures across ten minimum areas — and penetration testing is the accepted way to produce that evidence. For DORA-regulated financial entities, threat-led penetration testing is explicitly mandated.

What does the whole-entity principle mean for us?

Unlike the old branch-level approach, the Swedish implementation covers your entire legal entity once any covered activity puts you in scope — HR, finance, and internal IT included. Testing scoped only to the “critical” service no longer matches your legal exposure.

What’s the difference between a penetration test and a vulnerability scan?

A scan is an automated list of potential weaknesses; a penetration test is a human adversary chaining them — a leaked token, an over-permissive role, a forgotten subdomain — into demonstrated access to your data.

How often should we test?

At least annually and after significant changes. Cloud-native companies shipping continuously often pair an annual deep engagement with targeted testing of new attack surface each quarter.

$ sudo ./initiate_contact

Ready to see what an attacker sees?

Book a no-pressure scoping call with an operator. We’ll tell you straight what to test, what it’ll cost, and what to fix first.