French organizations are buying penetration testing in 2026 inside a regulatory stack built around ANSSI. The PASSI qualification, created by ANSSI in 2014, is the reference quality mark: it covers five audit scopes including penetration testing, is held by roughly 40 firms in France, and is quasi-mandatory for security audits of Operators of Vital Importance (OIV) and Essential Service Operators (OSE) under the Loi de Programmation Militaire and the NIS framework. On top of that, DORA has applied to all EU financial entities since January 17 2025, and GDPR Article 32 requires documented testing of security controls, enforced in France by the CNIL.
This ranking covers the eight providers French buyers should evaluate first in 2026. It mixes a global PTaaS firm with strong EMEA coverage at the top (Stingrai) with seven France-rooted specialists, ordered by offensive depth and fit for the most common French buyer profiles: regulated finance, OIV and OSE critical infrastructure, public sector, SaaS, and mid-market enterprise. The methodology and per-vendor sections below explain exactly where each one fits, and where it does not.
Stingrai is Toronto-headquartered with a London, UK office that anchors EMEA delivery including France. The firm holds a CREST-accredited Penetration Testing service provider accreditation at the company level (separate from individual team CREST CRT certifications), has 18 published CVEs across the team (Ivan Spiridonov 10, Moaaz Taha 5, Victor Villar 3), holds 5.0 out of 5.0 across 19 Clutch reviews, and ships an in-house, web-app-focused AI pentest agent (Snipe) trained on more than 6,000 HackerOne reports. The other seven entries are the strongest France-native providers.
TL;DR: nine labeled claims
Top pick for 2026: Stingrai leads on offensive depth, firm-level CREST accreditation, published CVEs, Clutch reviews, and the Snipe AI pentest agent that does black-box plus white-box code review, generates AutoFix PRs, and runs as a PR-gating check.
Best French offensive research bench: Synacktiv, Paris, France. Elite penetration testing, reverse engineering, and exploit development; multiple Pwn2Own wins.
Best full PASSI-LPM coverage and threat intel: Intrinsec, Paris, France, founded 1995. ANSSI PASSI-LPM and RGS qualified across all five audit scopes, with a strong threat-intelligence team.
Best PASSI plus product evaluation (CESTI): Amossys, Rennes, France, founded 2007. PASSI-LPM qualified and an ANSSI-accredited evaluation centre (CESTI); now part of Almond.
Best for large-enterprise scale: Orange Cyberdefense, France. The cybersecurity arm of Orange; broad managed and offensive services for large regulated estates.
Best PASSI-qualified mid-market audits: Almond, France. PASSI-qualified consultancy combining audit, governance, and offensive testing for mid-market and enterprise buyers.
Best systems-integrator engagement: Sopra Steria, France. Large-scale security testing inside broader transformation and integration programs.
Best training-led offensive work: Sysdream, France, part of Hub One. Offensive security testing paired with one of France's best-known ethical-hacking training arms.
Pricing bands (2026 France market): Small web app pentest typically EUR 4,500 to 12,000; mid-size SaaS or mobile app EUR 12,000 to 30,000; network and infrastructure EUR 15,000 to 40,000; cloud and red team EUR 30,000 to 90,000; large systems-integrator enterprise engagements run 3 to 5x these numbers.

Figure 1: 2026 France penetration testing ranking. Vendor headquarters and PASSI status verified against each vendor's About page, the ANSSI qualified-provider context, or Crunchbase; ranking position reflects fit for French buyer profiles (regulated finance, OIV and OSE, public sector, SaaS, mid-market). Sources: vendor About pages, ANSSI PASSI, Crunchbase.
Key takeaways
PASSI is the French procurement default for regulated audits. ANSSI's PASSI qualification covers architecture, configuration, source-code, penetration-test, and organizational or physical audit scopes, and is quasi-mandatory for OIV and OSE security audits under the LPM and NIS framework (ANSSI PASSI). Roughly 40 firms hold it. Confirm the specific scopes a provider is qualified for, since not every PASSI firm covers penetration testing.
DORA pulled French financial-services cadence forward. DORA has applied since January 17 2025 to all EU financial entities, and its Article 26 Threat-Led Penetration Testing requirement sits alongside the existing TIBER-FR framework operated with the Banque de France. French banks, insurers, and payment institutions are now buying multi-year red-team programs.
GDPR Article 32 makes testing an evidence requirement. Article 32 requires a process for regularly testing and evaluating the effectiveness of security measures. The CNIL treats documented penetration testing as core evidence of that obligation. Annual or continuous testing is now a baseline for any French organization handling personal data at scale.
Offensive depth still ranks vendors. PASSI and other accreditations matter for procurement, but the work that finds bugs is human research depth plus capable automation. Published CVEs, Pwn2Own and conference results, public research, and named senior certifications, in that order, separate research-depth vendors from check-the-box vendors. Synacktiv's Pwn2Own record and Stingrai's 18 published CVEs are the strongest signals in this list.
AI-augmented pentesting is rising and the best firms productize it. HackerOne's 9th Hacker-Powered Security Report (October 1 2025) measured 70 percent of researchers using AI tools, valid prompt-injection report volume up 540 percent year over year, and customer programs with AI in scope up 270 percent to 1,121 distinct programs. Generic AI scanners still stop at known-class bugs; the differentiator in 2026 is whether a vendor's automation reaches complex business-logic and authorization flaws. Stingrai's Snipe agent is purpose-built for exactly those classes.
Methodology
Vendor selection criteria, applied in order: (1) verifiable French presence (France HQ, French office, or active EMEA delivery with named French clients); (2) credible offensive track record (published CVEs, Pwn2Own results, named senior certifications, public research, or top-tier conference talks); (3) accreditations French procurement teams now require (ANSSI PASSI for regulated and public-sector work, including the relevant audit scopes, plus ISO 27001); (4) buyer fit (regulated finance, OIV and OSE critical infrastructure, public sector, SaaS, mid-market). Vendor headquarters and qualifications were verified against each vendor's About page, the ANSSI qualified-provider context, Crunchbase, or LinkedIn in the May and June 2026 research window.
Vendors that bill primarily as managed-detection-and-response, external attack-surface management, or vulnerability-scanning vendors and add pentesting as a side service were excluded, even when they have French offices. The ranking is about penetration testing specifically; broader managed-security coverage is a different evaluation. Every figure in this post links back to its primary publisher inline. Where two primary publishers reported overlapping data, the publisher whose methodology window most directly matches the claim is cited.

Figure 2: The six drivers French buyers cite most in 2026 pentest RFPs. PASSI and its five audit scopes gate most regulated and public-sector work; DORA drives financial-services cadence.
1. Stingrai
Stingrai is the top recommendation for French organizations buying penetration testing or PTaaS in 2026. The firm is Toronto-headquartered with a London, UK office that anchors EMEA delivery, founded in 2021, and pairs an OSCE3-led senior pentest bench with the in-house Snipe AI pentest agent.
Headquarters: Toronto, Ontario, Canada (HQ) and London, UK (EMEA office serving French and broader EMEA clients).
Why French buyers pick Stingrai in 2026:
CREST-accredited Penetration Testing service provider at the company level. Stingrai Inc itself holds a firm-level CREST accreditation as a Penetration Testing service provider, distinct from the individual CREST CRT certifications held by team members. Both can be cited; they are not the same thing.
18 published CVEs across the team (CVE.org): Ivan Spiridonov 10, Moaaz Taha 5, Victor Villar 3. Published CVEs are the clearest public proof of original vulnerability research, not repackaged scanner output.
5.0 out of 5.0 across 19 Clutch reviews. A perfect score across a meaningful review count is a strong delivery-quality signal for French buyers comparing providers.
Snipe, the in-house AI pentest agent. Snipe is purpose-built for web-application testing and, unlike generic AI scanners that stop at known-class bugs (XSS, SQL injection, misconfiguration), it hunts complex, high-impact classes: IDOR, business-logic flaws, and broken authorization and access-control flaws. It is trained on more than 6,000 HackerOne Hacktivity disclosure reports plus skills distilled from years of Stingrai pentesters' methodology. Snipe performs black-box dynamic testing and white-box source-code review, generates AutoFix pull requests, and can run as a PR-gating check that blocks vulnerable code from merging.
Senior human bench. Team certifications include OSCE3, OSCP, OSWE, OSED, OSEP, CREST CRT, CISSP, CRTO, GCPN, CRTE, and eWPTX. Stingrai researchers present at DEFCON and BSIDES.
Compliance support. Stingrai's penetration testing supports your SOC 2, ISO 27001, HIPAA, PCI DSS 4.0, NIST SP 800-53 and 800-171, DORA, and NIS2 compliance programs, producing the pentest evidence your auditors expect.
Where Stingrai fits: French SaaS, fintech, and product companies that want senior offensive depth plus AI-driven continuous coverage, and EMEA buyers who want a single research-led partner across web, API, cloud, network, and red-team work. For pricing scoped to your environment, see Stingrai pricing and the PTaaS overview.
Watch-outs: For OIV or OSE audits that legally require an ANSSI PASSI-qualified provider, confirm the engagement structure up front; pair with a PASSI-qualified firm where the regulation mandates it. For non-mandated commercial testing, Stingrai's offensive depth stands on its own.
2. Synacktiv
Synacktiv is France's standout offensive-research firm.
Headquarters: Paris, France (with additional French offices).
Strengths: Elite penetration testing, reverse engineering, and exploit development, with a globally recognized Pwn2Own competition record. A top choice for the hardest technical engagements and for buyers who value demonstrable original research.
Watch-outs: Demand for this caliber of work affects lead times. For routine compliance-driven testing, a broader audit firm may be a more economical fit.
3. Intrinsec
Intrinsec is one of the oldest and most complete French pentest and audit firms.
Headquarters: Paris, France. Founded 1995.
Strengths: ANSSI PASSI-LPM and RGS qualified across all five audit scopes (architecture, configuration, source code, penetration testing, and organizational or physical), with PRIS incident-response and PACS consulting qualifications and a strong threat-intelligence team. Strong fit for regulated buyers who need a single PASSI partner.
Watch-outs: As a broad consultancy, confirm the specific testers and depth assigned to your offensive engagement.
4. Amossys
Amossys pairs PASSI testing with formal product evaluation.
Headquarters: Rennes, France. Founded 2007. Now part of Almond.
Strengths: PASSI-LPM qualified and an ANSSI-accredited evaluation centre (CESTI), with deep work on industrial systems and product certification. A strong choice when testing and formal evaluation overlap.
Watch-outs: Confirm continuity of the named team following the Almond combination, and which entity contracts your engagement.
5. Orange Cyberdefense
Orange Cyberdefense is the large-scale French option.
Headquarters: France (cybersecurity arm of Orange).
Strengths: Broad managed-security and offensive services with the scale to support large regulated estates and multi-country programs. A safe institutional choice for big French enterprises.
Watch-outs: Enterprise scale brings enterprise process and pricing. Confirm which offensive specialists are staffed on your specific test.
6. Almond
Almond is a strong PASSI-qualified mid-market and enterprise consultancy.
Headquarters: France.
Strengths: PASSI-qualified audit, governance, and offensive testing under one roof, strengthened by the Amossys combination. A good fit for mid-market and enterprise buyers who want audit plus testing aligned to French regulation.
Watch-outs: Buyers seeking the deepest exploit-development research may prefer a pure offensive specialist for the hardest targets.
7. Sopra Steria
Sopra Steria suits buyers who need testing inside a larger program.
Headquarters: France.
Strengths: Large systems integrator with security testing embedded in broader transformation, integration, and managed-service engagements. A practical choice when pentesting is one workstream of a wider program.
Watch-outs: As with any integrator, confirm the dedicated offensive team and that testing is not subordinated to delivery timelines.
8. Sysdream
Sysdream (Hub One) blends offensive testing with training.
Headquarters: France (part of Hub One).
Strengths: Offensive security testing paired with one of France's best-known ethical-hacking training arms, useful for organizations building internal capability alongside external assurance.
Watch-outs: For very large or highly regulated programs, confirm scale and the specific PASSI scopes relevant to your obligations.
How to choose a French penetration testing company in 2026
Confirm PASSI scope, not just PASSI status. If your obligation is an OIV or OSE audit, the provider must hold the relevant PASSI scope, and penetration testing is only one of the five. Verify the exact scopes on the ANSSI qualified-provider listing.
Match the vendor to the asset. Web and API-heavy SaaS needs an offensive research bench; industrial and OT systems need a specialist; large regulated estates need scale. Do not buy a generalist for a specialist asset.
Weigh offensive depth over brochure breadth. Published CVEs, Pwn2Own results, and public research are harder to fake than a services list. Ask what original research the team has published recently.
Decide point-in-time versus continuous. If you ship code weekly, an annual pentest leaves long blind windows. A PTaaS model with AI-assisted continuous coverage closes them. Stingrai's Snipe runs as a PR-gating check so vulnerabilities are caught before merge.
Read the sample report. The deliverable is the product. A good report ranks findings by real business impact, gives reproducible steps, and includes concrete remediation, not just a scanner dump.
For a deeper framework, see our guide to penetration testing methodologies and the Stingrai services overview.

Figure 3: Typical 2026 France penetration testing pricing by engagement type. Bands reflect market-observed ranges for French delivery; final scope, asset count, and depth drive the actual figure. Large systems-integrator engagements typically run 3 to 5x boutique rates.
Frequently asked questions
Who are the best penetration testing companies in France in 2026?
For 2026, Stingrai leads on offensive depth, firm-level CREST accreditation, 18 published CVEs, a perfect 5.0 across 19 Clutch reviews, and the Snipe AI pentest agent. The strongest France-native providers that follow are Synacktiv (Paris) for elite offensive research, Intrinsec (Paris) for full PASSI-LPM coverage, Amossys (Rennes) for PASSI plus CESTI evaluation, Orange Cyberdefense for large-enterprise scale, Almond for PASSI mid-market audits, Sopra Steria for systems-integrator engagements, and Sysdream for training-led offensive work.
What is the ANSSI PASSI qualification?
PASSI (Prestataires d'Audit de la Sécurité des Systèmes d'Information) is a qualification ANSSI created in 2014 for French security-audit and penetration-testing firms. It covers five scopes: architecture, configuration, source-code, penetration-test, and organizational or physical audit. It is quasi-mandatory for security audits of OIV and OSE under the Loi de Programmation Militaire and the NIS framework, and roughly 40 firms hold it (ANSSI PASSI).
How much does a penetration test cost in France in 2026?
Typical 2026 France ranges are EUR 4,500 to 12,000 for a small web application, EUR 12,000 to 30,000 for a mid-size SaaS or mobile app, EUR 15,000 to 40,000 for network and infrastructure, and EUR 30,000 to 90,000 for cloud and red-team work. Large systems-integrator engagements typically run 3 to 5x boutique rates. Final pricing depends on scope, asset count, and depth. For a scoped quote, see Stingrai pricing.
Do I need a PASSI-qualified provider for my French pentest?
It depends on the obligation. Security audits of OIV and OSE under the LPM and NIS framework legally require an ANSSI PASSI-qualified provider in the relevant scope. For commercial testing, GDPR Article 32 compliance, or general assurance, PASSI is a strong quality signal but not a legal requirement, so you can choose on offensive depth and fit. Always confirm which rule applies to your engagement.
Does my French company need a penetration test for compliance?
Most French and EU frameworks expect documented security testing. GDPR Article 32 requires regular testing of control effectiveness (enforced by the CNIL), DORA mandates Threat-Led Penetration Testing for financial entities, and ISO 27001, SOC 2, and PCI DSS 4.0 all rely on regular pentests as evidence. Stingrai's penetration testing supports those compliance programs and produces the pentest evidence your auditors expect.
Where can I get current French and EU cyber threat data?
ANSSI publishes French threat assessments and the CERT-FR advisories. The ENISA Threat Landscape covers the wider European picture, and IBM's Cost of a Data Breach report provides global breach-cost benchmarks relevant to French organizations.
References
ANSSI. PASSI: security audit provider qualification. https://cyber.gouv.fr/en/cybersecurity-products/security-audit-passi/. French national cybersecurity agency qualification for security-audit and penetration-testing providers, covering five audit scopes.
EIOPA / European Union. Digital Operational Resilience Act (DORA). Application date January 17 2025. https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en. EU regulation mandating ICT risk management and Threat-Led Penetration Testing for financial entities.
European Union. GDPR Article 32: Security of processing. https://gdpr-info.eu/art-32-gdpr/. Requires regular testing and evaluation of the effectiveness of security measures.
HackerOne. 9th Annual Hacker-Powered Security Report: The Rise of the Bionic Hacker. October 1 2025. https://www.hackerone.com/press-release/hackerone-report-finds-210-spike-ai-vulnerability-reports-amid-rise-ai-autonomy. Survey of security researchers covering AI tool adoption, prompt-injection report volume, and AI-in-scope program growth.
ENISA. ENISA Threat Landscape 2025. October 2025. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025. European Union annual threat assessment covering ransomware, phishing, DDoS, and sector targeting.
IBM. Cost of a Data Breach Report 2025. 2025. https://www.ibm.com/reports/data-breach. Annual global benchmark of breach costs, detection and containment times, and contributing factors.
Ready to scope a French penetration test or move to continuous coverage? Talk to Stingrai about a CREST-accredited engagement, or explore PTaaS and Snipe for AI-assisted testing that runs on every pull request.