Mid-sized companies in Germany are a preferred target for cyberattacks in 2026, and the reason is simple: large corporations run security operations centres, small businesses have little worth stealing, and mid-sized firms have money, data and limited defences. On top of that come the EU NIS2 directive, a tightened interpretation of the GDPR, and cyber insurance policies that no longer pay out without proof of controls. Anyone who fails to build a professional cybersecurity strategy in the next 24 months risks not only the next ransomware incident but also six-figure fines and cancelled policies. This guide shows what you concretely need to do, from your first pentest to continuous validation.
What is offensive security?
Offensive security means examining your own systems from an attacker's perspective. Instead of merely reviewing log files or configuring firewalls, an offensive auditor simulates real attacks — in a controlled and documented manner, with the goal of finding weaknesses before a real attacker does. The term covers penetration testing, red teaming, adversary emulation and continuous validation.
It's important to distinguish this from pure scanners: an automated vulnerability scanner like Nessus, Qualys or OpenVAS finds known CVE issues — but it does not test logic flaws, business process weaknesses or privilege escalation chains. Neither DAST nor SAST counts as offensive security in the strict sense: DAST (Dynamic Application Security Testing) probes the running application like a black box, SAST (Static Application Security Testing) searches source code for patterns. Both are useful building blocks but do not replace a manual pentest.
A good offensive security auditor combines all three: automated scanners for breadth, SAST/DAST for source code depth, and manual pentest sessions for the creative attack chains that no tool will find on its own. We have built exactly this three-layer approach into our own platform, Reepa Security — more on that below.
NIS2 obligations for mid-sized businesses
The EU NIS2 directive (Network and Information Security 2) entered into force in January 2023, and member states had to transpose it into national law by 17 October 2024. It replaces the old NIS directive and dramatically expands its scope: where previously around 2,000 companies in Germany were affected, an estimated 29,000 companies now fall under the regulation. Germany transposes it through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which amends the BSI Act; the German law came later than the EU deadline, so companies in scope should treat the obligations as applying now rather than wait for a further grace period.
Who is affected? NIS2 distinguishes between "essential" and "important" entities across 18 sectors — including energy, transport, banking, healthcare, drinking water, wastewater, digital infrastructure (data centres, DNS, cloud), public administration, space, postal services, food, mechanical engineering, electronics, automotive and IT service providers. The size threshold is 50 employees OR 10 million euros in annual revenue — quickly reached.
What is required? Concretely: risk management measures (Article 21), reporting duties for security incidents within 24 hours for an initial early warning, full notification within 72 hours, final report within one month. Technically mandatory items include: multi-factor authentication on exposed services, a cryptography concept, supply chain security, a backup and restore concept with testing, training, incident response plans, access management and asset inventory.
The sanctions. For essential entities up to 10 million euros or 2 percent of global annual revenue, whichever is higher; for important entities up to 7 million euros or 1.4 percent, again whichever is higher. Because the higher of the two figures is the cap, a 30-million-euro mid-sized firm from Baden-Württemberg does not face a ceiling of 600,000 euros (2 percent of its revenue) but of 7 or 10 million euros, depending on its classification, plus personal liability of its managing directors for violations. Anyone who has so far dismissed NIS2 as "regulatory noise" should revise that position now at the latest.
Are you subject to NIS2?
We review your company structure, sector classification and IT landscape in a free 30-minute consultation. With a concrete answer, not "it depends".
Book a NIS2 consultation
Penetration testing methodology
A professional pentest follows a documented methodology — whoever offers to "just have a quick look" is not a pentester, but a chancer. Three methodologies are internationally established: OWASP (Open Worldwide Application Security Project) for web applications, PTES (Penetration Testing Execution Standard) as a generic phase model, and OSSTMM (Open Source Security Testing Methodology Manual) for infrastructure audits.
The seven phases. At their core all three follow the same scheme: pre-engagement (scope definition, rules of conduct, emergency contacts), intelligence gathering (OSINT, subdomain enumeration, employee profiles, technology stack detection), threat modeling (which attackers with which motivation and capabilities), vulnerability analysis (automated and manual identification), exploitation (controlled abuse with proof screenshots), post-exploitation (what is reachable, which data is exfiltrable) and reporting (executive summary, technical details, reproduction steps, risk assessment, remediation recommendations).
OWASP Top 10 as the mandatory baseline. For web applications, the OWASP Top 10 (2025 edition) is the minimum standard. The 2025 list is led by Broken Access Control and Security Misconfiguration, followed by Software Supply Chain Failures (the broadened successor of Vulnerable and Outdated Components), Cryptographic Failures, Injection and Insecure Design; Authentication Failures, Software or Data Integrity Failures, Security Logging and Alerting Failures and Mishandling of Exceptional Conditions complete it. Every category is systematically worked through in a proper web app pentest; whoever offers you a "web app pentest" that does not address all 10 categories has not delivered a pentest.
At Reepa we perform all pentests according to PTES phases and use OWASP checklists for web targets. For cloud-specific testing we add the AWS, Azure or GCP Well-Architected security audit. The report always includes an executive summary (one page, for management) and a technical appendix with reproduction commands — you don't have to guess how a finding was meant.
Reepa Security: continuous validation instead of yearly audits
Reepa Security — the audit platform for mid-sized businesses
Since 2023 we have been building Reepa Security: a desktop application with auto-update that performs continuous penetration tests, compliance checks and vulnerability validation against your infrastructure. Currently at version 1.8 with over 100 active detectors, programmatic verification of every reported finding (triple-verify pipeline against false positives) and remote remediation for authenticated operators.
The "one external audit a year, then 11 months blind" model no longer works in 2026. On average, attackers need about 9 days to integrate a newly disclosed vulnerability into mass exploitation tooling. Anyone testing once a year runs blind for the remaining 356 days.
Reepa Security closes exactly this gap. Instead of looking in from the outside once a year, it runs continuously from the inside — as a workstation-installed application with signed code, auto-update via GitHub releases and a full local audit log. The platform combines three audit layers: a passive static scanner for configuration and code weaknesses, an active live validator for authentication, network exposure and cloud misconfiguration, and an optional offensive mode for authenticated vulnerability verification (operator authorisation required).
Concrete features from recent releases: OSINT recon with crt.sh, GitHub leak detection and typo-squat detection. Active Directory goldmine validators (Zerologon, PrintNightmare, PetitPotam detection). Cloud discovery for AWS, Azure and GCP accounts. Perimeter VPN audit with pre-auth RCE CVE coverage for eight vendor families. Deep RDP audit (BlueKeep, DejaBlue, CredSSP status). DNS security probes with DANE, BIMI and SPF-strict. Burp and ZAP import for seamless integration into existing audit workflows. The result is not "yet another scanner" but a complete continuous validation system with compliance reports for GDPR, NIS2 and ISO 27001.
For you as a customer this means: after the initial pentest engagement, Reepa Security stays in production. Every month you receive an up-to-date target/actual comparison against the baseline — new vulnerabilities are detected, remediated gaps are validated, compliance status is tracked. For critical findings the platform alerts immediately, not only in the next quarterly report.
Web, API, mobile and infrastructure pentests
Penetration tests are not a monolithic product — depending on the attack surface, methodology, tooling and depth differ significantly. The four main categories cover almost all mid-market scenarios.
Web application pentests are the most common entry point. The focus is on authentication, session management, input validation, access controls, SSRF, deserialisation and the OWASP Top 10. Typical duration: 5 to 15 person-days, depending on application complexity. The distinction between black box (the tester only knows the URL) and grey box (the tester has a standard user account) matters — the latter finds significantly more, especially in multi-tenant applications with a role model.
API pentests are becoming ever more important because B2B integrations keep growing. Here the focus is on REST and GraphQL endpoints: BOLA (Broken Object Level Authorization), Mass Assignment, rate limiting bypass, JWT confusion and SSRF via webhooks. Anyone testing only the UI and ignoring the API misses the most valuable attack chains.
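Two of the API findings named above, BOLA and mass assignment, each as a vulnerable handler next to its hardened form. This is an added example, not code from the original page or from the Reepa platform: a framework-free stand-in for a REST layer with an in-memory store, with constructed records and placeholder tenant names.

```python
"""BOLA and mass assignment: vulnerable handler beside hardened handler.
Added example with a constructed in-memory store (no web framework).
"""
from dataclasses import dataclass


@dataclass
class Invoice:
    id: int
    tenant: str
    owner: str
    amount: float


@dataclass
class User:
    name: str
    tenant: str
    role: str = "user"
    email: str = ""


# Constructed sample store: two tenants, one invoice each.
INVOICES = {
    1: Invoice(1, "acme", "alice", 120.0),
    2: Invoice(2, "globex", "bob", 99.0),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(caller: User, invoice_id: int) -> Invoice:
    """BOLA: the id comes straight from the URL and ownership is never
    checked, so a globex user reads acme's invoice by requesting /invoices/1."""
    return INVOICES[invoice_id]


def get_invoice_hardened(caller: User, invoice_id: int) -> Invoice:
    """Authorise on the object, not only the endpoint: the invoice must belong
    to the caller's tenant and to the caller (or the caller is a tenant admin).
    'Does not exist' and 'not yours' raise the same error so the id space
    cannot be enumerated through differing status codes."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant != caller.tenant:
        raise NotFound(f"invoice {invoice_id}")
    if inv.owner != caller.name and caller.role != "admin":
        raise NotFound(f"invoice {invoice_id}")
    return inv


# Fields a user may change on their own profile.
WRITABLE_PROFILE_FIELDS = {"email"}


def update_profile_vulnerable(user: User, body: dict) -> User:
    """Mass assignment: every key of the JSON body is copied onto the model,
    so {"role": "admin"} or {"tenant": "acme"} is silently honoured."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


def update_profile_hardened(user: User, body: dict) -> User:
    """Allowlist the writable fields and reject unknown keys outright;
    silently dropping them would hide an attacker's probing."""
    unknown = set(body) - WRITABLE_PROFILE_FIELDS
    if unknown:
        raise Forbidden(f"fields not writable: {sorted(unknown)}")
    for key in WRITABLE_PROFILE_FIELDS & set(body):
        setattr(user, key, body[key])
    return user


if __name__ == "__main__":
    bob = User("bob", "globex")
    print("vulnerable cross-tenant read:", get_invoice_vulnerable(bob, 1))
    try:
        get_invoice_hardened(bob, 1)
    except NotFound as exc:
        print("hardened read denied:", exc)
    print("vulnerable profile update:",
          update_profile_vulnerable(User("bob", "globex"), {"role": "admin"}))
```

The hardened read deliberately answers "not found" for both a missing and a foreign invoice: a 403 on foreign ids would tell an attacker which ids exist. The profile update rejects unknown keys instead of ignoring them, which is also what makes the probing visible in logs.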
Mobile app pentests cover reverse engineering of the iOS IPA or Android APK, inspection of local storage and the Keychain or Keystore, certificate pinning review and backend API tests. For hybrid apps (React Native, Flutter, Capacitor) the JavaScript bridge security is added. Common findings: hardcoded secrets in the bytecode, weak or absent encryption of SharedPreferences, and missing pinning that allows man-in-the-middle interception of API traffic.
Infrastructure pentests address the network layer: external perimeter (what does the internet see?), internal segmentation (can a compromised printer reach the database server?), VPN endpoints with pre-auth RCE risk, RDP and SSH hardening, plus wireless security with evil twin and WPA Enterprise tests. Typical duration: 8 to 25 person-days, depending on the number of sites.
Active Directory audits
In over 95 percent of mid-sized Windows environments, Active Directory is the identity backbone — and therefore the primary target of every ransomware attack. A professional AD audit takes two to five days and in almost every case delivers at least one critical path to domain admin takeover.
Typical findings: outdated domain controllers with Zerologon exposure (CVE-2020-1472, still unpatched in many environments), Kerberoastable service accounts with weak passwords, unconstrained delegation on member servers, ACL misconfiguration (WriteDacl or GenericAll on domain objects), PrintNightmare flaws (CVE-2021-34527 and successors), PetitPotam NTLM relay paths, ADCS weaknesses (the ESC escalation classes, ESC1 onwards) and LAPS passwords readable by overly broad groups. The tools of the trade are freely available: BloodHound for path analysis, Impacket for protocol attacks, Certify and ADCSPwn for certificate attacks. Those who know them close the gaps; those who don't become victims.
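Three of the findings above (Kerberoastable service accounts, AS-REP roastable users, unconstrained delegation) can be triaged from the attributes an ordinary LDAP search returns, before any ticket is requested. The block below is an added example, not Reepa's validator code: attribute names follow the real AD schema and the userAccountControl and msDS-SupportedEncryptionTypes bit values are Microsoft's documented constants, while the sample accounts and hostnames are constructed.

```python
"""Triage AD account objects for roasting and delegation findings.
Added example over constructed LDAP-shaped records.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented Microsoft values)
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000       # domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000     # AS-REP roastable

# msDS-SupportedEncryptionTypes bits
ENC_RC4_HMAC = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a Windows FILETIME: 100 ns intervals since 1601-01-01."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def triage(accounts, now: datetime, max_pwd_age_days: int = 365):
    """Return (sAMAccountName, finding, severity) tuples for enabled accounts."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = acct.get("userAccountControl", 0)
        if uac & UF_ACCOUNTDISABLE:
            continue
        is_computer = bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
        spns = acct.get("servicePrincipalName", [])
        enc_types = acct.get("msDS-SupportedEncryptionTypes", 0)

        # Kerberoasting: any domain user can request a service ticket for an SPN
        # and crack the service account's password offline. Computer accounts
        # have long random passwords and krbtgt is a separate topic, so only
        # user accounts with SPNs count. RC4 (explicit, or the default when the
        # attribute is unset) plus an old password is the cheap-to-crack case.
        if spns and not is_computer and name.lower() != "krbtgt":
            rc4_possible = enc_types == 0 or bool(enc_types & ENC_RC4_HMAC)
            pwd_age = now - filetime_to_datetime(acct.get("pwdLastSet", 0))
            severity = "high" if rc4_possible and pwd_age.days > max_pwd_age_days else "medium"
            findings.append((name, "kerberoastable", severity))

        # AS-REP roasting: without pre-authentication anyone can obtain an
        # AS-REP encrypted with the user's password hash, no credentials needed.
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "as-rep-roastable", "high"))

        # Unconstrained delegation on anything but a DC: the TGT of every user
        # who authenticates to that host is cached there and can be extracted.
        if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append((name, "unconstrained-delegation", "critical"))
    return findings


NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Constructed sample directory (hostnames are placeholders).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "pwdLastSet": datetime_to_filetime(datetime(2019, 6, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200,
     "servicePrincipalName": ["HTTP/intranet.corp.example"],
     "pwdLastSet": datetime_to_filetime(datetime(2026, 1, 15, tzinfo=timezone.utc)),
     "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x410200},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x81000,
     "servicePrincipalName": ["HOST/app01.corp.example"]},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["HOST/dc01.corp.example", "ldap/dc01.corp.example"]},
]


def triage_sample():
    return triage(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for name, finding, severity in triage_sample():
        print(f"{severity:8s} {finding:24s} {name}")
```

Feeding it real data means exporting the listed attributes with any LDAP client as a low-privileged domain user, which is exactly the vantage point an attacker has after the first phished account. The DC exception for unconstrained delegation is deliberate: domain controllers legitimately carry that flag.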
Reepa Security ships dedicated AD goldmine validators that recognise exactly these attack patterns pre- and post-authentication — with an explicit operator authorisation flag, because most detections touch the SMB pipe and may only be used in authorised engagements.
Cloud audits (AWS, Azure, GCP)
Cloud migration solves old problems and creates new ones. The most common misconfiguration findings in our audits: publicly readable S3 buckets with personal data (an immediate GDPR violation), IAM users with AdministratorAccess and no MFA, and roles that can be assumed without an MFA condition, Lambda functions with hardcoded secrets in environment variables, security groups open to 0.0.0.0/0 on management ports, RDS and EBS snapshots shared publicly, and CloudTrail disabled or without multi-region coverage.
On the Azure side, typical issues: overly broad Reader rights via Management Groups, Storage Accounts without network ACLs, Service Principals with overly long secret lifetimes, Conditional Access policies with gaps (e.g. legacy authentication allowed). On GCP: service account keys instead of Workload Identity, BigQuery datasets readable by allUsers, Cloud Storage buckets without Uniform Bucket-Level Access.
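Three of the misconfiguration classes from the two paragraphs above, written as pure checks over the JSON the providers return: an AWS security group with management or database ports open to the whole internet, an IAM policy that grants Action:* on Resource:* without an MFA condition, and GCP IAM bindings that include allUsers or allAuthenticatedUsers. This is an added example, not Reepa's CSPM code; the documents are constructed, but their shape follows the real describe-security-groups, IAM policy document and getIamPolicy formats, so the functions can be pointed at real API output.

```python
"""Pure checks over constructed AWS and GCP configuration documents.
Added example; run against real API output by swapping the samples.
"""
import ipaddress

MANAGEMENT_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 27017}


def _is_everyone(cidr: str) -> bool:
    # 0.0.0.0/0 and ::/0 both have prefix length 0.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_management_rules(security_group: dict):
    """Ingress rules exposing a management or database port to the internet.
    Returns one (GroupId, [ports]) entry per offending rule."""
    hits = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":   # all traffic: no port fields present
            low, high = 0, 65535
        else:
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(_is_everyone(c) for c in cidrs):
            continue
        exposed = sorted(p for p in MANAGEMENT_PORTS if low <= p <= high)
        if exposed:
            hits.append((security_group["GroupId"], exposed))
    return hits


def _as_list(value):
    # IAM allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement: dict) -> bool:
    for operands in statement.get("Condition", {}).values():
        if str(operands.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def admin_without_mfa(policy_document: dict):
    """Sids of Allow statements granting every action on every resource
    without an aws:MultiFactorAuthPresent condition."""
    bad = []
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources and not _requires_mfa(stmt):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(gcp_iam_policy: dict):
    """(role, member) pairs that make a bucket or dataset world-readable."""
    return [(b["role"], m)
            for b in gcp_iam_policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]


# Constructed samples (GroupId, account ids and addresses are placeholders).
SAMPLE_SG = {
    "GroupId": "sg-0a1b2c3d",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AdminWithMfa", "Effect": "Allow", "Action": ["*"], "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::reports/*"},
    ],
}
SAMPLE_GCP_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["allAuthenticatedUsers", "group:analysts@example.com"]},
]}

if __name__ == "__main__":
    print(open_management_rules(SAMPLE_SG))
    print(admin_without_mfa(SAMPLE_POLICY))
    print(public_bindings(SAMPLE_GCP_POLICY))
```

Two details matter in practice: an `IpProtocol` of `-1` carries no port fields at all and must be treated as every port, and an IAM statement written with a bare string instead of a list is still valid and must not slip past a check that only looks at lists.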
A complete cloud audit covers CSPM scans (Cloud Security Posture Management) for configuration, IAM privilege analysis for the rights architecture, and manual deep tests for custom workloads. We deliver the audit report with concrete remediation snippets (Terraform patches, Azure policy definitions, AWS Config rules) — you don't have to derive the solution yourself.
ICS/OT security for industry
Industrial control systems (ICS) and operational technology (OT) are the most underestimated attack surface in DACH mid-market companies. Mechanical engineering firms, plant builders, manufacturing SMBs and utilities operate programmable logic controllers (PLCs) whose protocol stack dates from the 1970s and 1980s. Authentication is usually not provided, encryption neither, and patches are rare — these machines run for 20 years.
Reepa Security ships seven dedicated ICS protocol detectors: Siemens S7Comm and S7Comm-Plus, DNP3 for energy grids, BACnet for building automation, OPC UA for modern Industry 4.0 installations, IEC 60870-5-104 for transmission technology, EtherNet/IP with Forward-Open verify for Rockwell environments, and HART-IP for process instrumentation. Detection runs passive-first, active validation only with operator authorisation — no industrial audit may compromise production availability.
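"Passive-first" means identifying what speaks on the wire without sending a single probe to a controller. The block below is an added example of that step, not Reepa's detector code: it classifies a captured TCP or UDP payload by the documented framing of each protocol named above (TPKT/COTP carrying the S7Comm protocol id, the DNP3 start bytes, the BACnet/IP BVLC header, the IEC 60870-5-104 APCI, OPC UA TCP message headers, the EtherNet/IP encapsulation header and the HART-IP header) and uses the destination port only to raise confidence. The packets are constructed to match those formats.

```python
"""Passive OT protocol classification from captured payload bytes.
Added example; packets below are constructed to the documented framing.
"""
import struct

DEFAULT_PORTS = {
    ("tcp", 102): "S7Comm",
    ("tcp", 20000): "DNP3",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 2404): "IEC 60870-5-104",
    ("tcp", 4840): "OPC UA",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 5094): "HART-IP",
    ("udp", 5094): "HART-IP",
}
# EtherNet/IP encapsulation commands: ListServices, ListIdentity, ListInterfaces,
# RegisterSession, UnregisterSession, SendRRData, SendUnitData
ENIP_COMMANDS = {0x0004, 0x0063, 0x0064, 0x0065, 0x0066, 0x006F, 0x0070}
OPCUA_TYPES = {b"HEL", b"ACK", b"ERR", b"OPN", b"MSG", b"CLO"}


def classify(payload: bytes, port: int, transport: str = "tcp"):
    """Return (protocol, confidence). Framing decides the protocol; a matching
    well-known port raises confidence from 0.6 to 0.9."""
    p, n = payload, len(payload)
    guess = None
    if n >= 7 and p[0] == 0x03 and p[1] == 0x00 and struct.unpack(">H", p[2:4])[0] == n:
        # TPKT (version 3, reserved 0, total length) carries COTP; S7Comm sits
        # after the COTP header and starts with protocol id 0x32.
        s7_offset = 5 + p[4]
        guess = "S7Comm" if n > s7_offset and p[s7_offset] == 0x32 else "ISO-TSAP/COTP"
    elif n >= 10 and p[0] == 0x05 and p[1] == 0x64 and p[2] >= 5:
        guess = "DNP3"                      # start bytes 0x0564, length >= header
    elif n >= 4 and p[0] == 0x81 and struct.unpack(">H", p[2:4])[0] == n:
        guess = "BACnet/IP"                 # BVLC type 0x81, function, length
    elif n >= 6 and p[0] == 0x68 and p[1] == n - 2:
        guess = "IEC 60870-5-104"           # APCI start 0x68, APDU length
    elif (n >= 8 and p[:3] in OPCUA_TYPES and p[3:4] in (b"F", b"C", b"A")
          and struct.unpack("<I", p[4:8])[0] == n):
        guess = "OPC UA"                    # type, chunk flag, message size
    elif n >= 24 and struct.unpack("<H", p[:2])[0] in ENIP_COMMANDS \
            and struct.unpack("<H", p[2:4])[0] == n - 24:
        guess = "EtherNet/IP"               # 24-byte encapsulation header
    elif n >= 8 and p[0] == 1 and struct.unpack(">H", p[6:8])[0] == n:
        guess = "HART-IP"                   # version 1, byte count incl. header
    if guess is None:
        return ("unknown", 0.0)
    return (guess, 0.9 if DEFAULT_PORTS.get((transport, port)) == guess else 0.6)


# Constructed packets: (payload, destination port, transport)
SAMPLES = {
    "s7_setup_communication": (bytes.fromhex(
        "03000019" "02f080" "320100000000000800" "00f0000001000101e0"), 102, "tcp"),
    "dnp3_link_frame": (bytes.fromhex("056405c001000004e921"), 20000, "tcp"),
    "bacnet_who_is": (bytes.fromhex("810b000c0120ffff00ff1008"), 47808, "udp"),
    "iec104_startdt_act": (bytes.fromhex("680407000000"), 2404, "tcp"),
    "opcua_hello": (b"HELF" + struct.pack("<II", 12, 0), 4840, "tcp"),
    "enip_list_identity": (struct.pack("<HHII8sI", 0x0063, 0, 0, 0, b"\x00" * 8, 0), 44818, "tcp"),
    "hartip_session_initiate": (struct.pack(">BBBBHH", 1, 0, 0, 0, 1, 13)
                                + b"\x01" + struct.pack(">I", 60000), 5094, "udp"),
    "http_on_s7_port": (b"GET / HTTP/1.1\r\n\r\n", 102, "tcp"),
    "dnp3_on_odd_port": (bytes.fromhex("056405c001000004e921"), 8080, "tcp"),
}


def classify_samples():
    return {name: classify(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:26s} -> {result}")
```

The port hint is deliberately secondary: remote maintenance gateways and NAT frequently put S7 or Modbus traffic on unexpected ports, and a classifier keyed on ports alone misses exactly the exposures an audit is looking for. Anything that requires a reply from the device (reading a CPU's order number, verifying a Forward Open) belongs to the active stage and to the operator authorisation described above.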
The most common findings in mid-market manufacturing: PLCs directly reachable from the internet (typically via remote maintenance modems or vendor cloud links without VPN), HMI panels with default password "admin/admin", flat networks without segmentation between office IT and production OT, missing asset inventories (no one knows how many PLCs are actually running on the shop floor). A single infected engineering laptop can shut down the entire production line — the only defence is network segmentation and a documented ICS incident response plan.
Incident response playbook
When an attack succeeds, the first four hours determine the scale of the damage. A documented incident response playbook is mandatory in 2026 under NIS2 and ISO 27001 — and from an insurance perspective it's no longer negotiable.
The six phases. Preparation (tools, contacts, contracts with external forensics providers, backup restore tests), detection and analysis (SIEM alert, triage, escalation), containment (network segmentation, account lockout, IOC distribution), eradication (malware removal, patching the entry vector, rebuilding compromised systems), recovery (validated backup restores, monitoring for reinfection), and lessons learned (post-mortem with root cause analysis, updating detection rules).
Mandatory components of a practical playbook: a 24/7 reachable escalation list with backup numbers, prepared communication templates for employees, customers and authorities, an asset inventory with criticality classification, backup restore procedures with documented recovery time, and contracts with external forensics providers in place (negotiating a contract under acute pressure costs you another 24 hours). We also recommend annual tabletop exercises in which a simulated incident is played through — almost every team uncovers gaps that would become expensive in a real crisis.
GDPR, ISO 27001, NIS2 reporting
Compliance is not a matter of taste, it's an obligation. The three central frameworks for DACH mid-market companies differ in scope, mandatory nature and evidence model.
GDPR (applicable since May 2018) applies to anyone processing personal data, that is, practically every business. Technical and organisational measures (TOMs) under Article 32 are mandatory, plus the record of processing activities under Article 30, data protection impact assessments where risk is high under Article 35, and the duty to report personal data breaches to the supervisory authority within 72 hours under Article 33. Fine ceiling: up to 20 million euros or 4 percent of global annual revenue, whichever is higher.
ISO 27001 is voluntary but increasingly a prerequisite for B2B contracts. The Information Security Management System (ISMS) covers 93 controls across 4 themes (organisational, people, physical, technological). Certification is performed by an accredited body, every three years with annual surveillance audits. Effort for initial certification: 6 to 12 months, depending on maturity level.
NIS2 is a legal obligation for the 18 sectors (see above). The technical minimum measures from Article 21 largely overlap with ISO 27001 in practice — anyone certified to ISO 27001 has already met around 80 percent of NIS2. The specific additions: reporting obligations to the competent authority (in Germany the BSI), training duties for managing directors, and dedicated supply chain security.
Our compliance packages deliver all three frameworks in a coordinated build programme: shared asset inventory, shared risk register, shared control matrix with multi-mapping. Instead of three consultants in parallel, you have one partner with consolidated reporting.
What does a pentest cost in 2026?
The question is legitimate and the honest answer is: it depends on the scope. We're happy to give orientation in real numbers, rather than waving "depends on need" around.
Web application pentest: for a single application with standard login, role system and 20 to 50 functions, plan for 6,000 to 12,000 euros. Larger applications with a complex business logic layer, multiple tenants and API backend range from 12,000 to 25,000 euros.
API pentest: 4,000 to 10,000 euros for a focused REST or GraphQL API with 20 to 50 endpoints. For microservice architectures with many services, the price scales linearly with the number of independently testable components.
External infrastructure: from 3,000 euros for a single office with a fixed public IP range, from 8,000 euros for multiple sites and VPN endpoints. A full external audit with OSINT, subdomain coverage, cloud discovery and perimeter testing: 12,000 to 30,000 euros.
Active Directory audit: 8,000 to 20,000 euros depending on forest complexity, number of domain controllers, number of sites and hybrid cloud integration. Multiple forests or M&A topologies cost more accordingly.
Cloud audit (AWS, Azure, GCP): 6,000 to 18,000 euros depending on account count, service variety and multi-region topology. Continuous monitoring afterwards from 800 euros per month via CSPM tools.
Red team engagement: 25,000 to 80,000 euros for a 4- to 8-week realistic adversary simulation with social engineering, physical access and persistence testing. Only useful if your detection and response capabilities are already mature — otherwise you spend a lot of money to learn what you would have discovered in a pentest anyway.
Continuous validation with Reepa Security: 1,500 to 5,000 euros per month (one-off setup, then all-inclusive licence including updates, validation runs and compliance reports). This pays off against one-off audits from the second year on.
Your individual pentest quote within 24 hours
Tell us the scope (web, API, infra, AD, cloud) and the number of assets — we deliver a transparent fixed-price offer. No hidden follow-up costs.
Request a pentest
Provider selection checklist
The DACH market for pentest providers is opaque — from specialised boutiques to resellers who sell a single Nessus scan as a "pentest", everything is on offer. These six criteria separate serious providers from occasional vendors.
- Certified testers. Ask to see the certifications of the actual auditors — not the company. Recognised credentials: OSCP (Offensive Security Certified Professional), OSCE, OSEP, GPEN, GWAPT, CRTO, CRTE. Anyone who dodges the question has none.
- Insured professional liability. At least 5 million euros, ideally 10 million, with explicit coverage for "IT security consulting and pentest services". Ask to see the policy.
- Documented methodology. The proposal must reference PTES, OWASP, OSSTMM or NIST SP 800-115. "We do it right" is not a methodology statement.
- Anonymised sample report. Before engagement, the provider must hand over a sample report — anonymised, but complete in structure. Anyone without one has never written one.
- Clear engagement rules. Written scope, written emergency contacts for escalations, written time windows (a pentest during Black Week is a bad idea). Are these points explicit in the contract or "to be agreed"?
- DACH location and data residency. For GDPR-relevant workloads the provider should be based in the DACH region and produce reports on DACH-based infrastructure. Not impossible, but legally more involved with US or Asian providers.
At Reepa we transparently meet all six criteria — and on request we document this in a provider selection dossier you can hand to your data protection officer or compliance office.
Frequently asked questions
What does a penetration test cost in Germany?
A web pentest typically starts at 6,000 to 12,000 euros for a focused application. Larger audits covering multiple applications, cloud infrastructure and Active Directory range from 20,000 to 60,000 euros. Continuous validation through a platform like Reepa Security replaces annual point-in-time audits with monthly re-runs starting at around 1,500 euros per month.
Is NIS2 mandatory for my company?
NIS2 applies to medium and large companies across 18 sectors — including energy, healthcare, digital infrastructure, transport, water, food, postal services, mechanical engineering, electronics and IT service providers. Key threshold: more than 50 employees OR more than 10 million euros in annual revenue. When in doubt, get it assessed — fines can reach 10 million euros or 2 percent of global annual revenue.
How often should a penetration test be performed?
At least once a year, plus after every significant architectural change (new cloud migration, new application going to production, new API integration). For regulated industries or GDPR-critical workloads we recommend continuous validation instead of an annual snapshot.
What is the difference between pentest, vulnerability scan and red team?
Vulnerability scanners find known weaknesses automatically. Pentests are human-led audits that also evaluate logic flaws, privilege escalation chains and business impact. Red team engagements simulate a real attacker with social engineering, physical access and weeks of persistence — they measure your team's response, not just the gaps.
What is Reepa Security?
Reepa Security is our own audit platform, which we have been developing for over two years. It performs continuous penetration tests, compliance checks and vulnerability validation against your infrastructure — as a desktop application with auto-update and remote remediation. It replaces the "one external audit per year, then 11 months blind" model with monthly re-validation.
Do we need ISO 27001 before NIS2?
No — the two overlap but are not dependent on each other. ISO 27001 is a voluntary management system with certification, NIS2 is a legal obligation with regulatory oversight. An ISO 27001 certification makes NIS2 implementation considerably easier, but does not directly replace the NIS2-specific reporting duties and technical minimum measures.
Is our data at risk during a pentest?
In a professionally conducted audit: no. Before testing we define a written scope (which systems, which time windows, which methods) and engagement rules of conduct. Destructive tests run in staging environments; in production only read-only verification. All findings are transmitted encrypted and reports are cryptographically destroyed on our side after closure.
What happens if an audit finds a critical vulnerability?
We report critical findings immediately, not only in the final report. We provide an emergency patch proposal and support the implementation. If the vulnerability has already been exploited, we escalate into incident response mode — forensics, containment, regulatory notification (NIS2/GDPR within 24 or 72 hours respectively).
How do we choose a reputable pentest provider?
Four criteria to watch: verifiable tester certifications (OSCP, OSCE, GPEN, CRTO), professional liability insurance of at least 5 million euros, transparent methodology (PTES/OSSTMM references in the proposal), and a sample report. Anyone who refuses to show you an anonymised sample report does not have one.
What about our cyber insurance — does it cover this?
Most cyber policies since 2024 actively require evidence of baseline protective measures: MFA everywhere, EDR on endpoints, documented patch process, regular backups with restore tests, annual pentests. Without this evidence, insurers deny payouts in the event of a claim. We help you deliver the required evidence in a consolidated form.
In-depth articles & cases
This pillar covers the overview — for operational depth we refer to the specialised articles per topic. Each article stands on its own and refers back to this cybersecurity guide.
Penetration test process — step by step
From pre-engagement to reporting: the seven PTES phases in detail, with realistic time estimates.
Pentest costs — what do you pay in 2026?
Concrete price ranges per pentest type, factors and what to look for in proposals.
The NIS2 directive for SMBs
Who is affected, which measures are mandatory, which deadlines apply?
GDPR IT security checklist
Article 32 TOMs translated into practical measures — as a self-check.
ISO 27001 — cost, effort, value
Realistic time and budget planning for initial certification in mid-sized companies.
OWASP Top 10 (2025) explained
The 10 most common web app vulnerabilities with code examples and defence patterns.
Red team vs pentest — what suits whom?
Decision matrix for choosing the right audit depth.
Hardening Active Directory
The 12 most important measures against Kerberoasting, ADCS misuse and NTLM relay.
Cloud security AWS checklist
The 20 misconfiguration classics we encounter most often in audits.
Phishing simulation for employees
How to set up an effective, GDPR-compliant phishing exercise in your company.
Incident response plan — template
Six-phase playbook with concrete checklists and escalation templates.
Vulnerability management tools
Tenable, Qualys, Rapid7, OpenVAS, Reepa Security — the honest comparison.
Bug bounty vs pentest
When is a bounty programme worthwhile, when the classic pentest?
Social engineering pentest
Vishing, phishing, pretexting — how we test the human firewall.
SIEM solutions for mid-sized businesses
Splunk, Sentinel, Elastic, Wazuh, MISP — strengths and weaknesses compared.
From our projects
Customer portal — hardening & audit
A self-service portal for 500 business customers, subjected to a full web and API pentest before go-live.
Infracorp Global — GDPR compliance
International infrastructure firm with a multi-region setup, full GDPR and data residency review.
Cloud migration with hardening
SaaS provider migrated from a dedicated server to AWS, including security hardening and CSPM baseline.
Ready for the first step?
Book a free 30-minute consultation to assess your current cybersecurity posture. Afterwards you'll know whether you need an audit, NIS2 preparation or continuous monitoring — or whether your baseline is already solid.
Secure a consultation slot