Penetration testing providers in Switzerland: 2026 buyer guide
Swiss companies face more than 30 penetration testing providers on the market, from solo consultants to Big Four advisories. Quality varies widely, prices range by a factor of ten, and only a fraction of providers meet the requirements FINMA-regulated institutions or TIBER-CH tests demand.
How do you choose a penetration testing provider in Switzerland?
Four criteria determine whether a Swiss penetration testing provider is qualified. First, CREST accreditation at company level and CREST CRT or CCT certifications for the testers actually performing the engagement. Second, openly communicated methodology based on the OWASP Testing Guide, OWASP ASVS, PTES and NIST SP 800-115. Third, transparent pricing with defined day rates and scope-based fixed prices instead of vague "on request" quotes. Fourth, industry experience in your regulatory environment, documented through references, audit-annex experience and demonstrable compliance mappings to FINMA Circular 2023/1, ISO 27001 or TIBER-CH. Providers missing two or more of these criteria typically deliver shallow reports without a defendable audit trail.
Six criteria for choosing a provider
Company certification
CREST accreditation at company level is the international gold standard. For TIBER-CH-compliant tests, CREST is typically a precondition. ISO 27001 of the provider itself shows internal security is taken seriously.
Tester certifications
At individual level: OSCP, OSCE, OSWE, CREST CRT, CREST CCT, GPEN. Confirm that the testers working on your project hold these credentials, not just the company.
Methodology
Reputable providers publish their methodology: OWASP Testing Guide, OWASP ASVS for web applications, OWASP API Security Top 10 for APIs, PTES for infrastructure, NIST SP 800-115 as overarching framework.
Pricing transparency
Avoid providers that quote only on request. Serious providers publish price ranges per test type. A web app pentest under CHF 6,000 is suspiciously thin; above CHF 25,000 requires a plausible justification.
Industry and compliance experience
For FINMA-regulated institutions, healthcare providers and critical infrastructure, sector-specific experience is not optional. Ask for sample audit annexes and compliance mappings.
Reporting quality
Request a sample report. A good report contains a management summary, CVSS-rated findings, proof of concept, business-impact analysis and prioritised remediation. Pure tool-output reports give themselves away by page counts of 200+ with no narrative structure.
Penetration testing price ranges in Switzerland 2026
| Test type | Price | Duration |
|---|---|---|
| Web Application Pentest | CHF 8,000 – 15,000 | 5 – 10 days |
| External Infrastructure | CHF 10,000 – 20,000 | 5 – 10 days |
| Internal Infrastructure | CHF 12,000 – 25,000 | 5 – 15 days |
| Mobile App (iOS / Android) | CHF 10,000 – 18,000 | 5 – 10 days |
| API Security Assessment | CHF 8,000 – 15,000 | 5 – 10 days |
| Wireless Assessment | CHF 8,000 – 14,000 | 5 days |
| Red Teaming (full scope) | CHF 40,000 – 150,000 | 4 – 8 weeks |
Three red flags that reveal weak providers
Day rates under CHF 1,500 without explanation. Experienced CREST-certified testers in Switzerland typically charge CHF 1,800 to CHF 2,500 per day. Significantly lower rates indicate junior staff or offshore delivery.
No sample reports available. Established providers have anonymised samples or at least table-of-contents previews. "We cannot share for confidentiality reasons" is plausible only if some structural template or pattern can be shown.
Tools instead of methodology. When a provider talks primarily about tools (Burp, Nessus, Metasploit) rather than methodology (OWASP, PTES, MITRE ATT&CK), the engagement is likely scan-driven without manual depth.
Frequently asked questions about provider selection
Answers to the questions Swiss security leaders most often raise when selecting a provider.
How many CREST-accredited pentest providers are there in Switzerland?
As of 2026, only a handful of Swiss providers hold company-level CREST accreditation. RedTeam Partners is among the few CREST-accredited providers in German-speaking Switzerland. CREST publishes the current list at crest-approved.org.
How do Swiss pentest providers differ from foreign ones?
Swiss providers offer three advantages: familiarity with the Swiss Data Protection Act, FINMA circulars and TIBER-CH; on-site availability for internal infrastructure tests; and data residency within Switzerland, which is often a regulatory precondition. Foreign providers are typically cheaper but fail on residency and compliance requirements.
What is the difference between CREST and ISO 27001 for a pentest provider?
CREST certifies the offensive security service itself (methodology, tester qualification, reporting standards). ISO 27001 certifies the information security management system of the provider (internal processes, data protection). A serious provider holds both.
Should you keep the same provider every year?
Recommendation: rotate providers every 2 to 3 years to avoid blind spots. Recurring tests can stay with the same provider for consistency, but at least one major audit per cycle should be performed by a second provider.
Can small providers do work as good as large ones?
Yes, often better. Solo CREST CCT testers and small boutique providers frequently have deeper technical expertise than Big Four consultancies, where the actual test gets delegated to junior staff. Individual tester qualification matters more than firm size.
How many providers should you compare during selection?
Three is optimal: one as the price anchor, one as the quality anchor (an established CREST provider), one as the industry specialist. With more than five, comparisons become muddied. Give all three the same scoping document so the proposals stay comparable.
You don't know what attackers see in your network. We do.
30 minutes. A CREST-certified offensive security expert shows you where your biggest risk lies. Free. No obligation. Just facts.
No sales pitch: only insights you can act on tomorrow
30-minute video call with a CREST-certified offensive security expert
Analysis based on your actual infrastructure, not a generic template