Skip to main content

Cyber Attack Services

Penetration Testing

Contact us
Submit RFP

Our penetration testing services offer comprehensive, end-to-end testing capabilities for complex connected ecosystems, ranging from in-depth hardware testing to mobile applications and cloud environments, including internal/external infrastructures and applications. Our testers and project managers have the expertise to execute and deliver large-scale, global penetration testing programs, managing hundreds of projects annually.

2008-2012

ERA OF COMPLIANCE

Regulation standards (ISO, PCI, SOX, etc.) Cyber’s predominant focus is on security

Find out more

2012-2018

ERA OF RISK

Publicized breaches Major cyber incidents Cyber elevates to a business issue, focus is on risk management and resilience

Find out more

2018-2025

ERA OF COMPLEXITY

Cyber is everywhere, uncertain, interconnected, and driven by innovation. With digital, cloud, IT/OT, and IoT, the focus is managing risks beyond our control.

Find out more

Penetration testing at application level with (grey-box) or without user accounts (black-box) included but not limited to:

  • Web applications and APIs
  • Mobile applications
  • Binary applications
  • SAP 

On top of the typical application security problems, these tests also cover the business logic and vertical/horizontal authorization issues to provide deep understanding of the cyber security status of the given application.

Infrastructure level testing of external perimeters, entire internal networks, including wireless systems.This also includes testing of various cloud-based setups, cloud-only or hybrid solutions.These tests can also focus on specific infrastructure elements, like remote access solutions (e.g., breakout tests in VDI environments), ATMs or HMIs in highly sensitive environments.

We assess the security configuration of an SAP deployment, including cryptographic practices and authorization structures. We also identify remote connections and interfaces, evaluating their security. Additionally, we conduct automated and semi-automated tests on custom ABAP code to detect vulnerabilities. The results from these steps will be used to create attack scenarios, which will be discussed and approved by the client before execution. The outcome will provide a comprehensive insight into the overall security posture of the SAP system

Threat-driven simulation of real-world cyber attack. The scenarios may include, but are not limited to, simulations of external or internal attackers, with or without access, targeting various system components (such as internal/external infrastructure and applications) or individuals through social engineering tactics (like spear phishing or physical intrusion) to achieve a predetermined goal.Our team is experienced in conducting Thread-Led Penetration Testing for TIBER EU or DORA TLPT based tests.

Testing and evaluation of self-developed or off-the-shelf electronics, IoT, automotive or healthcare devices. Typical projects include:

  • Circuit level testing (hardware hacking)
  • Firmware level assessment
  • Bus and interface testing, including internal and external communication channels
  • Application and backend testing

Specialized services focusing on the automotive industry's cyber security needs. Security testing on complete cars as well as individual ECUs. Testing activities address investigation on electronics and firmware level, in-vehicle automotive buses like CAN, Automotive Ethernet or FlexRay and the connected vehicle ecosystem. Supporting OEMs and TierNs regarding regulatory requirements of UN ECE R155 (WP29) with Cyber Security Management Services (in accordance with standard ISO/SAE 21434).

Todays connected automotive ecosystems require well designed multilayer cyber security protection, from the security of ECU to ECU communication in the vehicle through backend communication and to the various connected features. A typical automobile today contains a large number of computational systems running up to 100 million lines of programming code. As vehicles continue to expand in complexity, the attack surface of an automobile also expands. A single vulnerable device can leave an entire automotive ecosystem open to attack and the potential exposure ranges from inconvenience to massive safety breakdowns.This makes the connected automotive ecosystem a valuable target for attackers and consequently it is important to be aware of potential cybersecurity risks and vulnerabilities.Deloitte has developed its unique training and demonstration environments which are ideal for practicing automotive security testing tools and techniques.

Learn more about Automotive Cyber Security Training

We cover the security needs of complex industrial environments, from the shop floor to the product and its backend environment as well. The range of tests includes, but is not limited to:

  • Penetration testing on application and network-level
  • Shop floor infrastructure security assessment
  • Network segmentation and configuration review
  • Hardware-level security testing of Industrial IoT (IIoT) devices
  • Simulation of ransomware and APT attacks 

About us

Deloitte Hungary Cyber Risk Services (CRS):

  • Our services go beyond technical vulnerability assessments. We translate technical issues found to business risks.
  • More than 500 tests/year worldwide
  • Diverse selection of clients including financial services, telecom and manufacturing and automotive
  • Centre of Excellence for Cyber Security Services in Central Europe
  • Collaborative approach with Deloitte member firms throughout the world
  • Specialized professional team for automotive security testing and training 
  • Unique hardware hacking services
  • IoT and ICS security services

1. What is penetration testing and why is it important for organizations? 

Penetration testing (ethical hacking) is a simulated cyber attack that helps identify vulnerabilities in systems, applications, and networks before malicious actors can exploit them. It provides a realistic view of an organization’s cyber resilience and helps meet regulatory and compliance requirements while improving security posture. Penetration testing combines automated testing with manual checks to ensure efficient vulnerability detection. 

2. What types of penetration testing does Deloitte offer? 

Deloitte provides a wide range of penetration testing services, including: 

  • Application-level testing (web, mobile, binary, SAP) 

  • Infrastructure penetration testing (internal, external, cloud, wireless) 

  • Red Teaming / TLPT / TIBER EU threat simulations 

  • Hardware and IoT testing 

  • Automotive and Industrial Control Systems (ICS) testing 
    Each service is tailored to the specific environment and risk profile of the client. 

3. How is a penetration test different from a vulnerability assessment? 

A vulnerability assessment identifies known weaknesses in systems through automated scanning. Penetration testing, on the other hand, involves expert-driven exploitation to validate and understand the real-world impact of those vulnerabilities — providing deeper insight into potential attack paths and business risks. 

4. How does Red Teaming or TLPT (TIBER EU) testing differ from traditional penetration testing? 

Red Teaming and TLPT go beyond standard testing by simulating real-world attack scenarios targeting people, processes, and technology. These engagements test an organization’s detection and response capabilities, not just its technical defenses, in alignment with TIBER EU or DORA TLPT frameworks. Lastly, while a penetration test typically focuses on a specific system, red teaming typically has a wide scope and may include various types of test activities and chaining attacks to achieve goals attackers may have. 

5. What is SAP penetration testing and why is it critical? 

SAP systems often manage an organization’s most sensitive business data. Deloitte’s SAP penetration testing evaluates security configurations, authorization structures, and custom ABAP code to uncover vulnerabilities. It helps prevent data breaches, fraud, and service disruptions in critical business operations. 

6. How is penetration testing conducted for automotive and IoT systems? 

Automotive penetration testing includes ECU level (hardware, firmware and interface), function level, in vehicle networks (e.g., CAN, Ethernet, Flexray), and vehicle level penetration testing. It also includes testing the whole connected ecosystem (e.g., backends, web/mobile/API applications) of a modern vehicle. These tests ensure compliance (e.g., UN ECE R155, ISO/SAE 21434), and resilience. 

For IoT and hardware, assessments cover hardware, firmware, interfaces, and the connected ecosystem of the given device to detect exploitable flaws. 

7. How often should penetration testing be performed? 

Penetration testing should be conducted at least annually, or after any major infrastructure or application change. Regular testing ensures new vulnerabilities introduced through updates, integrations, or configuration changes are identified and mitigated promptly. 

Our thinking

Cybersecurity in Medical Devices: From Insight to Action

As connected medical devices become increasingly complex, cybersecurity has emerged as a fundamental element of patient safety and regulatory compliance.
Research
3 minute read

Defcon Biohacking Village 2024

Dragoș Ionică – Senior Manager at Deloitte, and four other teammates from Secureworks, have shown their skills and technical expertise by winning the prestigious cybersecurity competition in the medical field at the 32nd edition of Defcon, held in Las Vegas.
Blog

Magyar AI Körkép 2025

A stratégiai gondolkodás és a szervezeti átalakítás nélkülözhetetlen az AI sikeres integrálásához
Perspective

A kvantumkorszak a lehetőségek és kihívások új dimenzióját hozza el | Deloitte Magyarország

Új időszámítás közelít a számítástechnikában. A kvantumkorszak beköszönte, eddig nem látott lehetőségeket, ugyanakkor alapvető veszélyeket is rejt magában. A kvantumszámítógépek segíthetnek megoldani a hagyományos számítógépekkel megoldhatatlan matematikai műveleteket is, ezzel azonban számos titkosítási módszert is elavulttá fognak tenni. 
Analysis

Cyber Risk Services Overview

Secure success

Operate with resilience. Grow with confidence
Download a detailed description of our services!

Download leaflet

Ready to find your cyber solution?

László Tóth

László Tóth

Partner
Gergely Tóth

Gergely Tóth

Director
András Kabai

András Kabai

Director