Martin Grottenthaler

Martin Grottenthaler, Founder and Lead Penetration Tester. OSCP, CISSP, GCFA, GWAPT. Pentesting since 2017. More about me

OSCP
CISSP
GCFA
GWAPT

Speaker at conferences:

One Penetration Tester. From the First Call to the Final Report.

No account managers, no handoffs. At VidraSec, you always have one point of contact who stays with your engagement from start to finish.

Schedule a free initial call

Not ready to call?

    Testimonials

    A selection from real engagements.

    Working with VidraSec was absolutely professional and pragmatic. The pentest delivered reliable and actionable results and is an important building block for our ongoing DORA compliance.
    Anonymous
    AnonymousCISODORA-regulated company

    Penetration Testing and Consulting

    The three pillars of a stronger security posture.

    Penetration Tests

    A penetration test finds vulnerabilities so that they can be remedied before they are exploited by attackers.

    Cyber Attack Simulation

    The simulation of cyber attacks checks whether existing protective measures actually work as expected.

    Trainings and Presentations

    People are still the first line of defense. Only highly trained employees can prevent attacks at an early stage.

    Why choose VidraSec? 🦦

    What sets a VidraSec engagement apart.

    Many Years of Experience

    At VidraSec, you are guaranteed to get a pentester with a lot of experience. I’ve been conducting pentests since 2017 and have seen all kinds of systems in companies of all sizes and from a wide range of industries. I attach great importance to high quality and understandable, actionable recommendations so that you get as much added value as possible from the pentest.

    Focus on What Matters

    Many penetration tests offer little added value because they focus on trivialities or do not accurately capture the scope. VidraSec attaches great importance to delivering concrete and relevant findings. This gives you maximum security gains at an optimal price-performance ratio.

    You Talk to the Person Doing the Work

    At VidraSec, there are no account managers or delivery handoffs. The person you speak with before signing is the tester who runs the engagement, writes the report, and joins the debrief. What you discuss in the scoping call is what gets tested. No miscommunication, no junior substitutions.

    See What a VidraSec Report Looks Like

    Real deliverables, not promises. Download a sample report before you book anything.

    View Example Reports

    Frequently asked questions

    Pricing, process, confidentiality, and compliance, answered directly.

    Pricing and duration

    How much does a penetration test cost?
    VidraSec uses transparent, person-day-based pricing. Each proposal clearly states the number of planned person-days, the daily rate, and a fixed total: the price quoted is the price charged, even if the work takes a few extra hours to complete. Engagements start at €4,200 for a narrow scope, such as a handful of internet-facing systems. Most projects land between €6,000 and €15,000, and larger red team engagements can run higher. The final price depends on scope and duration. Read how much a penetration test costs for the full breakdown, or get in touch for a quote tailored to your environment.
    How long does a penetration test take?
    Typical engagements run 3-10 days of active testing, depending on scope. A web application test for a single application may take 3-5 days; a full internal infrastructure test with Active Directory in scope may take 5-10 days. Reporting adds roughly 30-50% of the test time on top.
    How quickly can you start?
    After signing, the typical lead time to project start is approximately 4 weeks, though this varies with current capacity. For urgent requests, contact Martin directly to discuss availability.

    Engagement process

    What does the first call look like?
    The call runs about 30 minutes. No preparation needed. I’ll ask you a few questions about your environment and what’s driving the need for testing. If you already have details (number of systems, compliance requirements, previous test results), feel free to share them, but there’s no obligation. You’ll receive a written proposal within a few business days.
    Who will actually run the test?
    Martin Grottenthaler runs every engagement personally. There are no account managers, delivery teams, or junior substitutions. The person you speak with before signing is the person who tests your systems, writes the report, and leads the debrief.
    What happens if the tester gets sick during an engagement?
    The engagement pauses and resumes as soon as possible. There are no substitutions. A short delay is a better outcome than having a stranger you’ve never spoken to continue work on your systems. In practice, illness rarely causes more than a brief interruption. If you have a hard compliance deadline, mention it during scoping; I’ll make sure the schedule leaves enough buffer.
    Do you work remotely or on-site?
    Internal pentests are generally done on-site, but can be performed remotely via VPN or a dedicated jump host if the client’s network setup allows it. External and cloud assessments are always performed remotely.
    What does a pentest report include?
    Every report includes an executive summary for management (non-technical), a detailed technical section per finding with description, evidence, risk rating, and reproduction steps, and actionable remediation recommendations. All findings are manually verified. Reports do not include automated scanner output. See example reports for what this looks like in practice.
    Is a retest included after remediation?
    A retest is not included by default but can be added as an optional add-on. During a retest, VidraSec verifies whether the identified vulnerabilities have been successfully remediated.
    In what language are reports delivered?
    Reports can be delivered in English or German, agreed during scoping. Both languages are fully supported.
    Do you work with clients outside Austria and Germany?
    Yes. Most clients are based in Austria and Germany, but engagements happen internationally too, conducted in English or German.

    Confidentiality and data handling

    Do you sign NDAs?
    Yes. VidraSec routinely signs non-disclosure agreements before engagements begin. Client names, findings, and infrastructure details are never shared with third parties.
    How is sensitive client data handled?
    All client data is handled under VidraSec’s internal Information Security Management System (ISMS), aligned to ISO 27001 principles. This covers secure storage of pentest findings and reports, strict access controls, data minimization, and defined deletion procedures after project completion. Only data strictly necessary for the engagement is collected and retained.

    Compliance

    Does a VidraSec pentest count for ISO 27001, NIS2, TISAX, or DORA?
    Yes. VidraSec penetration tests serve as documented evidence of technical security testing for ISO 27001, NIS2, TISAX, and DORA (Article 25). VidraSec does not issue compliance certificates; that is the role of the relevant certification or audit body. Note: DORA Article 26 TLPT (Threat-Led Penetration Testing for significant financial entities) is a separately regulated process and is outside the scope of standard VidraSec engagements. See what a NIS2-ready pentest looks like for a concrete walkthrough.
    Has VidraSec worked with regulated organizations?
    Yes. VidraSec has conducted engagements for organizations operating under or pursuing ISO 27001, TISAX, DORA, and NIS2. These frameworks require regular, documented technical security testing. VidraSec assessments are structured to meet that need.

    Scope and methodology

    Is VidraSec suitable for smaller companies?
    Yes. VidraSec works with SMBs as well as larger enterprises. A smaller company with fewer systems will generally require fewer person-days, and the fixed-fee price reflects that. Get in touch to discuss what a right-sized engagement would look like for your organization.
    Blackbox, greybox, whitebox: which should I choose?
    Short answer: greybox almost always delivers more value. Blackbox (no credentials) simulates an unauthenticated external attacker but rarely finds findings that a vulnerability scanner wouldn’t also catch. Greybox (valid user credentials) simulates the realistic scenario: a phishing attack succeeded, or an insider has access. This is where the interesting findings live. The Buyer’s Guide covers this in detail.
    What certifications does Martin Grottenthaler hold?
    • OSCP: Offensive Security Certified Professional
    • CISSP: Certified Information Systems Security Professional
    • GCFA: GIAC Certified Forensic Analyst
    • GWAPT: GIAC Web Application Penetration Tester

    Still have questions? Get in touch.