
Choosing pentest company in Belgium: what to look out for?

How do you choose the right pentest company in Belgium? Find out which certifications, methodologies and price factors really count. Includes NIS2 checklist.
An IT manager and a cybersecurity consultant analyse a digital security report together on a laptop, symbolising the strategic value of choosing a certified pentest company for NIS2 compliance.

Choosing a pentest company in Belgium is not about the lowest price, but about the right combination of certifications, methodology, reporting quality and knowledge of Belgian regulations such as NIS2. This article helps you tick off the most important selection criteria so you choose a pentest partner that really adds value.

Why choosing your pentest partner is crucial

A penetration test is more than a technical exercise. The result determines whether your organization discovers vulnerabilities in time, whether your audit report holds up in an NIS2 compliance review, and whether your IT team gets concrete guidance on how to structurally improve security.

Yet the market is cluttered. From freelance ethical hackers to international consulting firms, the range of providers in Belgium is wide and the differences in quality are great. If you choose wrong, you pay for a report that provides little more than an automated scan. If you choose right, you get a partner who looks at your systems through the eyes of a real attacker and helps you make targeted security investments.

In this article, we go through the seven criteria that make the difference when selecting a pentest company in Belgium.

Certifications: which ones are really relevant?

The first selection criterion is the certification of the pentesters themselves. Not the company, but the people who actually test your systems. The three certifications that carry the most weight in the Belgian market:

OSCP (Offensive Security Certified Professional) is widely considered the gold standard for penetration testers. The exam lasts nearly 24 hours and requires candidates to compromise and document live systems. An OSCP holder has proven that he or she can find and exploit vulnerabilities in realistic environments.

CEH (Certified Ethical Hacker) is a well-known certification that validates a broad base in ethical hacking. CEH is stronger on a theoretical level and is often requested in job postings, but lacks the hands-on depth of OSCP.

CISSP (Certified Information Systems Security Professional) focuses on designing and managing security programs. This certification is particularly valuable with pentesters who also provide strategic advice on your overall security architecture.

When quoting, always ask what certifications the individual testers have. A company may claim on its website that the team is certified, but it makes a difference whether the junior or senior is working on your project.

Manual testing versus automated scanning

This is the criterion where the biggest differences in price, and in quality, lie. A vulnerability scan runs automated tools and provides a list of potential vulnerabilities. A pen test goes further: an ethical hacker actually tries to exploit those vulnerabilities, chaining weaknesses together and testing whether an attacker can move laterally through your network.

The difference is similar to having a building inspected on paper versus asking a burglar to actually come in. Both are useful, but only the second shows what is really possible.

Ask every pentest company this question: what percentage of testing hours is manual analysis by an experienced pentester? Good agencies spend at least 60 to 70 percent of testing time on manual work. Organizations that exclusively offer automated scans under the label “pentest” provide a fundamentally different product.

Knowledge of Belgian regulations and compliance

A pentest company operating in Belgium must be aware of the Belgian regulatory landscape. This goes beyond “we know NIS2.” Specifically, it means:

The company understands the CCB’s CyberFundamentals (CyFun) framework and can outline how their pen test contributes to your compliance assessment. Essential entities must achieve the CyFun “major” level by April 18, 2026, and essential entities must be certified at the “essential” level by April 18, 2027.

The pentest report can be used as an exhibit in an audit or compliance assessment for NIS2, ISO 27001 or DORA. That requires a structured report with risk classification (CVSS scores), reproducibility steps and recommendations consistent with frameworks such as CIS18 or the CyFun framework.

The company is familiar with Flemish subsidy opportunities. Through the VLAIO KMO-portefeuille, small enterprises receive 45% and medium-sized enterprises 35% subsidies on cybersecurity advice, including pen tests. Since February 2026, cybersecurity has been the only topic for which consulting subsidies are possible through the SME portfolio. In addition, through cybersecurity improvement projects, VLAIO subsidizes up to 50% of the costs for projects between €7,100 and €39,000.

Scope and test method: black box, grey box or white box?

A sound pen testing company does not set the scope for you, but discusses it with you. The choice of testing method has a direct impact on the cost and depth of results:

In a black box pen test, the tester gets no inside information about your systems. This simulates an external attacker, but takes more time and is therefore more expensive. In a grey box pentest, the tester receives basic information such as network topology or user accounts, allowing for more in-depth testing more quickly. In a white box pen test, the tester has full access to source code and documentation, which is ideal for application security.

In practice, a grey box pen test provides the best balance of cost and insight for most SMEs. You get deeper results than with black box, without the added cost of the tester starting completely blind.

Reporting: for IT and management

A pentest report that contains only technical jargon is a missed opportunity. Your IT team needs the technical details to remediate vulnerabilities. Your board or management needs a management summary that translates risk into business impact.

Always ask for a sample report (anonymized). Look for these elements: a clear executive summary, a risk rating per vulnerability (critical, high, medium, low), reproduction steps so your team can verify each finding, concrete recommendations with prioritization, and a retest after remediation.

That last point, the retest, is an important difference between pen testing companies. Some agencies offer a standard retest after remediating the findings. Others charge extra for this. Ask about this in advance.

Price indication: what does a pen test in Belgium cost?

The cost of a professional pen test in Belgium varies greatly depending on the scope, complexity and testing method. As a general guideline for the Belgian market:

A simple external infrastructure pen test starts around €3,000 to €5,000. A more extensive test of a complex environment with multiple systems, web applications or APIs runs to €7,000 to €15,000 or more. Organizations with NIS2 obligations that require a combined internal and external test quickly enter the €10,000 to €20,000+ range.

Don’t choose on price alone. A €2,500 pen test consisting largely of automated scans fundamentally delivers less than a €6,000 investment in manual testing by certified professionals. Moreover, through the VLAIO SME portfolio, you can get up to 45% of these costs back as a subsidy.

Want a detailed price estimate for your specific situation? Contact Cyberplan for a no-obligation scoping consultation.

Practical checklist: 7 questions to ask every pentest company

Before requesting a quote, ask these questions to assess the quality of a pen testing company:

  1. What certifications do the pentesters working on my project have (OSCP, CEH, CISSP)?
  2. What percentage of testing time is manual analysis versus automated scanning?
  3. Do you provide a report that is usable as a proof of NIS2 compliance or ISO 27001?
  4. Do you offer a retest after remediating the findings?
  5. Do you have experience in my sector and do you know the relevant Belgian regulations?
  6. Do I get a management summary in addition to the technical report?
  7. Are you registered as a service provider for the VLAIO SME portfolio?

Those who get clear answers to all these questions have a strong basis for choosing the right partner.

Conclusion

Choosing a pen testing company in Belgium is a strategic decision that goes beyond a price comparison. Certifications of the individual testers, the balance between manual and automated testing, knowledge of Belgian regulations and the quality of reporting make the difference between a report that disappears in the drawer and an investment that structurally improves your security.

At Cyberplan, we combine OSCP, CEH, CISSP and CISM certified ethical hackers with in-depth knowledge of NIS2, CyFun and the Flemish SME market. We deliver reports in human language, collaborate with your IT team and help you maximize VLAIO grants.

Want to know how your systems score? Schedule a no-obligation introductory meeting and find out which pentest approach best suits your organization.

Frequently asked questions

What does a pen test cost in Belgium?

A professional pen test in Belgium starts around €3,000 for a simple external test. More complex engagements with internal and external tests cost €7,000 to €15,000 or more. Through the VLAIO SME portfolio, you get up to 45% subsidy on this investment.

How often should a company have a pen test performed?

For IT infrastructure, an annual pen test is the common best practice. Web applications are best tested before each major release and after significant changes. Under NIS2, regular testing is expected as part of your risk management measures.

What is the difference between a pen test and a vulnerability scan?

A vulnerability scan is an automated check that detects possible vulnerabilities. A pen test goes further: an ethical hacker actually tries to exploit vulnerabilities and find out how far an attacker can get. Only a pen test shows the real impact on your organization.

What certifications should a pentest company have?

Look at the certifications of individual testers, not just the company. OSCP is the gold standard for hands-on pentesting. CEH validates broad knowledge of ethical hacking. CISSP is valuable for strategic security consulting. Ideally, the team combines multiple certifications.

Is a pen test mandatory under NIS2?

NIS2 does not mandate pen testing per se, but requires that organizations take appropriate measures to manage risk. In practice, auditors and conformity assessment bodies expect you to have periodic technical tests performed. A pen test is the most recognized tool for this purpose.

Can I get funding for a pen test in Belgium?

Yes. Through the VLAIO SME portfolio, small enterprises receive 45% and medium-sized enterprises 35% subsidies on cybersecurity advice, including pen tests. In addition, VLAIO offers cybersecurity improvement projects with 50% subsidy on projects up to €39,000.