FAQ

This page is also available in German.


Pricing and duration

How much does a penetration test cost?

VidraSec uses transparent, person-day-based pricing. Each proposal clearly states the number of planned person-days, the daily rate, and a fixed total: the price quoted is the price charged, even if the work takes a few extra hours to complete. Engagements typically start at €6,000. The final price depends on scope and duration. Get in touch for a quote tailored to your environment.

How long does a penetration test take?

Typical engagements run 3-10 days of active testing, depending on scope. A web application test for a single application may take 3-5 days; a full internal infrastructure test with Active Directory in scope may take 5-10 days. Reporting adds roughly 30-50% of the test time on top.

How quickly can you start?

After signing, the typical lead time to project start is approximately 4 weeks, though this varies with current capacity. For urgent requests, contact Martin directly to discuss availability.


The engagement process

What does the first call look like?

The call runs about 30 minutes. No preparation needed. I’ll ask you a few questions about your environment and what’s driving the need for testing. If you already have details (number of systems, compliance requirements, previous test results), feel free to share them, but there’s no obligation. You’ll receive a written proposal within a few business days.

Who will actually run the test?

Martin Grottenthaler runs every engagement personally. There are no account managers, delivery teams, or junior substitutions. The person you speak with before signing is the person who tests your systems, writes the report, and leads the debrief.

What happens if the tester gets sick during an engagement?

The engagement pauses and resumes as soon as possible. There are no substitutions — a short delay is a better outcome than having a stranger you’ve never spoken to continue work on your systems. In practice, illness rarely causes more than a brief interruption. If you have a hard compliance deadline, mention it during scoping; I’ll make sure the schedule leaves enough buffer.

Do you work remotely or on-site?

Internal pentests are generally done on-site, but can be performed remotely via VPN or a dedicated jump host if the client’s network setup allows it. External and cloud assessments are always performed remotely.

What does a pentest report include?

Every report includes an executive summary for management (non-technical), a detailed technical section per finding with description, evidence, risk rating, and reproduction steps, and actionable remediation recommendations. All findings are manually verified. Reports do not include automated scanner output. See example reports for what this looks like in practice.

Is a retest included after remediation?

A retest is not included by default but can be added as an optional add-on. During a retest, VidraSec verifies whether the identified vulnerabilities have been successfully remediated.

In what language are reports delivered?

Reports can be delivered in English or German, agreed during scoping. Both languages are fully supported.


Confidentiality and data handling

Do you sign NDAs?

Yes. VidraSec routinely signs non-disclosure agreements before engagements begin. Client names, findings, and infrastructure details are never shared with third parties.

How is sensitive client data handled?

All client data is handled under VidraSec’s internal Information Security Management System (ISMS), aligned to ISO 27001 principles. This covers secure storage of pentest findings and reports, strict access controls, data minimization, and defined deletion procedures after project completion. Only data strictly necessary for the engagement is collected and retained.


Compliance

Does a VidraSec pentest count for ISO 27001 / NIS2 / TISAX / DORA?

Yes. VidraSec penetration tests serve as documented evidence of technical security testing for ISO 27001, NIS2, TISAX, and DORA (Article 25). VidraSec does not issue compliance certificates; that is the role of the relevant certification or audit body. Note: DORA Article 26 TLPT (Threat-Led Penetration Testing for significant financial entities) is a separately regulated process and is outside the scope of standard VidraSec engagements.

Has VidraSec worked with regulated organizations?

Yes. VidraSec has conducted engagements for organizations operating under or pursuing ISO 27001, TISAX, DORA, and NIS2. These frameworks require regular, documented technical security testing. VidraSec assessments are structured to meet that need.


Scope and methodology

Is VidraSec suitable for smaller companies?

Yes. VidraSec works with SMBs as well as larger enterprises. A smaller company with fewer systems will generally require fewer person-days, and the fixed-fee price reflects that. Get in touch to discuss what a right-sized engagement would look like for your organization.

Blackbox, greybox, whitebox: which should I choose?

Short answer: greybox almost always delivers more value. Blackbox (no credentials) simulates an unauthenticated external attacker but rarely produces findings that a vulnerability scanner wouldn’t also catch. Greybox (valid user credentials) simulates the realistic scenario: a phishing attack succeeded, or an insider has access. This is where the interesting findings live. The Buyer’s Guide covers this in detail.

What certifications does Martin Grottenthaler hold?

  • OSCP: Offensive Security Certified Professional
  • CISSP: Certified Information Systems Security Professional
  • GCFA: GIAC Certified Forensic Analyst
  • GWAPT: GIAC Web Application Penetration Tester

Still have questions? Get in touch. No obligation.

martin@vidrasec.com

+43 670 3081275