Pentest Providers in Germany 2026: Comparison, Selection Criteria, Cost
The German market for penetration testing is fragmented. Hundreds of providers — from three-person boutiques to Big Four consultancies, plus a new generation of Pentest-as-a-Service platforms — and every one of them promises "individual testing at the highest level". This guide helps IT and security leaders find the right partner for their actual situation.
The four types of pentest providers
1. Specialised pentest boutiques
Small to mid-sized teams (10–50 testers), often founder-led, deeply specialised. Examples: SySS, HiSolutions, Cirosec, usd AG, SEC Consult, Redlings.
Strengths: Deep technical know-how, in-house research, personal account handling.
Weaknesses: Limited capacity, long lead times (6–12 weeks), point-in-time testing instead of continuous coverage.
Price range: EUR 1,200–1,800 per person-day.
2. IT consultancies and MSSPs with a pentest practice
Mid-to-large consultancies with dedicated IT security units. Examples: Ernst & Young, KPMG, PwC, Deloitte, T-Systems, Secunet.
Strengths: Integration with ISMS, compliance and SOC functions; scale; audit credibility.
Weaknesses: Higher pricing, often less depth in individual engagements, frequent junior staffing on large mandates.
Price range: EUR 1,500–2,500 per person-day.
3. Freelancers / one-person shops
Experienced individuals, often ex-boutique consultants. Sourced through networks or LinkedIn.
Strengths: Flexible, cost-effective, often very high quality.
Weaknesses: No scalability, key-person risk, limited liability cover.
Price range: EUR 900–1,400 per person-day.
4. Pentest-as-a-Service (PTaaS) platforms
Newer category: platform-based and continuous instead of point-in-time. Delivery ranges from crowdsourced human testers coordinated through a platform (Cobalt, HackerOne Assessments, Intigriti) to automated or AI-driven engines (Matproof Sentinel, Pentera).
Strengths: Continuous coverage, fast turnaround, integrated compliance mapping, clearer cost structure.
Weaknesses: Not always the first choice for highly customised legacy systems (SCADA, older mainframes); automated engines cover known vulnerability classes and do not replace manual testing of business logic.
Pricing model: EUR 2,000–8,000 per month (subscription) instead of per-project pricing.
Which certifications providers actually need
What matters is which people on the team are certified, not just the company profile:
| Certification | What it signals |
|---|---|
| OSCP (OffSec, formerly Offensive Security) | Hands-on exploit competence, practically relevant |
| OSEP / OSWE / OSED (the OSCE³ track that replaced the retired OSCE) | Advanced offensive-security skills |
| CREST CRT / CCT (Registered / Certified Tester) | Internationally recognised, relevant for the tester requirements in TLPT |
| OPST / OPSA (ISECOM) | Methodical testing under OSSTMM |
| BSI-certified IS penetration testers / IS auditors | Required for some public-sector and IT-Grundschutz-related engagements |
| CISSP | Management level, less technical |
Important: A provider with 50 CISSPs but only three OSCPs on the testing team is the wrong choice for a technical pentest.
Selection criteria
1. Scope expertise
What systems does the provider actually test? Web apps, APIs, cloud (AWS/Azure/GCP), Active Directory, ICS/OT, iOS/Android, Kubernetes? Ask for reference projects in your specific stack constellation.
2. Methodology and reporting
- OWASP Testing Guide, PTES, OSSTMM, BSI IT-Grundschutz — which standard is applied?
- Request a sample report — is it readable for both engineering and management audiences?
- Are there concrete remediation recommendations, not just findings?
3. Compliance mapping
For NIS2-, DORA- or ISO-27001-obligated companies: are findings mapped directly to regulatory requirements? Does the report deliver artefacts you can use 1:1 in the audit?
4. Re-test included?
After fixes, a re-test must happen. Is it included in the price or charged separately? Best case: unlimited re-tests within three months of the main report.
5. Communication during the test
Daily updates or only a final report? Dedicated channel (Slack, Teams) or email? Are critical findings flagged immediately or only at the end? Immediate flagging is the standard at serious providers.
6. Liability and insurance
A pentest is a controlled attack against production systems. Minimum requirement: business liability cover of at least EUR 5 million, explicitly covering IT security services.
7. Pricing model
Person-day basis, fixed project price, or subscription? For one-off audit deliverables, person-day pricing is transparent. For continuous security, a subscription is meaningfully cheaper on an annual basis.
When classic pentest, when PTaaS?
Classic pentest (person-day model)
- You need a report for a specific audit (ISO 27001, TISAX)
- The system under test is highly customised or legacy
- You need red-team assessments including social engineering
- DORA TLPT — the testers and threat-intelligence providers must meet the DORA Art. 27 requirements (TIBER-EU-aligned), which narrows the field of eligible providers considerably
Pentest-as-a-Service (subscription model)
- You have a large, fast-changing attack surface (cloud, many web services)
- You need to evidence NIS2 Art. 21(2)(f) (assessing the effectiveness of your risk-management measures) on a continuous basis
- An audit trail matters more to you than a single 100-page PDF
- You want predictable cost and direct integration with dev teams
The two models are not mutually exclusive. Most mature companies combine both: PTaaS for continuous coverage, classic pentest for annual audits and special occasions.
Typical pentest costs in Germany 2026
| Scope | Duration | Cost range |
|---|---|---|
| External perimeter test (small company) | 5 PD | EUR 6,000–10,000 |
| Mid-complexity web application | 10–15 PD | EUR 12,000–25,000 |
| Active Directory pentest (internal) | 10 PD | EUR 12,000–18,000 |
| Full network pentest | 20–30 PD | EUR 25,000–50,000 |
| Cloud pentest (AWS/Azure) | 15–25 PD | EUR 20,000–40,000 |
| Red-team engagement | 40–80 PD | EUR 60,000–150,000 |
| TLPT under DORA | 60–120 PD | EUR 80,000–250,000 |
| PTaaS subscription (continuous) | – | EUR 24,000–96,000 / year |
Prices vary significantly by provider type and region. Boutiques in Munich and Frankfurt are typically 10–20 % more expensive than providers in Berlin or Dresden.
Contractual must-haves
Before signing, check:
- NDA — mutual; the provider must protect your data, not just the other way around
- Rules of Engagement — scope, time windows, allowed/forbidden techniques, emergency escalation path, and written authorisation for every target (including cloud-hosted systems, where the cloud provider's own pentest policy applies as well)
- Data Processing Agreement (DPA) under GDPR Art. 28 if personal data is in scope
- Findings data protection — where are pentest reports stored, for how long, who has access?
- Notification duties — on discovering an active attacker, signs of a prior compromise or data exfiltration, immediate notification is mandatory
- Liability clause for system outage — who pays if the pentest takes production down?
- Re-test arrangement — how often, how long, on what commercial terms
How Matproof Sentinel positions itself
Matproof Sentinel is Matproof's AI pentest platform — built for European mid-market companies and regulated industries that need continuous audit evidence rather than once-a-year PDFs. What separates Sentinel from classic pentest providers:
- GitHub App as the primary integration path. One-click install, read-only access scoped to the repos you select, no PATs in env files, no third-party OAuth approvals. GitLab, Bitbucket and plain target URLs are supported too. A single scan can cover one primary target plus up to 50 additional URLs — domain ownership is verified via DNS TXT or HTTP file challenge before any traffic is sent.
- Ten specialised AI agents in coordinated stages. Recon (nmap, amass, httpx) maps the attack surface, then Web / API / Infra / Cloud / Mobile run in parallel (nuclei, sqlmap, OWASP ZAP, testssl.sh, Prowler, MobSF), then SourceCode / SupplyChain (Semgrep, Gitleaks, Trivy), then a ValidatorAgent that re-runs every finding to confirm exploitation. Median scan duration: 25 minutes.
- Findings land as GitHub issues. Auto-assigned with severity labels, reproduction steps and a suggested fix patch. Stable fingerprints dedupe across re-tests and surface a remediation-diff metric: "N findings remediated since your last scan" — the receipt your board actually wants. SARIF export for GitHub Advanced Security included.
- Open methodology, honest scope. The full Sentinel methodology, every agent and every tool are publicly documented at docs.matproof.com/features/sentinel-methodology — including what Sentinel does NOT do: no social engineering, no zero-day discovery, no human verification. No black box.
- Direct compliance mapping. Findings are auto-tagged to SOC 2 (CC7.1), ISO 27001 (A.8.8 / A.8.29), DORA (Art. 24-27), NIS2 (Art. 21), PCI DSS (Req. 11.4), HIPAA (§164.308(a)(8)), BaFin MaRisk/BAIT (AT 7.2 Tz. 13) and NEN 7510 (A.18.2.3). PDF, JSON and SARIF reports drop straight into your audit evidence room.
- We pentest ourselves. Sentinel runs against matproof.com every quarter. We do not ship security tooling we would not point at our own production.
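How a stable fingerprint and a remediation diff can work in practice, as an added example in Python. This is illustrative code written for this page, not Sentinel's implementation: the finding fields (tool, type, severity, url, param), the normalisation rules and the two sample scans are assumptions. The point it shows is that the fingerprint must exclude everything that legitimately changes between scans (scan id, tool, session ids in query strings, severity re-ratings), otherwise every re-test reports "remediated" findings that were never fixed.

```python
from __future__ import annotations

import hashlib
import json
from urllib.parse import parse_qsl, urlsplit

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def normalize_location(url: str) -> str:
    """Reduce a URL to the parts that identify an endpoint.

    Dropped on purpose because they change between scans without the
    vulnerability changing: scheme, default ports, trailing slash, fragment
    and query *values* (session ids, timestamps, CSRF nonces). Parameter
    *names* are kept, sorted, so /search?q=1&sid=a and /search?sid=b&q=2
    map to the same endpoint.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    path = parts.path.rstrip("/") or "/"
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return f"{host}{path}" + (f"?{'&'.join(names)}" if names else "")


def fingerprint(finding: dict) -> str:
    """Stable identity of a finding: vulnerability class + endpoint + parameter.

    Scan id, timestamp, reporting tool, evidence snippet and severity are
    deliberately excluded: they vary across tools and re-tests, and a
    severity re-rating must not make an old finding look 'remediated'.
    """
    key = {
        "type": finding["type"].strip().lower(),
        "location": normalize_location(finding["url"]),
        "param": (finding.get("param") or "").strip().lower(),
    }
    return hashlib.sha256(json.dumps(key, sort_keys=True).encode()).hexdigest()[:16]


def dedupe(findings: list[dict]) -> dict[str, dict]:
    """Collapse duplicates reported by different tools within one scan.

    Keeps the highest severity seen and records every tool that reported it.
    """
    unique: dict[str, dict] = {}
    for f in findings:
        fp = fingerprint(f)
        if fp not in unique:
            unique[fp] = {**f, "fingerprint": fp, "sources": [f["tool"]]}
            continue
        kept = unique[fp]
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[kept["severity"]]:
            kept["severity"] = f["severity"]
        if f["tool"] not in kept["sources"]:
            kept["sources"].append(f["tool"])
    return unique


def remediation_diff(previous: list[dict], current: list[dict]) -> dict[str, list[str]]:
    """Compare two scans by fingerprint: what was fixed, what is new, what persists."""
    prev, curr = dedupe(previous), dedupe(current)
    return {
        "remediated": sorted(prev.keys() - curr.keys()),
        "new": sorted(curr.keys() - prev.keys()),
        "persisting": sorted(prev.keys() & curr.keys()),
    }


def remediation_receipt(previous: list[dict], current: list[dict]) -> str:
    """The one-line metric described above: 'N findings remediated since your last scan'."""
    d = remediation_diff(previous, current)
    return (f"{len(d['remediated'])} findings remediated since your last scan, "
            f"{len(d['new'])} new, {len(d['persisting'])} persisting")


# Constructed sample scans (hypothetical data, not real findings). Scan 2 reports
# the same SQLi with a different session id, an explicit :443, a trailing slash,
# a second tool and a higher severity; the XSS is gone; an open redirect is new.
SCAN_1 = [
    {"tool": "nuclei", "type": "SQLi", "severity": "high",
     "url": "https://app.example.com/search?q=1&sid=abc", "param": "q"},
    {"tool": "zap", "type": "XSS", "severity": "medium",
     "url": "https://app.example.com/profile?name=x", "param": "name"},
]
SCAN_2 = [
    {"tool": "zap", "type": "sqli", "severity": "critical",
     "url": "https://app.example.com:443/search/?sid=xyz&q=test", "param": "q"},
    {"tool": "sqlmap", "type": "SQLi", "severity": "high",
     "url": "https://app.example.com/search?q=1' OR 1=1--&sid=zzz", "param": "q"},
    {"tool": "nuclei", "type": "Open Redirect", "severity": "medium",
     "url": "https://app.example.com/login?next=https://evil.example", "param": "next"},
]

if __name__ == "__main__":
    print(remediation_receipt(SCAN_1, SCAN_2))
```

With the sample data the SQLi from three tool reports collapses to one persisting finding, the XSS counts as remediated and the open redirect as new. Whether a query parameter name belongs in the identity is a design choice: keeping it prevents an injectable `q` and an injectable `sort` on the same endpoint from being merged, at the cost of a new fingerprint when a parameter is renamed during a refactor.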
Price anchor: Sentinel costs EUR 299/month including 3 scan runs, additional scans at EUR 149 each. A classic consultancy pentest in Germany typically costs EUR 8,000–25,000 per engagement, with lead times of weeks, not days. For teams currently feeling "blind" between two annual pentests, Sentinel is typically 70–90 % cheaper with significantly higher coverage.
When Sentinel fits: SaaS mid-market companies with an active development stack that need to evidence SOC 2 / ISO 27001 / NIS2 / DORA continuously.
When a classic provider is the better choice: Red-team engagements including social engineering, TIBER-EU / TLPT under DORA Art. 26, highly customised legacy systems (SCADA, older mainframes).
Conclusion
There is no single "best" pentest provider. There is the right provider for your specific situation:
- For a one-off ISO 27001 audit: a boutique with sector experience
- For TLPT under DORA: a provider whose testers meet the DORA Art. 27 / TIBER-EU requirements
- For continuous security in the mid-market: a PTaaS platform
- For highly regulated industries with customised systems: a hybrid of boutique + PTaaS
What matters is not the provider's name, but the combination of methodology, certifications on the actual testing team, compliance mapping and continuity.
Read more: Automated vs. manual penetration testing | Pentest-as-a-Service: The complete guide | AI penetration testing: the complete guide