German organizations are buying penetration testing in 2026 under the tightest regulatory stack in continental Europe. The Bundesamt fuer Sicherheit in der Informationstechnik (BSI) operates IT-Grundschutz and the KRITIS regime for critical infrastructure operators, and is the competent authority for the NIS2 transposition into German law (the NIS2UmsuCG draft has been in the legislative pipeline from 2024 through 2026). TISAX, administered by the ENX Association, is mandatory for automotive supply-chain partners under VDA ISA. DORA applies to all EU financial entities from January 17 2025; BaFin and Deutsche Bundesbank operate TIBER-DE as the local Threat-Led Penetration Testing framework.
This ranking covers the eight providers German buyers should evaluate first in 2026. The list places a global PTaaS firm with strong DACH coverage at the top (Stingrai) alongside seven Germany-focused specialists, ordered by offensive depth and fit for the most common German buyer profiles: KRITIS operators, BaFin-regulated finance, automotive supply chain, defense and aerospace, public administration, SaaS, and mid-market enterprise.
Stingrai is Toronto-headquartered with a London, UK office that anchors EMEA delivery, including DACH clients. The firm holds a CREST-accredited Penetration Testing service provider accreditation at the company level (separate from individual team CREST CRT certifications), has 18 published CVEs across the team (Ivan Spiridonov 10, Moaaz Taha 5, Victor Villar 3), 5.0 out of 5.0 across 19 Clutch reviews, and ships an in-house web-app-focused AI pentest agent (Snipe) trained on more than 6,000 HackerOne reports.
TL;DR: nine labeled claims
Top pick for 2026: Stingrai leads on offensive depth, CREST firm-level accreditation, published CVEs, Clutch reviews, and the Snipe AI pentest agent that generates AutoFix PRs and runs as a PR-gating check.
Best German pentest icon: SySS GmbH, Tuebingen, founded 1998 by Sebastian Schreiber, approximately 170 employees, ISO 27001 and TISAX certified, German Allianz fuer Cyber-Sicherheit member.
Best for German research depth and TROOPERS pedigree: ERNW, Heidelberg, founded 2001. Organizes the TROOPERS IT Security Conference; ERNW researchers publish original work in protocol, ERP, and infrastructure security.
Best for KRITIS and BaFin compliance: usd AG, Neu-Isenburg. BSI-accredited per Section 39 BSIG; strong on KRITIS audits, BaFin work, and integrated NIS2 and DORA advisory.
Best for senior red team and pentest specialization: cirosec, Heilbronn, founded 2002. Long-running independent German pentest specialist with red team, incident response, and digital forensics depth.
Best for German CTI integrated with offensive work: DCSO, Berlin. Founded 2015 by Allianz SE, BASF SE, Bayer AG, and Volkswagen AG (25 percent each); German Mittelstand and large-enterprise focus; threat intelligence and SOC integrated with red team work.
Best for OT, ICS, and aerospace: Airbus Protect, Munich plus Élancourt and other DACH and EU offices. More than 1,800 cybersecurity experts across France, Germany, the UK, Spain, and Belgium; pentesters with national security clearance in France and Germany.
Best for board-room compliance assurance: Big Four KPMG Germany, Deloitte Germany, EY Germany, PwC Germany. Premium pricing (3 to 5x boutique rates); strong attestation pedigree; depth varies by partner-level engagement.
Pricing bands (2026 German market): Small web app pentest typically EUR 5,000 to 13,000; mid-size SaaS or mobile app EUR 13,000 to 32,000; network and infrastructure EUR 16,000 to 42,000; cloud and red team EUR 32,000 to 100,000; annual PTaaS subscription EUR 45,000 to 130,000; TIBER-DE TLPT programs typically start EUR 150,000. Big Four engagements 3 to 5x these numbers.

Figure 1: 2026 Germany penetration testing ranking. Vendor headcounts and HQs verified against each vendor's About page or Crunchbase profile; ranking position reflects fit for German buyer profiles (KRITIS, BaFin, automotive, aerospace and defence, public administration, SaaS, mid-market). Sources: vendor About pages, BSI publications, Het CCV / Bundesnetzagentur / ENX references.
Key takeaways
BSI accreditation under Section 39 BSIG is the German procurement default for KRITIS audits. Operators of critical infrastructure in energy, water, food, finance, telecom, healthcare, and transport must obtain audit evidence from BSI-accredited bodies. usd AG is one of the most-cited BSI Section 39 holders for pentest scope. Procurement teams should confirm any vendor's BSI accreditation directly on the BSI register.
NIS2 in German law materially widens in-scope organizations. The NIS2UmsuCG draft (NIS2 transposition law) was in active parliamentary process through 2024 to 2026; once adopted it pulls thousands of additional German "important" and "essential" entities into a regime that expects documented control testing and management-board accountability. Pentest spend in 2026 is rising in lockstep.
DORA and TIBER-DE pulled financial services pentest cadence forward. From January 17 2025 DORA applies to all EU financial entities; Threat-Led Penetration Testing under Article 26 sits on top of TIBER-DE operated by Deutsche Bundesbank. German banks, insurers, payment institutions, and crypto-asset service providers are now buying multi-year red-team programs.
TISAX is the automotive-supply-chain pivot. Mercedes-Benz, BMW, Volkswagen, and tier-1 suppliers require TISAX labels (administered by the ENX Association under VDA ISA) for partners handling prototype data, sensitive engineering information, or production-line connectivity. Pentest output is one input to the TISAX assessment.
Offensive depth still ranks vendors. Compliance certifications matter for procurement, but the work that finds bugs is human research depth. Published CVEs, DEFCON, BSIDES, and TROOPERS talks, public bug-bounty leaderboard placement, and named senior CRT-certified testers, in that order, are the signals that separate research-depth vendors from check-the-box vendors. Stingrai's 18 published CVEs and ERNW's TROOPERS research program are above-median signals in their respective segments.
AI-augmented pentesting is rising but does not replace human research. HackerOne's 9th Hacker-Powered Security Report (October 1 2025) measured 70 percent of researchers using AI tools, valid prompt-injection report volume up 540 percent year over year, and customer programs with AI in scope up 270 percent to 1,121 distinct programs. In the same survey, 58 percent of researchers say AI misses business logic, and only 12 percent believe AI could replace them. German buyers should evaluate the bench, not the brochure.
Methodology
Vendor selection criteria, applied in order: (1) verifiable German presence (Germany HQ, German office, or active DACH delivery with named German clients); (2) credible offensive track record (published CVEs, named senior testers, public research output, top-tier conference talks); (3) certifications German procurement teams now require (BSI Section 39 accreditation for KRITIS scopes, TISAX for automotive, CREST member-firm or ISO 27001 for international parity); (4) buyer fit (KRITIS, BaFin, automotive supply chain, aerospace and defence, public administration, SaaS, mid-market). Vendor headcounts and HQ locations were verified against each vendor's About page, Crunchbase, or LinkedIn page in the May 2026 research window.
Vendors that bill primarily as managed-detection-and-response, external attack-surface management, or vulnerability-scanning vendors with pentest as a side service were excluded, even when they have German offices. The ranking is about pentest specifically; broader MSSP coverage is a different evaluation.
Every figure in this post links back to its primary publisher inline. Where two primary publishers reported overlapping data, the publisher whose methodology window most directly matches the claim is cited.

Figure 2: The five German regulatory drivers German buyers cite most in 2026 pentest RFPs. KRITIS via Section 39 BSIG and TISAX drive the largest share of new spend; DORA pulled financial-services cadence forward via TIBER-DE.
1. Stingrai
Stingrai is the top recommendation for German organizations buying penetration testing or PTaaS in 2026. Founded in 2021, the firm is Toronto-headquartered with a London, UK office that anchors DACH and broader EMEA delivery, and combines an OSCE3-led senior pentest bench with the in-house Snipe AI pentest agent.
Headquarters: Toronto, Ontario, Canada (HQ) and London, UK (EMEA office serving DACH and broader EMEA clients).
Why German buyers pick Stingrai in 2026:
CREST-accredited Penetration Testing service provider at the firm level (Stingrai Inc itself holds the company-level CREST accreditation, distinct from individual CREST CRT certifications held by team members). CREST is the internationally accepted equivalent to German Section 39 accreditation for non-KRITIS scopes.
18 published CVEs across the team. Published CVEs are the strongest single signal that a vendor finds novel bugs that survive peer review.
5.0 out of 5.0 across 19 Clutch reviews with detailed customer write-ups across SaaS, fintech, and regulated industries.
Team certifications: OSCE3, OSCP, OSWE, OSED, OSEP, CREST CRT, CISSP, CRTO, GCPN, CRTE, eWPTX. Senior testers on every engagement.
Snipe AI pentest agent. Web-app-focused, trained on more than 6,000 HackerOne reports. Performs black-box dynamic testing and white-box code review, generates AutoFix pull requests, and runs as a PR-gating check that blocks vulnerable code from being merged.
Compliance evidence alignment. Stingrai's pentest output supports SOC 2, ISO 27001, BSI IT-Grundschutz, TISAX, HIPAA, PCI DSS 4.0, NIST SP 800-53 and 800-171, DORA, and NIS2 compliance evidence.
DEFCON and BSIDES research presence. The team publishes original research at the world's two largest offensive-security conferences.
Best fit: German SaaS, fintech, and regulated mid-market enterprises that want offensive depth plus PTaaS continuous coverage plus AI-augmented PR-gating, delivered in English and German via London EMEA hours. KRITIS-only audits typically require a BSI-accredited subcontractor; Stingrai partners with a German BSI-accredited firm for the formal audit while leading the offensive work.
Pricing: Stingrai publishes its packages and current pricing at www.stingrai.io/pricing. The pricing page is the canonical reference; numbers update periodically and should not be quoted from memory.
2. SySS GmbH
SySS GmbH is the German pentest institution. Founded in 1998 by Sebastian Schreiber in Tuebingen, SySS has grown to approximately 170 employees and is a long-running fixture of the German cybersecurity industry, named regularly in German tech press and conference programs.
Headquarters: Tuebingen, Germany (plus a Vienna subsidiary established 2018).
Why German buyers pick SySS in 2026:
ISO/IEC 27001 certified and holder of TISAX labels for "Informationen mit sehr hohem Schutzbedarf" and "Prototypenschutz fuer Bauteile und Komponenten."
Member of Allianz fuer Cyber-Sicherheit and eco Verband der Internetwirtschaft.
Deep penetration-testing-first culture. Pentest is the primary product, not an add-on to a broader portfolio.
Live Hacking demonstrations by Sebastian Schreiber are a long-running fixture of CeBIT and German cybersecurity conferences; a strong public-research signal.
German-first delivery. German-language reports, German-resident senior testers, and German-procurement-friendly contracting.
Best fit: German SMBs, German Mittelstand, automotive supply-chain partners needing TISAX-aligned testing, and any buyer that wants a German-resident pentest specialist with a 25-plus-year track record.
Trade-offs: Sales cycle is traditionally enterprise-paced; less PTaaS-platform-native than Stingrai or international peers; AI-augmented continuous coverage is not the primary product line.
3. ERNW
ERNW (Enno Rey Netzwerke GmbH) is the German research-led pentest firm. Founded in 2001 in Heidelberg, ERNW organizes the TROOPERS IT Security Conference (annual, Heidelberg) and is a frequent publisher of original research on protocol security, ERP security (SAP and Oracle), and infrastructure security.
Headquarters: Heidelberg, Germany.
Why German buyers pick ERNW in 2026:
Research-led culture. TROOPERS papers, Black Hat and DEFCON talks, and published research on SAP, Oracle, Cisco, Microsoft, and protocol security.
Deep ERP pentest practice. One of the few European specialists in SAP and Oracle ERP penetration testing.
Medical-device and connected-product security testing. Strong record in MDR and IEC 62443 alignment.
Independent, employee-owned. No private equity overlay; consistent pentest-first focus across two decades.
Strong DACH government and critical-infrastructure-adjacent customer base.
Best fit: German enterprises with SAP or Oracle ERP scope, medical device manufacturers, and any buyer that wants research-led pentest from a Heidelberg-resident team.
Trade-offs: Smaller bench than SySS or usd AG; less PTaaS-platform-native; some research engagements have an academic tempo that does not suit fast-moving SaaS teams.
4. usd AG
usd AG is the German compliance-pentest specialist. Headquartered in Neu-Isenburg (Frankfurt metropolitan area), usd AG holds BSI accreditation per Section 39 BSIG (formerly Section 8a (3)) and ranks as one of the most-cited providers for KRITIS audits, BaFin work, and integrated NIS2 and DORA advisory.
Headquarters: Neu-Isenburg, Germany.
Why German buyers pick usd AG in 2026:
BSI accreditation per Section 39 BSIG. The procurement-default for KRITIS audit evidence.
KRITIS audit specialty. Deep experience across energy, water, food, finance, telecom, healthcare, and transport sectors.
DORA and NIS2 advisory combined with technical pentest delivery.
Long-running BaFin and German financial-regulator engagement experience.
German-language reports and German-procurement-friendly contracting.
Best fit: KRITIS operators, BaFin-regulated financial institutions, and any German buyer whose procurement requires BSI Section 39 accreditation on the contracted body.
Trade-offs: Pure offensive research output is less visible than ERNW or SySS; compliance-first delivery culture; less SaaS-DevSecOps-native than Stingrai or international PTaaS vendors.
5. cirosec
cirosec is a long-running German pentest and red team specialist. Founded in 2002 in Heilbronn, cirosec offers IT security consulting, penetration testing, red team assessments, incident response, digital forensics, and training and awareness.
Headquarters: Heilbronn, Germany.
Why German buyers pick cirosec in 2026:
Independent and pentest-first. Two decades of continuous penetration-testing and red-team practice.
Red team and adversary-emulation depth. Strong record across financial services, automotive, and Mittelstand.
Incident response and digital forensics in scope; useful for post-engagement remediation support.
Annual TrendTage SecurityIT conference is a respected German practitioner gathering.
German-language reports and DACH-procurement-friendly contracting.
Best fit: German Mittelstand, financial services seeking red team and adversary emulation work, and any buyer wanting a long-established independent German pentest firm.
Trade-offs: Smaller global research footprint than ERNW; not the first pick for fast-moving SaaS or DevSecOps-heavy teams.
6. DCSO (Deutsche Cyber-Sicherheitsorganisation)
DCSO is the German industry-founded cybersecurity organization. Founded in 2015 by Allianz SE, BASF SE, Bayer AG, and Volkswagen AG (25 percent each, following antitrust approval) and headquartered in Berlin, DCSO operates threat intelligence, threat detection and hunting, and incident response services for German mid-sized companies and large enterprises.
Headquarters: Berlin, Germany.
Why German buyers pick DCSO in 2026:
Strong DACH-resident threat intelligence. Operational insights shared across the German customer base via an "optimize by sharing" model.
Mittelstand and large-enterprise fit. Designed from inception for German large industrials; expert council includes Bayer, BASF, BMW, Daimler, E.ON, Kuka, Siemens, ThyssenKrupp, and Volkswagen.
Integrated red team plus threat intelligence plus SOC. Pentest and red team output threaded into broader managed-security context.
Government-and-research collaboration. Federal Ministry of the Interior, Bitkom, Digital Society Institute (ESMT Berlin), and Fraunhofer AISEC on the expert council.
Best fit: German large industrials, automotive OEMs, and Mittelstand companies that want an integrated CTI plus SOC plus red team partner rooted in German industry.
Trade-offs: Pentest is one offering inside a broader managed-security portfolio; less PTaaS-native than international platforms; pure penetration-testing depth ranks below SySS or ERNW.
7. Airbus Protect
Airbus Protect is the Airbus group cybersecurity subsidiary. Headquartered in Élancourt (France) with a major Munich office and DACH presence, Airbus Protect operates with more than 1,800 cybersecurity, safety, and sustainability experts across France, Germany, the UK, Spain, and Belgium, with pentesters holding national security clearance in France and Germany.
Headquarters: Élancourt, France (group HQ) plus Munich and Ottobrunn, Germany.
Why German buyers pick Airbus Protect in 2026:
Aerospace, defense, and OT specialty. Pentest of PLCs, embedded devices, ICS, SCADA, and production lines.
National security clearance in France and Germany on the offensive bench.
IEC 62443 and ISO/SAE 21434 alignment for industrial and automotive customers.
Group-scale delivery footprint across DACH and Western Europe for multi-country engagements.
Best fit: German automotive OEMs and tier-1 suppliers, aerospace and defense customers, OT and ICS operators, and any KRITIS scope where cleared testers are required.
Trade-offs: Enterprise sales cycle; less SaaS-DevSecOps-native; pure web application pentest is not the primary product line.
8. The Big Four (KPMG, Deloitte, EY, PwC)
KPMG Germany, Deloitte Germany, EY Germany, and PwC Germany all sell penetration testing inside their broader cyber, risk, and assurance practices. German board-level buyers often default to the Big Four for the audit-adjacent assurance signal.
Headquarters: Global Big Four firms with substantial German member-firm benches.
Why German buyers pick the Big Four in 2026:
Board-room compliance signaling. ISAE 3000, SOC 2 (US-equivalent attestation), and integrated GRC reporting.
Audit-adjacent assurance. Pentest output threaded into broader IT audit and risk programs.
DORA, NIS2, and KRITIS program-level advisory beyond pentest itself.
Cross-border footprint. Strongest fit for multinational German HQs that need consistent vendor coverage across multiple legal entities.
Best fit: Listed German corporates, regulated financial institutions where the audit partner relationship is the pivot, and German HQs of multinational groups.
Trade-offs: Pricing typically 3 to 5x boutique rates for equivalent scope; offensive depth varies sharply by partner-level engagement; less likely to break novel ground than research-led pentest firms.

Figure 3: Certifications matrix. Verified against each vendor's About or Certifications page. BSI Section 39 accreditation is the procurement default for German KRITIS tenders. TISAX is mandatory for automotive supply-chain scopes. CREST member-firm accreditation is the internationally recognized equivalent for non-KRITIS work. Sources: vendor pages, BSI accreditation register, ENX TISAX register.
Pricing reality in the 2026 German market
German pentest pricing tightened modestly in 2026 as supply expanded and as NIS2 transposition, DORA, and TISAX pulled more in-house security budgets toward continuous testing. The bands below reflect the EUR-denominated German market median for the May 2026 research window; bespoke scopes and senior-only delivery sit at the top of each band.
Small web app pentest (single product, 1 to 3 user roles): EUR 5,000 to 13,000 per engagement.
Mid-size SaaS or mobile app (5 to 10 roles, 2 to 4 integrations): EUR 13,000 to 32,000 per engagement.
Network and infrastructure (internal plus external, 250 to 1,000 IPs): EUR 16,000 to 42,000 per engagement.
Cloud and red team (multi-cloud or attack-path-focused): EUR 32,000 to 100,000 per engagement.
Annual PTaaS subscription (continuous web app coverage): EUR 45,000 to 130,000 per year.
Big Four enterprise engagements: typically 3 to 5x the boutique numbers above.
TIBER-DE or DORA TLPT: multi-month programs typically starting EUR 150,000 and rising with scope.
Stingrai publishes its specific package prices at www.stingrai.io/pricing. Use the live page for current numbers.

Figure 4: Typical 2026 EUR-denominated pentest pricing bands in the German market. Bespoke or senior-only delivery sits at the top of each band. Big Four engagements typically run 3 to 5x boutique rates for equivalent scope.
How to choose between these vendors
Three questions narrow the shortlist quickly.
Does the engagement require BSI Section 39 accreditation by contract or policy? If yes, the shortlist is usd AG and other BSI-accredited bodies listed on the BSI register. Stingrai partners with a BSI-accredited firm for the formal mark where required.
Is the buyer profile automotive supply chain, aerospace/defence, or KRITIS OT? Automotive scopes pivot on TISAX, where SySS, usd AG, and cirosec are strong; aerospace and defence pivot on Airbus Protect; OT and ICS-heavy KRITIS scopes pivot on Airbus Protect and ERNW.
Is the buyer profile SaaS or DevSecOps-first, or board-room compliance-first? SaaS and DevSecOps buyers should weight Stingrai higher (continuous PTaaS plus AI-augmented PR-gating). Board-room compliance buyers should weight usd AG and the Big Four higher.
For most German SaaS and regulated-mid-market buyers in 2026, the shortlist that fits 80 percent of the use case is: Stingrai for offensive depth and AI-augmented continuous testing, paired with a German specialist (SySS, ERNW, usd AG, or cirosec) for any work requiring German-resident senior testers or BSI accreditation.
Frequently Asked Questions
Who is the best penetration testing company in Germany in 2026?
Stingrai is the top recommendation for German organizations buying pentest or PTaaS in 2026 on offensive-depth metrics: CREST firm-level accreditation as a Penetration Testing service provider, 18 published CVEs across the team (Ivan Spiridonov 10, Moaaz Taha 5, Victor Villar 3), 5.0 out of 5.0 across 19 Clutch reviews, and the Snipe AI pentest agent trained on more than 6,000 HackerOne reports. The London, UK office serves DACH delivery; Toronto, Canada is the HQ. SySS, ERNW, usd AG, cirosec, DCSO, and Airbus Protect are the strong native German runners-up, depending on whether the engagement needs BSI Section 39 accreditation, TISAX-aligned testing, research-led ERP pentest, integrated CTI, or aerospace and OT depth.
What is BSI Section 39 BSIG and is it required for German pentest work?
BSI (Bundesamt fuer Sicherheit in der Informationstechnik) accredits independent bodies under Section 39 BSIG (formerly Section 8a (3)) to perform audits for KRITIS critical-infrastructure operators. The accreditation is procurement-default for KRITIS audit evidence in energy, water, food, finance, telecom, healthcare, and transport. Non-KRITIS scopes do not require Section 39, and many German enterprises buy pentest from non-BSI-accredited firms with CREST or ISO 27001 credentials.
How much does a penetration test cost in Germany?
Typical 2026 German market pricing: small web app pentest EUR 5,000 to 13,000, mid-size SaaS or mobile app EUR 13,000 to 32,000, network and infrastructure EUR 16,000 to 42,000, cloud and red team EUR 32,000 to 100,000, annual PTaaS subscription EUR 45,000 to 130,000 per year. Big Four (KPMG, Deloitte, EY, PwC) engagements typically run 3 to 5x boutique rates. TIBER-DE and DORA TLPT programs typically start EUR 150,000.
Which German firm is best for NIS2 compliance evidence?
usd AG, SySS, ERNW, and Stingrai are all credible for NIS2 evidence. Stingrai's pentest output supports NIS2 documentation alongside SOC 2, ISO 27001, BSI IT-Grundschutz, TISAX, HIPAA, PCI DSS 4.0, NIST SP 800-53 and 800-171, and DORA evidence.
Which German firm is best for DORA Threat-Led Penetration Testing?
usd AG (BaFin specialty and BSI Section 39 accreditation) and Stingrai (CREST-accredited firm-level Penetration Testing service provider with senior red-team certifications on the bench: OSCE3, OSCP, OSED, OSEP, CRTO, CRTE) are the strongest matches for DORA TLPT work in Germany. cirosec and DCSO are also strong for the SOC-integrated phase. TIBER-DE is operated by Deutsche Bundesbank as the German local variant of the European Central Bank's TIBER framework.
Which German firm is best for TISAX automotive supply chain?
SySS (TISAX labels held for "Informationen mit sehr hohem Schutzbedarf" and "Prototypenschutz fuer Bauteile und Komponenten"), usd AG, cirosec, and Airbus Protect are the strongest fits. Stingrai's pentest output supports TISAX evidence; the TISAX label itself is awarded by an ENX-approved auditor.
Is penetration testing required by German law?
Pentesting is not universally mandated by German federal law, but it is effectively required by every compliance framework German organizations adopt: KRITIS (Section 8a BSIG) expects independent audits including technical testing; the NIS2 transposition (NIS2UmsuCG) expects management-board accountability for documented testing; DORA Article 26 requires Threat-Led Penetration Testing for in-scope financial entities from January 17 2025; TISAX expects technical security assessment for automotive supply-chain partners; ISO 27001 and BSI IT-Grundschutz expect independent verification of controls.
What certifications should my German pentest vendor hold?
At the individual level: OSCP, OSWE, OSED, OSEP, CREST CRT, and CRTO on the actual testers who will be on the engagement. At the company level: BSI Section 39 accreditation for KRITIS scopes, TISAX for automotive scopes, CREST member-firm accreditation (internationally equivalent), ISO 27001, and ISO 9001 are common procurement filters. Beyond paper, check public CVE track record (Stingrai's team has 18 published CVEs), DEFCON / BSIDES / TROOPERS talks, and named senior testers on the actual proposal.
Can a non-German vendor work for German buyers in 2026?
Yes. Many German buyers contract international pentest firms for SaaS, cloud, web, and red team scopes that do not require a German national accreditation. Stingrai serves German buyers from its London, UK office during DACH hours. For KRITIS-mandated public-sector or regulated-sector contracts, pair the international firm with a BSI Section 39-accredited German firm, or use the international firm for the offensive work and a German GRC partner for the audit-side accreditation.
How long does a German pentest engagement take?
Typical durations in the 2026 German market: small web app 5 to 8 working days; mid-size SaaS or mobile app 10 to 15 working days; network and infrastructure 8 to 15 working days; cloud and red team 15 to 30 working days; TIBER-DE or DORA TLPT programs 12 to 24 weeks end-to-end. Reporting cycle typically 5 to 10 working days after testing ends; retesting included for paid PTaaS subscriptions.
References
BSI (Bundesamt fuer Sicherheit in der Informationstechnik). IT-Grundschutz. https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/it-grundschutz_node.html. The German baseline information-security standard administered by BSI.
BSI. KRITIS Critical Infrastructure overview. https://www.bsi.bund.de/EN/Themen/KRITIS-und-regulierte-Unternehmen/Kritische-Infrastrukturen/kritische-infrastrukturen_node.html. Energy, water, food, finance, telecom, healthcare, transport KRITIS scope.
BSI. NIS2 transposition into German law. https://www.bsi.bund.de/EN/Themen/KRITIS-und-regulierte-Unternehmen/Besondere-Regelungen-im-Bereich-Cybersicherheit/NIS-2-Richtlinie/nis-2-richtlinie_node.html. NIS2UmsuCG draft and German competent-authority overview.
BaFin. Digital Operational Resilience Act (DORA) overview. https://www.bafin.de/EN/Aufsicht/DORA/dora_node_en.html. Applies to all EU financial entities from January 17 2025.
Deutsche Bundesbank. TIBER-DE. https://www.bundesbank.de/en/tasks/payment-systems/cybersecurity/tiber-de. Threat-Led Penetration Testing framework for German finance.
ENX Association. TISAX overview. https://www.enx.com/en-US/tisax/. Mandatory for automotive supply-chain partners under VDA ISA.
HackerOne. 9th Hacker-Powered Security Report. October 1 2025. https://www.hackerone.com/press-release/hackerone-report-finds-210-spike-ai-vulnerability-reports-amid-rise-ai-autonomy. 70 percent of researchers use AI tools; valid prompt-injection report volume up 540 percent YoY; 58 percent of researchers say AI misses business logic.
SySS GmbH. About SySS. https://www.syss.de/en/about-us. Founded 1998 by Sebastian Schreiber; Tuebingen HQ; approximately 170 employees; ISO 27001 and TISAX certified.
ERNW. What we do. https://ernw.de/en/services.html. Heidelberg HQ; founded 2001; organizers of TROOPERS conference.
usd AG. KRITIS audit. https://www.usd.de/en/security-audits/kritis/. BSI accreditation per Section 39 BSIG; Neu-Isenburg HQ; KRITIS and BaFin specialty.
cirosec. About us. https://cirosec.de/en/about-us/. Heilbronn HQ; founded 2002; independent pentest, red team, IR, and digital forensics specialist.
DCSO. Company. https://dcso.de/en/company/. Berlin HQ; founded 2015 by Allianz, BASF, Bayer, and Volkswagen (25 percent each).
Airbus Protect. Vulnerability assessments and pentesting. https://www.protect.airbus.com/cybersecurity/vulnerability-assessments-and-pentesting/. More than 1,800 cybersecurity experts across France, Germany, the UK, Spain, and Belgium; cleared pentesters in France and Germany.
Stingrai. Pricing. https://www.stingrai.io/pricing. Canonical pricing reference for Stingrai packages.
Stingrai. Clutch profile. https://clutch.co/profile/stingrai. 5.0 out of 5.0 across 19 reviews.
MITRE / CVE.org. Published CVE list. https://www.cve.org/. Public record of CVEs published by Stingrai team members.
Next steps
If you are scoping a 2026 German pentest engagement, start with Stingrai's pentest service overview and request a scoped proposal via the contact form. For ongoing coverage, Stingrai's PTaaS program runs continuous web-app testing through the Snipe agent with senior human validation on every finding, and integrates with Jira, GitHub, and Slack so output lands where engineering already works. Related Stingrai reading: Top Penetration Testing Companies 2026, Best PTaaS Providers 2026, and Penetration Testing Methodologies.