Penetration Testing Services in Germany
Germany operates the most structured information-security regulatory stack in the EU. BSI (Bundesamt für Sicherheit in der Informationstechnik) owns IT-Grundschutz, the BSI Standards 200-x series, the C5 cloud-security catalogue and the certification scheme for IT-security service providers and KRITIS audits. BaFin sets BAIT, VAIT, KAIT and ZAIT — the supervisory IT requirements for banks, insurance, asset managers and payment institutions — and supervises DORA implementation from January 2025. The Federal Commissioner for Data Protection (BfDI) and 16 Länder data-protection authorities enforce GDPR and the Federal Data Protection Act (BDSG) — Germany's enforcement record is the most active in the EU. NIS2 transposition and the German KRITIS regime apply to essential and important entities across energy, water, transport, banking, health and digital infrastructure. AxVeil delivers vulnerability assessment, penetration testing and red team services across Germany for commercial buyers — operator-led, named-operator engagements with fixed-fee EUR or USD proposals.
Engagements are served from our Bengaluru-headquartered team across Berlin, Munich, Frankfurt am Main, Hamburg, Stuttgart, Cologne, Düsseldorf and the Wolfsburg / Ingolstadt automotive belt. India Standard Time is 4.5 hours ahead of Central European Time (3.5 hours ahead of CEST), which gives a clean overlapping working day for daily Slack / Teams triage, draft-report walkthroughs and readout calls. Whether you are a Berlin Series-B SaaS chasing US Fortune 500 procurement under SOC 2 Type 2 and ISO 27001:2022, a Frankfurt-based BaFin-supervised commercial bank running BAIT-aligned independent testing, a Munich Mittelstand manufacturer scoping NIS2 readiness, a Wolfsburg / Stuttgart / Ingolstadt automotive supplier on TISAX AL2 / AL3 readiness, or a foreign-HQ company with German engineering ops consolidating GDPR / BSI IT-Grundschutz evidence, our methodology compresses 4-week manual audits into 10-14 day engagements without sacrificing depth.
The German threat surface we scope against
BSI, BaFin and the Länder DPAs each push a distinct threat lens. We threat-model these clusters first, then map findings to whichever framework governs your scope.
Mittelstand ransomware targeting
German Mittelstand manufacturers are a favoured ransomware target via exposed VPN edge, weak AD tiering and flat OT networks. Our red team emulates the initial-access and lateral-movement chains these crews actually run.
Automotive supply-chain (TISAX)
VW, BMW, Mercedes-Benz and tier-1 suppliers cascade TISAX and ISO 21434 expectations. We test engineering-environment segmentation, OTA signing infrastructure and telematics back-ends against UN R155 CSMS scope.
BaFin financial-sector resilience
BAIT / VAIT / ZAIT and DORA push tested incident response and third-party-risk assurance. We threat-model payment APIs, SWIFT CSP boundaries and the outsourced-IT chain BaFin reviews scrutinise.
Schrems-II cross-border exposure
Cross-border transfers under SCCs and TIAs remain a live GDPR risk. We map where EU personal data leaves the bloc and whether the supplementary measures actually hold under audit.
AxVeil is not currently BSI-certified under the Bundesamt für Sicherheit in der Informationstechnik certification scheme for IT-security service providers (IT-Sicherheitsdienstleister) and is not on a German federal cybersecurity panel. For BSI-certified scope — most German federal-government tenders, BSI-attestation scope on KRITIS audits, and any tender that names BSI certification as the procurement floor — AxVeil partners with a BSI-certified provider that signs the regulator-facing report. AxVeil's commercial focus is direct delivery to German SaaS, fintech (non-BaFin-mandated layers), Mittelstand manufacturing, automotive software, e-commerce, BaFin-supervised commercial scope and foreign-HQ companies with German engineering. For DORA TLPT scope, AxVeil partners with TIBER-DE / TIBER-EU-registered providers. The contracting path is stated in the proposal up front.
Industries we serve in Germany
The German commercial market is unusually concentrated by sector. Berlin runs the SaaS and B2B fintech corridor — stacks analogous to those of N26, Trade Republic, Personio, Pitch, Celonis (Munich) and the broader European-grown SaaS cohort scaling into US Fortune 500 procurement under SOC 2 Type 2 and ISO 27001:2022. Frankfurt anchors the BaFin-supervised banking and payment estate — Deutsche Bank, Commerzbank, DZ Bank, KfW, the European Central Bank and the DORA-relevant cohort. Munich and Stuttgart centre the deep-tech, automotive-software and Mittelstand insurance estate; Hamburg and Cologne add logistics, media and retail platforms.
Automotive is the densest cluster: VW (Wolfsburg), BMW (Munich), Mercedes-Benz (Stuttgart), Audi (Ingolstadt), Porsche (Stuttgart) and the tier-1 supplier estate (Bosch, Continental, ZF Friedrichshafen) cascade TISAX, ISO/SAE 21434 and UN R155 CSMS expectations across the entire global supply chain. NIS2 / KRITIS coverage spans energy (E.ON, RWE), telecoms (Deutsche Telekom), transport (Deutsche Bahn, Lufthansa), health and digital infrastructure. Federal-government and BSI-certified scope routes through a partnered BSI-certified provider; for commercial scope across all of the above, AxVeil contracts directly.
SaaS & API VAPT
Web, API, mobile and cloud penetration testing for German SaaS, fintech and B2B platforms scaling into EU / US enterprise procurement under SOC 2 Type 2, ISO 27001:2022 and GDPR enforcement.
Automotive TISAX & ISO 21434
TISAX (VDA-ISA) readiness, ISO/SAE 21434 ATO-supporting cybersecurity-case engineering and UN R155 CSMS-aligned testing for German OEMs (VW, BMW, Mercedes-Benz, Audi, Porsche) and tier-1 suppliers across Wolfsburg, Munich, Stuttgart and Ingolstadt.
BSI Grundschutz + GDPR Compliance
BSI IT-Grundschutz-aligned audits, GDPR enforcement-readiness, BaFin BAIT (banking) / VAIT (insurance) / KAIT (asset management) / ZAIT (payment) cross-mapping, NIS2 / KRITIS readiness and ISO 27001:2022 evidence packs.
AdSim
Continuous purple-team simulation against German production stacks with detection-engineering output for in-house SOC and EU MDR providers — tuned for ransomware crews active against German Mittelstand and DAX-listed enterprises.
German regulators and frameworks we map every report to
BSI — Bundesamt für Sicherheit in der Informationstechnik
BSI owns IT-Grundschutz (the German methodological standard for information-security management), the BSI Standards 200-x series, the C5 cloud-security catalogue and the certification regime that runs alongside ISO 27001. BSI also operates the certification scheme for IT-security service providers — AxVeil is not BSI-certified, and BSI-certified scope (most German federal-government work) routes through a partnered BSI-certified provider.
BaFin — BAIT / VAIT / KAIT / ZAIT
BaFin (Federal Financial Supervisory Authority) sets the supervisory IT requirements for banks (BAIT), insurance (VAIT), asset managers (KAIT) and payment institutions (ZAIT). Independent system-security testing, third-party risk and tested incident response are baseline expectations. DORA (Digital Operational Resilience Act, EU 2022/2554) applies to BaFin-supervised entities in addition to these requirements from January 2025.
GDPR + BDSG (Federal Data Protection Act)
Germany enforces EU GDPR through the Federal Commissioner for Data Protection and Freedom of Information (BfDI) at federal level and 16 Länder data-protection authorities at state level. Personal-data breaches must be reported within 72 hours. Penalties reach EUR 20 million or 4% of global annual turnover. Germany's enforcement record is the most active in the EU.
NIS2 + KRITIS
NIS2 Directive (EU 2022/2555) and the German KRITIS (Kritische Infrastrukturen) regime apply to essential and important entities and to operators of critical infrastructure — energy, water, transport, banking, health, digital infrastructure. Tested cyber risk-management measures and incident-reporting obligations to BSI apply. AxVeil scopes NIS2 / KRITIS readiness directly for commercial-tier covered entities; BSI-mandated audit attestation routes through a partnered BSI-certified provider.
TISAX (VDA) + ISO/SAE 21434
TISAX is the German VDA-anchored automotive supply-chain assessment cascaded by VW, BMW, Mercedes-Benz, Audi, Porsche, Stellantis and the wider OEM cohort to tier-1 and tier-2 suppliers. ISO/SAE 21434 + UN R155 CSMS apply to type-approved connected vehicles. AxVeil scopes TISAX AL1 / AL2 / AL3 readiness and ISO 21434 ATO-supporting penetration testing directly.
ISO 27001:2022 + C5
ISO 27001:2022 is the ISMS certification baseline that German enterprise procurement and the public sector ask for. BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the cloud-specific overlay frequently required by German government and regulated buyers for cloud-service-provider attestation. AxVeil supports stage-1 / stage-2 audit prep and Statement of Applicability evidence.
Engagement timeline (typical 14-day Professional VAPT)
Scoping call in CET / CEST (overlapping IST window). NDA + MSA exchanged under preferred jurisdiction (German law / English language supported). DPA (Auftragsverarbeitungsvertrag) signed where AxVeil processes personal data on behalf of the buyer under GDPR Art. 28. Scope, RoE and contracting path locked.
Recon + threat-modelling against Germany-relevant actors and regulators (BSI IT-Grundschutz module mapping, BaFin BAIT / VAIT where applicable, GDPR / BDSG, NIS2 / KRITIS scope determination, OWASP ASVS L2).
Active testing — web, API, mobile, cloud IAM, internal AD, business logic. TISAX-scoped engagements include VDA-ISA control walk-through in parallel. Daily Slack / Teams digest with critical findings as they surface in CET.
Draft report: BSI IT-Grundschutz / BaFin BAIT / GDPR / ISO 27001 / TISAX (where applicable) cross-references with reproducible PoCs and developer-friendly remediation guidance. German-language executive summary supported on request via translation partner.
Readout call with engineering + CISO + Datenschutzbeauftragter (DPO) in CET. Free retest of remediated criticals within 30 days. Final signed PDF for board, BaFin / BfDI / Länder DPA-facing audiences and enterprise / OEM customer auditors.
Sample German engagements (indicative)
Berlin Series-B B2B SaaS — SOC 2 + ISO 27001 + GDPR window pentest
Indicative engagement: a Berlin Series-B B2B SaaS commissions a window-period pentest under TSC CC7.1 / CC8.1 paired with ISO 27001:2022 stage-2 audit prep ahead of a US Fortune-100 enterprise deal and a German DAX customer onboarding. Scope: multi-tenant web app, REST + GraphQL APIs, customer mobile app, AWS IAM on Frankfurt regions, multi-tenancy isolation, Schrems-II-compliant cross-border-transfer evidence. Deliverable: SOC 2 evidence pack, ISO 27001:2022 SoA evidence, GDPR + BDSG gap notes, BSI C5 cross-mapping for cloud-service attestation. Pattern available on request under NDA.
Stuttgart tier-1 automotive supplier — TISAX AL3 + ISO 21434 readiness
Indicative engagement: a Stuttgart tier-1 automotive supplier commissions TISAX AL3 readiness paired with ISO/SAE 21434 cybersecurity-case engineering ahead of a Mercedes-Benz / Porsche onboarding for a new connected-vehicle programme. Scope: VDA-ISA control walk-through (information protection, prototype protection, third-party connection), engineering-environment segmentation, OTA signing infrastructure, telematics back-end. Deliverable: TISAX AL3 evidence pack, ENX audit-handoff package, ISO 21434 cybersecurity-case evidence, ATO-supporting penetration test report. Pattern available on request under NDA.
Frankfurt BaFin-supervised payment institution — BAIT / ZAIT-aligned pentest
Indicative engagement: a Frankfurt BaFin-supervised payment institution commissions a BAIT / ZAIT-aligned independent pentest covering customer-facing web / mobile, payment APIs, SWIFT CSP environment (read-only), internal AD and outsourced-IT third-party risk assurance. DORA Article 24 ICT-risk testing scope noted where applicable. Deliverable: BaFin-cross-mapped findings, SWIFT CSP attestation alignment, DORA Art. 24 evidence-pack design, GDPR breach-notification runbook, board-pack and supervisory-facing evidence. Pattern available on request under NDA.
Germany FAQ
Is AxVeil BSI-certified as an IT-security service provider?
No. AxVeil is not currently BSI-certified under the German Federal Office for Information Security's certification scheme for IT-security service providers (IT-Sicherheitsdienstleister). For BSI-certified scope — most German federal-government tenders, BSI-attestation scope on KRITIS audits and any tender that names BSI certification as the procurement floor — AxVeil partners with a BSI-certified provider that signs the regulator-facing report. For German commercial buyers — SaaS, fintech (non-BaFin-mandated layers), Mittelstand manufacturing, automotive software, e-commerce and foreign-HQ companies with German engineering — AxVeil contracts directly. The contracting path is stated in the proposal up front. Reference: https://www.bsi.bund.de/EN.
Do you support BaFin BAIT / VAIT / KAIT / ZAIT and DORA?
Yes — for commercial layers and for BaFin-supervised firms where the engagement is internal readiness, scope-design or follow-on retest. BAIT (banks), VAIT (insurance), KAIT (asset management) and ZAIT (payment institutions) set the supervisory IT requirements that translate into independent system-security testing, third-party risk and tested incident response. DORA (Digital Operational Resilience Act, EU 2022/2554) applies to BaFin-supervised financial entities in addition to these requirements from January 2025, including TLPT (threat-led penetration testing) thresholds for significant entities. AxVeil scopes BaFin-aligned testing directly for non-systemic entities and partners with TIBER-DE / TIBER-EU-registered providers where TLPT is mandated. References: https://www.bafin.de/, https://eur-lex.europa.eu/eli/reg/2022/2554/oj.
How do you handle GDPR, BDSG, the 72-hour clock and the Länder DPA enforcement landscape?
Every German engagement includes a GDPR + BDSG gap pack covering lawful basis (Art. 6 / 9), purpose limitation, data-subject rights workflow, retention schedule, cross-border-transfer controls (SCCs, TIA, supplementary measures post-Schrems II) and a tested 72-hour breach-notification runbook aligned to the relevant Länder data-protection authority. Germany's 16 Länder DPAs vary in enforcement posture — Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Hamburgische Beauftragte (HmbBfDI) and others all enforce independently. Penalties under GDPR reach EUR 20m or 4% of global annual turnover. Reference: https://www.bfdi.bund.de/EN.
Do you cover TISAX, ISO/SAE 21434 and German OEM supply-chain cybersecurity?
Yes — directly. TISAX (Trusted Information Security Assessment Exchange) is the VDA-anchored automotive supply-chain assessment cascaded by VW, BMW, Mercedes-Benz, Audi, Porsche, Stellantis and the wider OEM cohort to tier-1 and tier-2 suppliers across Germany and globally. AxVeil scopes TISAX AL1 (self-assessment), AL2 (plausibility) and AL3 (on-site) readiness — VDA-ISA control walk-through, evidence pack, gap remediation and ENX-approved auditor handoff — directly. ISO/SAE 21434 ATO-supporting penetration testing of connected-vehicle telematics, OTA platforms, in-vehicle gateways and back-end PKI is scoped directly for OEM and tier-1 buyers preparing for UN R155 type approval.
Where is AxVeil based and how do you deliver across Berlin, Munich, Frankfurt and the Mittelstand?
Engagements are served from our Bengaluru-headquartered team across Germany — Berlin, Munich, Frankfurt am Main, Hamburg, Stuttgart, Cologne, Düsseldorf and the Wolfsburg / Ingolstadt automotive belt. India Standard Time is 4.5 hours ahead of CET (3.5 hours ahead of CEST), so our IST working day overlaps cleanly with the German morning and early afternoon. Daily standups, Slack triage and draft-report walkthroughs run in this window; full-day onsite kick-offs in any German city for sensitive scopes are arranged on a per-engagement basis. We do not maintain a German office. German-language contracting and executive summaries are supported on request via a translation partner; English-language contracting is the default and accepted by the German Mittelstand and DAX-listed buyers we work with.
Cross-links
See /services/vapt for the BSI IT-Grundschutz / BaFin BAIT-aligned VAPT methodology and /services/compliance for GDPR + ISO 27001:2022 + TISAX evidence-pack design. Sibling European / commercial locations: /locations/uk-commercial and /locations/us-commercial. Relevant industry vertical: /industries/saas.
Need penetration testing in Germany? Talk to a tester.
Free 30-minute scoping call in CET. We map your attack surface against BSI / BaFin / GDPR / TISAX expectations and quote in EUR or USD. BSI-certified scope routed through a partnered certified provider; commercial scope delivered direct.