Penetration testing in Stockholm: the complete guide for Swedish companies.
Everything a Stockholm company needs to know before commissioning a penetration test — what it involves, what it costs, what the new Cybersecurity Act demands, and how to separate operators from checkbox vendors. Written by the people who do the breaking in.
What a penetration test actually is.
A penetration test is a human adversary, hired by you. An operator takes the same access a real attacker would have — the public internet, a phished credential, a foothold on one workstation — and chains real weaknesses into demonstrated access to your systems and data, then documents exactly how, with proof. A vulnerability scan, by contrast, is software producing a list of potential issues, most of which were never exploitable and some of which hide the one path that is. Scans are a hygiene tool; a penetration test is evidence. Auditors, regulators, insurers, and courts treat the two completely differently — and so do attackers. If a quote arrives within minutes, prices like a subscription, or promises “unlimited pentesting,” you are being sold a scan. We wrote more on this in why vulnerability scanners are dying.
Types of engagements.
External network testing attacks what the internet can see — your perimeter, VPNs, mail, and exposed services. Internal testing assumes one workstation is compromised and measures how far an attacker gets: usually the most sobering report a business ever reads. Web application and API testing targets the software your customers touch, from authentication logic to injection paths. Cloud testing hunts IAM over-privilege, exposed storage, and misconfiguration across M365, AWS, Azure, and GCP. AI & LLM testing red-teams the models and agents you’ve deployed against prompt injection, data leakage, and tool abuse — the OWASP LLM Top 10, proven, not theorized (see securing AI’s new attack surface). Social engineering tests your people — phishing, vishing, pretexting. And red team operations combine all of it into a stealth campaign against your detection and response, not just your prevention. Full details on our services page.
What it costs.
Honest market ranges — every firm scopes differently, but for a typical SMB engagement in this market you should expect:
Scope drives everything: number of external hosts, internal subnets, applications, and whether social engineering or physical access is in play. Two warnings from inside the industry: a price dramatically below these ranges buys a rebranded scan, and a price quoted without a scoping call buys a template. A real firm asks questions before it quotes.
Compliance drivers in Sweden.
Sweden’s Cybersecurity Act (Cybersäkerhetslagen, 2025:1506) entered into force on 15 January 2026, implementing NIS2 with a distinctive twist: a whole-entity scope — if any part of your operations falls in a covered sector, the entire organization’s systems are in scope, including internal IT. It brings registration with MCF, 24-hour incident reporting, management accountability, and fines up to €10M or 2% of global turnover for essential entities. The Act’s ten minimum security areas must demonstrably work, and its effectiveness-assessment requirement is precisely what penetration testing evidences. Beneath it, GDPR Art. 32 (enforced by IMY) already mandates regular testing of security measures, and DORA requires threat-led penetration testing for financial entities. Our reports map findings directly to those requirements.
The Stockholm threat landscape.
Stockholm concentrates the Nordics’ fintech and payments infrastructure, a deep bench of SaaS and gaming companies whose product is a cloud environment, and one of Europe’s most digitized business cultures — which cuts both ways, because identity is the perimeter here more than anywhere. On engagements in this market we most often get in through leaked or over-scoped OAuth tokens and API keys, over-privileged cloud IAM roles, SSO gaps between fast-adopted tools, and BEC-style identity attacks that Sweden’s high digital trust makes unusually effective.
More on how we operate locally: 0x3 Security — Stockholm.
How to choose a firm.
Five filters separate operators from resellers. Ask who does the work — names and certifications of the actual testers (look for hands-on-keyboard certs like OSCP, CRTO, CPTS, PNPT, earned by exploitation, not multiple choice). Ask for a sanitized sample report — if it’s a scanner export with a logo, walk. Ask how findings are proven — real firms deliver reproduction steps and proof-of-concept, not CVSS scores copy-pasted from a database. Ask what happens after the report — remediation guidance and a retest to verify fixes should be included, not upsold. And ask about scoping — a firm that quotes without understanding your environment is pricing a template, not your risk. We’re happy to be held to all five: meet the team.
What you actually get.
A real deliverable has four layers. An executive summary in plain language your leadership and clients can read — what an attacker could do to the business, not jargon. Technical findings, each with severity, reproduction steps, and proof-of-concept evidence. A prioritized remediation roadmap — what to fix first and why, scoped to your team or MSP. And a retest verifying the fixes actually closed the paths. That document then earns its keep for years: it’s the evidence your auditor requests, the artifact your cyber insurer prices against, the attachment that closes enterprise deals, and — under the legal frameworks above — part of your defense file.
Frequently asked questions.
How much does a penetration test cost in Stockholm?
For Swedish SMEs, external tests typically run €6,000–€18,000 (roughly 70,000–200,000 SEK), application and cloud engagements €10,000–€30,000, and red team operations from €30,000, depending on scope.
Does the new Cybersecurity Act require penetration testing?
The Act requires organizations to assess the effectiveness of their security measures across ten minimum areas — and penetration testing is the accepted way to produce that evidence. For DORA-regulated financial entities, threat-led penetration testing is explicitly mandated.
What does the whole-entity principle mean for us?
Unlike the old branch-level approach, the Swedish implementation covers your entire legal entity once any covered activity puts you in scope — HR, finance, and internal IT included. Testing scoped only to the “critical” service no longer matches your legal exposure.
What’s the difference between a penetration test and a vulnerability scan?
A scan is an automated list of potential weaknesses; a penetration test is a human adversary chaining them — a leaked token, an over-permissive role, a forgotten subdomain — into demonstrated access to your data.
How often should we test?
At least annually and after significant changes. Cloud-native companies shipping continuously often pair an annual deep engagement with targeted testing of new attack surface each quarter.
Ready to see what an attacker sees?
Book a no-pressure scoping call with an operator. We’ll tell you straight what to test, what it’ll cost, and what to fix first.