
BSI IT-Grundschutz Penetration Testing: An English Guide

BSI IT-Grundschutz ('IT Baseline Protection') is the German Federal Office for Information Security's (Bundesamt für Sicherheit in der Informationstechnik — BSI) comprehensive framework for systematically securing information technology. Mandatory for German federal government agencies and widely adopted by German state governments, critical infrastructure operators, and large enterprises, Grundschutz is the de facto cybersecurity baseline for any organisation operating in Germany's public or regulated sectors. This English-language guide explains the framework structure, where penetration testing fits in the Grundschutz methodology, which modules are most relevant, and what international compliance teams need to know when their German operations require Grundschutz alignment.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

What BSI IT-Grundschutz is and why it matters for international companies in Germany

BSI IT-Grundschutz was first published in 1994 (as the IT-Grundschutzhandbuch) and has been continuously updated since. The current generation is built around four BSI Standards: 200-1 (Information Security Management Systems), 200-2 (IT-Grundschutz Methodology) and 200-3 (Risk Analysis based on IT-Grundschutz), first published in 2017, and 200-4 (Business Continuity Management), finalised in 2023. These are supplemented by the annually updated IT-Grundschutz Compendium, a catalogue of building blocks (Bausteine) organised into layers: ISMS, ORP (Organisation and Personnel), CON (Concepts and Procedures), OPS (Operations), DER (Detection and Reaction), APP (Applications), SYS (IT Systems), IND (Industrial IT), NET (Networks and Communication) and INF (Infrastructure).

Penetration testing is not a building block of its own. The Compendium's modules require security tests, and BSI's separate penetration testing publications (the 2003 study 'Durchführungskonzept für Penetrationstests' and the 2016 'Praxis-Leitfaden für IS-Penetrationstests') supply the classification scheme and process guidance for carrying them out.

Beyond the direct obligation of federal agencies, BSI IT-Grundschutz matters for international companies in Germany for three reasons. (1) German federal and state procurement increasingly requires Grundschutz-aligned suppliers; the page's source cites the Verwaltungsvorschrift Informationssicherheit (VV ISi) as requiring federal agency vendors to demonstrate aligned security. (2) Operators of critical infrastructure (Betreiber kritischer Infrastrukturen, KRITIS) under §8a BSIG must implement state-of-the-art security and prove it to BSI every two years; sector-specific security standards (B3S) and IT-Grundschutz are the recognised ways of demonstrating this. (3) Germany's NIS2 transposition, the NIS2UmsuCG, entered into force in December 2025 (the EU deadline had been 17 October 2024) and extends BSIG obligations to a much larger set of 'important' and 'particularly important' entities; BSI-published standards, with IT-Grundschutz as the primary reference, remain the yardstick for those obligations.

  • BSI-Standard 200-2 (IT-Grundschutz Methodology): positions penetration tests, alongside IS-Revisionen, as a way of checking whether implemented safeguards are effective in practice. They are not mandated for every system, but they are the expected evidence for systems with high or very high protection demand and for the technical part of an audit.
  • APP.3.1 (Web Applications and Web Services): requires security tests of web applications and web services, including authenticated areas. The OWASP Testing Guide is the methodology testers commonly apply when evidencing these requirements.
  • SYS.1.1 (General Server) and SYS.2.1 (General Client): both include requirements for vulnerability management and patch management that a penetration test directly evidences.
  • NET.1.1 (Network Architecture and Design): requires the network to be segmented into zones; a penetration test verifies that the segmentation actually holds, much as PCI DSS segmentation testing does. The requirement applies from normal protection demand upwards.
  • DER.3.1 (Audits and Revisions): requires regular audits of information security, including technical checks; penetration tests are one of the technical review mechanisms used to satisfy it.
  • §8a BSIG KRITIS requirement: critical infrastructure operators in Germany (energy, water, food, health, transport, finance and insurance, IT and telecommunications, municipal waste disposal) must prove state-of-the-art security to BSI every two years; the evidence packages commonly include penetration test reports.
  • Grundschutz certification (ISO 27001 auf Basis IT-Grundschutz): the BSI-issued 'ISO 27001 certificate on the basis of IT-Grundschutz' requires an audit by a BSI-certified auditor that includes a review of technical testing; penetration test evidence is typically part of the auditor's evidence package.

What BSI IT-Grundschutz modules require penetration testing to evidence

  • APP.3.1 (Web Applications and Web Services): full OWASP Top 10 (2021) coverage: Broken Access Control, Injection (SQL, LDAP, OS command), Identification and Authentication Failures, Security Misconfiguration, XSS, SSRF; plus API security per APP.3.1's web-service requirements
  • APP.3.2 (Web Server): web server configuration hardening: HTTP methods (TRACE/OPTIONS disabled), server version disclosure, directory listing, information leakage in error pages, mod_security/WAF bypass testing
  • SYS.1.1/SYS.1.3 (General Server / Linux and Unix Server): server-side vulnerability assessment: scanning for exploitable CVEs (e.g. CVE-2024-6387 OpenSSH regreSSHion, CVSS 8.1; CVE-2024-21626 runc, CVSS 8.6), privilege escalation paths, file system permission misconfiguration
  • NET.1.1 (Network Architecture and Design): segmentation verification: testing that network zones are actually separated, VLAN hopping resistance, internal firewall rule review, east-west traffic controls, VPN configuration security
  • OPS.1.1.3 (Patch and Change Management): validation that applied patches are effective, e.g. verifying mitigation of CVE-2023-44487 HTTP/2 Rapid Reset (CVSS 7.5) and CVE-2022-0778 OpenSSL infinite loop (CVSS 7.5), and comparing the installed package inventory against the current NVD state
  • DER.2.1 (Incident Handling): testing detection capability: verifying that attack activity during the penetration test generates SIEM/IDS/EDR alerts, and simulating initial-access techniques to assess detection coverage
  • IND.2.1 (General ICS Component) for operational technology: OT/SCADA component exposure testing, Modbus/DNP3/IEC 60870-5-104 protocol security assessment for industrial environments
  • INF.13 (Technical Building Management): testing of smart building and BMS systems for IP-based exploitation paths, increasingly relevant as German industrial facilities modernise their infrastructure
  • CON.1 (Cryptography Concept): TLS configuration validation (TLS 1.3 per RFC 8446, TLS 1.2 with restricted cipher suites, rejection of TLS 1.0/1.1/SSLv3), certificate management, key lengths per BSI Technical Guideline TR-02102 (note: CON.3 is the backup concept, not cryptography)
  • APP.2.1/APP.2.2 (General Directory Service / Active Directory Domain Services): AD enumeration resistance, Kerberoasting exposure, privileged account attack surface, GPO misconfiguration review
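The CON.1 item above is the one most often checked mechanically. The following is an added example, not code from this page's author, BSI or Matproof: it evaluates a captured TLS configuration (the kind of data a scanner such as testssl.sh reports) against a crypto-concept policy derived from TR-02102-2. The threshold values in POLICY are the author's reading of the guideline and should be verified against the current edition before being used as audit criteria; the sample configurations WEAK_TLS and HARDENED_TLS are constructed.

```python
"""Added example: check a captured TLS configuration against a CON.1 crypto
policy derived from BSI TR-02102-2. Not code from the page's author, BSI or
Matproof; POLICY values are the author's reading of the guideline and must be
verified against the current edition. Sample inputs are constructed."""
import re

# Policy assumptions (author's reading of TR-02102-2 / TR-02102-1):
POLICY = {
    "protocols": {"TLSv1.2", "TLSv1.3"},    # TLS 1.0/1.1 and SSLv3 not permitted
    "kex": ("ECDHE", "DHE"),                # TLS 1.2 suites must offer forward secrecy
    "aead": ("GCM", "CCM"),                 # AEAD only; no CBC/HMAC suites
    "min_rsa_bits": 3000,
    "min_ec_bits": 250,
    "sig_hash_bits": {"256", "384", "512"}, # SHA-1 certificate signatures fail
}

# TLS 1.3 suites carry no key-exchange or authentication in the name; these are
# the AEAD suites accepted here (ChaCha20 left out because the author has not
# checked its status in the guideline).
TLS13_OK = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_CCM_SHA256"}


def check_tls12_suite(name):
    """Return a finding for a TLS 1.2 suite in OpenSSL naming, or None if acceptable."""
    if not name.startswith(POLICY["kex"]):
        return f"{name}: no forward secrecy (static RSA/DH key exchange)"
    if not any(tag in name for tag in POLICY["aead"]):
        return f"{name}: non-AEAD cipher (CBC/HMAC)"
    return None


def evaluate(config):
    """Return the list of policy findings for a server configuration (empty = compliant)."""
    findings = []
    legacy = set(config["protocols"]) - POLICY["protocols"]
    if legacy:
        findings.append("legacy protocol(s) enabled: " + ", ".join(sorted(legacy)))
    for suite in config.get("tls12_ciphers", []):
        reason = check_tls12_suite(suite)
        if reason:
            findings.append(reason)
    for suite in config.get("tls13_ciphers", []):
        if suite not in TLS13_OK:
            findings.append(f"{suite}: TLS 1.3 suite not in accepted set")
    key_type, bits = config["key"]
    minimum = POLICY["min_rsa_bits"] if key_type == "RSA" else POLICY["min_ec_bits"]
    if bits < minimum:
        findings.append(f"{key_type} key of {bits} bits below minimum of {minimum}")
    # Certificate signature hash: accept SHA-256/384/512 only.
    match = re.search(r"sha(\d+)", config["signature_algorithm"].lower())
    if not match or match.group(1) not in POLICY["sig_hash_bits"]:
        findings.append(f"certificate signature {config['signature_algorithm']} uses a weak or unknown hash")
    return findings


# Constructed sample: what a scanner might report for an unhardened server.
WEAK_TLS = {
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "tls12_ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA", "ECDHE-RSA-AES128-SHA"],
    "key": ("RSA", 2048),
    "signature_algorithm": "sha1WithRSAEncryption",
}

# Constructed sample: the same server after hardening.
HARDENED_TLS = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "tls12_ciphers": ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256"],
    "tls13_ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"],
    "key": ("EC", 256),
    "signature_algorithm": "ecdsa-with-SHA384",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_TLS), ("hardened", HARDENED_TLS)):
        print(f"{label}: {evaluate(cfg) or 'compliant'}")
```

The output of `evaluate` is what goes into the CON.1 evidence: one finding per deviation, phrased so it can be mapped to the requirement it violates, and an empty list for the re-test after hardening.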

Sample finding

High

BSI APP.3.1 violation: unauthenticated access to administrative API via broken function-level authorisation

During the penetration test of a German federal agency's citizen services portal (protection demand 'normal'), Matproof Sentinel identified that the administrative API endpoints /api/admin/users and /api/admin/configuration returned full data to unauthenticated requests, although the web UI enforced authentication. The endpoints were intended only for internal administrative use but were reachable on the public-facing server without authentication or IP restriction. An unauthenticated external attacker could enumerate all 14,700 registered user accounts (name, email, registration date) and read the application configuration, including database connection string prefixes. This violates the basic identity and access management requirements of ORP.4 and APP.3.1's requirement that all management and administration functions be protected against unauthorised access.

Fix: Immediately restrict administrative API endpoints to internal IP ranges only via web server/load balancer ACL configuration. Implement authentication enforcement at the API layer — do not rely solely on UI-level authentication. Add function-level authorisation middleware that checks role claims for all requests to /api/admin/* routes. Conduct a comprehensive audit of all API endpoints to identify other unauthenticated routes. For the Grundschutz IS-check evidence package: document the finding, the remediation, and a re-test result confirming the fix — DER.3.1 requires this documentation trail for audit purposes.

Reference: OWASP API5:2023 Broken Function Level Authorization · BSI APP.3.1 Web Applications and Web Services (IT-Grundschutz Compendium) · CWE-306 Missing Authentication for Critical Function · BSI-Standard 200-2 (IT-Grundschutz Methodology)
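The fix above calls for authentication and function-level authorisation at the API layer, plus an audit of every route. As an added example (not Matproof's, BSI's or the agency's code), the following Python models a minimal router with the vulnerable route table beside the hardened one, enforcing role claims on /api/admin/* before any handler runs, and includes the route-inventory audit. The token store, route paths and handlers are illustrative assumptions.

```python
"""Added example: API-layer authentication and function-level authorisation for
/api/admin/* routes, with a route-inventory audit. Not code from the page's
author, BSI or the agency described; paths, tokens and handlers are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable

# Constructed session store (token -> claims). In production, claims come from a
# validated session cookie or a signature-verified JWT, never a static dict.
SESSIONS = {
    "tok-admin": {"sub": "alice", "roles": ["admin"]},
    "tok-user": {"sub": "bob", "roles": ["citizen"]},
}
ANONYMOUS = {"sub": "anonymous", "roles": []}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Route:
    pattern: str                    # fnmatch-style path pattern
    handler: Callable[[dict], tuple]
    auth: bool = False              # True: a valid session is required
    roles: frozenset = frozenset()  # non-empty: caller needs one of these roles


def list_users(claims):
    return 200, {"users": ["alice", "bob"], "requested_by": claims["sub"]}


def read_config(claims):
    return 200, {"db_host": "db.internal", "requested_by": claims["sub"]}


def public_status(claims):
    return 200, {"status": "ok"}


def authenticate(request):
    """Return the claims for a valid bearer token, or None."""
    header = request.headers.get("Authorization", "")
    if not header.startswith("Bearer "):
        return None
    return SESSIONS.get(header.removeprefix("Bearer "))


def dispatch(routes, request):
    """Resolve the route and enforce authN/authZ before the handler runs.

    Returns (status, body). The decision is made here, at the API layer, so the
    UI's own login check no longer matters for the API's security.
    """
    for route in routes:
        if not fnmatch(request.path, route.pattern):
            continue
        claims = authenticate(request)
        needs_auth = route.auth or bool(route.roles)
        if needs_auth and claims is None:
            return 401, {"error": "authentication required"}
        if route.roles and route.roles.isdisjoint(claims["roles"]):
            return 403, {"error": "insufficient role"}
        return route.handler(claims or ANONYMOUS)
    return 404, {"error": "not found"}


def audit_admin_routes(routes, admin_glob="/api/admin/*"):
    """Audit step from the fix: list admin routes that lack a role requirement."""
    return [r.pattern for r in routes if fnmatch(r.pattern, admin_glob) and not r.roles]


# Vulnerable table as found: the admin routes rely on UI-level login only.
VULNERABLE = [
    Route("/api/status", public_status),
    Route("/api/admin/users", list_users),
    Route("/api/admin/configuration", read_config),
]

# Hardened table: authentication plus an admin role check on every admin route.
ADMIN = frozenset({"admin"})
HARDENED = [
    Route("/api/status", public_status),
    Route("/api/admin/users", list_users, auth=True, roles=ADMIN),
    Route("/api/admin/configuration", read_config, auth=True, roles=ADMIN),
]

if __name__ == "__main__":
    for name, table in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        status, _ = dispatch(table, Request("/api/admin/users"))
        print(f"{name}: unauthenticated GET /api/admin/users -> {status}")
        print(f"{name}: admin routes without role check -> {audit_admin_routes(table)}")
```

The IP-range ACL from the fix is a defence-in-depth layer in front of this and is not modelled here; the point of the example is that the 401/403 decision is taken from the route table, so an admin route added later without a role requirement shows up in `audit_admin_routes` rather than silently going live unauthenticated.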

BSI IT-Grundschutz penetration testing options

                                          Free scan           Matproof Sentinel     Traditional consultancy
Automated scan engine                     ✓ (3-min preview)   ✓ Full scan           ✗ Manual only
OWASP Top 10 coverage                     Partial             ✓ Complete            ✓ Complete
Proof-of-exploit evidence                                     ✓ Per finding         ✓ Per finding
Regulatory mapping (DORA/NIS2/ISO 27001)                      ✓ Automated           ✓ Manual
Audit-ready PDF report                                        ✓ Instant             ✓ 2–4 weeks delivery
Continuous / recurring scans                                  ✓ Per deploy          ✗ Annual engagement
Time to first result                      ~3 min              ~30 min full scan     2–4 weeks
Price                                     €0                  From €149             €8,000–€25,000
Source code review (SAST)                                     ✓ On Growth plan      ✓ Scoped engagement
API testing (REST/GraphQL)                                    ✓ Automated           ✓ Manual

Matproof Sentinel for BSI IT-Grundschutz compliance

Single Run: €149 one-time
  • 1 full pentest scan
  • AI-prioritised findings with CVSS 3.1 scores
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)

Starter (recommended): €299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support

Growth: €799 / month
  • Unlimited scans and domains
  • Authenticated / white-box testing
  • API and cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about BSI IT-Grundschutz penetration testing

What is BSI IT-Grundschutz and is it legally required?

BSI IT-Grundschutz ('IT Baseline Protection') is the German Federal Office for Information Security's cybersecurity framework, providing a systematic methodology for securing IT through standardised building blocks (modules). Federal agencies are bound to it through the BSI Act (BSI-Gesetz, BSIG) and the federal implementation plan (UP Bund), and the obligation reaches their IT service providers through contracts. For private sector organisations it is voluntary as a framework but effectively required indirectly: critical infrastructure operators (KRITIS) under §8a BSIG must implement 'state of the art' security and prove it to BSI, and IT-Grundschutz is the recognised reference for what that means. German federal procurement contracts (the page's source cites the Verwaltungsvorschrift Informationssicherheit) require supplier alignment. For international companies operating German subsidiaries or serving German government clients, Grundschutz alignment is therefore often a contractual requirement.

What is the BSI Penetration Testing Study and how does it classify tests?

BSI's penetration testing study ('Durchführungskonzept für Penetrationstests', 2003), complemented by the 2016 'Praxis-Leitfaden für IS-Penetrationstests', defines a classification scheme that commissioning organisations use to specify a test. Its two most-cited criteria are: (1) information basis: black-box (no prior knowledge) or white-box (full knowledge, including documentation and source code); grey-box is the common industry term for the intermediate case; (2) aggressiveness: passive (observation and scanning only), careful (vorsichtig: only tests that cannot cause disruption), calculated (abwägend: active exploitation where the risk of impairment has been weighed), or aggressive (including deliberate tests of availability). The scheme additionally records scope, approach (covert or overt), technique (network access, other communication channels, physical access, social engineering) and starting point (external or internal). BSI recommends that the commissioning organisation fix the classification in the scope and require the provider's documentation to reflect it. For Grundschutz certification audits, white-box or grey-box testing is usually preferred because it gives more complete coverage within a defined scope.

Which BSI IT-Grundschutz modules are most relevant for web application penetration testing?

The primary modules for web application penetration testing are: APP.3.1 (Web Applications and Web Services), which covers authentication, authorisation, input validation, session management, cryptography and the security of web services and APIs. APP.3.2 (Web Server), which covers web server hardening including HTTP method exposure, server version disclosure and TLS configuration. SYS.1.1 (General Server), which covers server-level security including patching and vulnerability management. NET.1.1 (Network Architecture and Design), which covers segmentation and traffic controls relevant to application hosting. OPS.1.1.3 (Patch and Change Management), which provides the context for software composition analysis and dependency management. For authentication infrastructure: APP.2.1 (General Directory Service), APP.2.2 (Active Directory Domain Services) and APP.2.3 (OpenLDAP) as applicable. Each module contains requirements at three levels: Basic (Basis), Standard, and Elevated Protection Demand (erhöhter Schutzbedarf).

What is the BSI IS-check ('IS-Revision') and does it require a penetration test?

Two different BSI-defined reviews are often lumped together as the 'IS check'. An IS-Revision (Informationssicherheitsrevision) is a review of the security process and its safeguards according to BSI's IS-Revision guideline, carried out by IS-Revisoren; it does not by itself lead to a certificate. The certification audit for 'ISO 27001 auf Basis IT-Grundschutz' is carried out by an auditor certified by BSI for that scheme. Both examine documentation and, on site, the technical implementation of safeguards, and for technical controls both rely on evidence such as vulnerability scan and penetration test reports rather than taking the documentation at face value. In practice any such review covering systems of normal or higher protection demand will ask for penetration test evidence; for systems of high or very high protection demand the auditor may additionally conduct or commission independent technical spot checks.

How does BSI IT-Grundschutz relate to ISO 27001?

BSI offers a certification scheme called 'ISO 27001 auf Basis IT-Grundschutz' (ISO 27001 based on IT-Grundschutz) which is a BSI-specific extension of ISO 27001 certification. Holders of this certificate are also ISO 27001 certified, but have additionally demonstrated that their ISMS is implemented using IT-Grundschutz building blocks. The BSI-Grundschutz certification is generally considered more rigorous than standard ISO 27001 because it requires implementation of specific technical controls (not just risk acceptance) and IS auditor verification of technical implementation. For international companies seeking both ISO 27001 and German regulatory compliance, pursuing 'ISO 27001 auf Basis IT-Grundschutz' achieves both goals simultaneously. However, it requires significantly more implementation work and is more appropriate for German market-focused organisations than for international companies with primarily non-German operations.

What qualifications should a BSI IT-Grundschutz penetration tester have?

BSI does not accredit penetration testers (unlike the auditors it certifies for IT-Grundschutz certification). BSI's penetration testing publications describe a process and a classification scheme rather than a tester qualification, and APP.3.1 testing in practice follows the OWASP Testing Guide. Market expectations in Germany align with OSCP (Offensive Security Certified Professional) for general penetration testing, OSWE for web application specialists, GPEN or GWAPT on the GIAC track, and CREST CRT for provider-level assurance. In the financial sector, TIBER-DE (the Bundesbank and BaFin implementation of the ECB's TIBER-EU framework) sets requirements for threat-led red-team providers, but it is a framework with provider requirements, not an accreditation. Auditors may additionally expect the provider to show familiarity with the IT-Grundschutz Compendium's building blocks so that findings can be mapped to the requirements they violate.

Does a German KRITIS operator need BSI Grundschutz or NIS2 compliance?

Both, and they overlap substantially. KRITIS operators (critical infrastructure operators under §8a BSIG) must implement 'state of the art' security and prove it to BSI every two years. The NIS2UmsuCG, Germany's NIS2 transposition, entered into force in December 2025 (the EU deadline had been 17 October 2024); it extends BSIG obligations to 'important' and 'particularly important' entities and tightens incident reporting to BSI. IT-Grundschutz remains BSI's primary reference for what state-of-the-art security means, so Grundschutz-compliant controls address the KRITIS proof and provide strong evidence for the NIS2 Art. 21(2) risk-management measures. NIS2 does not name penetration testing explicitly: Art. 21(2)(f) requires policies and procedures to assess the effectiveness of the risk-management measures, and a Grundschutz-compliant penetration test is the usual way to evidence that.

What is the BSI protection demand classification and how does it affect penetration testing scope?

BSI IT-Grundschutz classifies information and IT systems into three protection demand categories: normal (damage would be limited and manageable), high (damage would be considerable), and very high (damage would reach an existentially threatening or catastrophic scale, e.g. national security or critical infrastructure). The category steers which requirements apply. Basic and Standard requirements together form the Standard-Absicherung and are expected for systems at normal protection demand; Basis-Absicherung (Basic requirements only) is an entry level, not the target state. Systems at high or very high protection demand additionally undergo a risk analysis per BSI-Standard 200-3, and the modules' elevated-protection requirements become candidate measures. Penetration testing scope follows the same gradient: at normal demand, the security-test requirements of modules such as APP.3.1 are met by a scoped test at standard aggressiveness; at high and very high demand, broader white-box or grey-box scope, higher frequency and independent review are expected. For international companies: if your German subsidiary handles sensitive personal data of many individuals, processes payment data, or provides infrastructure services, expect high or very high classification for key systems.


Get BSI IT-Grundschutz-aligned penetration testing

Matproof Sentinel delivers APP.3.1-compliant web application testing with documentation structured for IS-check audits. Start with a free scan or get a full BSI-aligned penetration test report from €149.
