Penetration Test | Jan Kahmen | 4 min read

BSI-Certified Pentest Providers: Certification, Requirements, and the Current List

Who is authorized to perform IS penetration tests according to BSI? Personal certification, company requirements, and the current BSI list.

Anyone commissioning a penetration test faces a fundamental question: how can a provider's competence be objectively verified? The German Federal Office for Information Security (BSI) has established a dedicated certification program for this purpose. It examines both the technical qualifications of individual testers and the organizational quality of the service provider. The result is a publicly accessible list of certified companies that serves as a reliable reference when selecting a vendor.

For clients in the public sector, this certification is often mandatory. But private-sector organizations benefit as well, since it establishes a verifiable quality standard backed by a government authority.

Competence Assessment for Penetration Testers

Certification starts at the individual level. The BSI has replaced its original formal personal certification process with a competence assessment procedure that validates recognized external credentials rather than administering its own exams.

In practice, a candidate must hold at least one of the certificates recognized by the BSI. These include OSCP and OSWE from Offensive Security, GPEN and GXPN from GIAC, the Certified Red Team Operator (CRTO) from Zero-Point Security, and the CPTS from HackTheBox Academy. CompTIA PenTest+, the CREST Registered Penetration Tester (CRT), and the EC-Council certifications CEH (Practical) and CPENT are accepted as well. The BSI also evaluates other certificates on a case-by-case basis, provided they include a demonstrable practical component of at least 60 percent and a final exam with a strong hands-on element.

Two conditions apply to all submitted credentials: the certificate must not be older than three years at the time of application and must still be valid. Someone who earned their OSCP four years ago without renewing it will need to retake the exam.

Applications are not submitted by individual testers but centrally by the IT security service provider through the BSI's recognition office. The company coordinates all registrations, modifications, and re-enrollments, assembling the complete set of supporting documents. Incomplete applications will not be processed.

Company Certification

Individual competence alone is not sufficient. For a company to appear on the BSI list, it must complete the IS penetration test certification program. The central requirement is that the company must employ at least two individuals whose competence in IS penetration testing has been verified. This ensures the provider does not depend on a single person and that projects remain staffed even during personnel changes or peak workloads.

Company and personal certification run in parallel. A firm cannot have its employees certified independently and apply for corporate certification later; both processes are coupled. Beyond technical expertise, the BSI also assesses reliability, independence, and the quality of service delivery. The process is governed by the certification procedure description for IT security service providers together with the IS penetration test program, which describes the mandatory requirements in detail.

Certification is granted for a defined period and must be renewed regularly. Among the currently listed companies, the typical validity period is three years.

The Current BSI List of IS Penetration Test Providers

The BSI publishes the list of certified IT security service providers on its website. Currently, 18 companies are certified in the IS penetration testing scope:

Company | Valid until
------------------------------------ | -----------
@-yet GmbH | 14.01.2029
CGI Deutschland B.V. & Co. KG | 31.05.2027
datenschutz cert GmbH | 14.05.2027
Deutsche Telekom MMS GmbH | 31.01.2029
Deutsche Telekom Security GmbH | 30.06.2028
Ernst & Young GmbH WPG | 14.10.2026
Eviden Germany GmbH | 31.12.2025
HiSolutions AG | 31.05.2026
Infodas GmbH | 31.05.2028
PwC Cyber Security Services GmbH | 14.08.2027
PwC GmbH WPG | 14.06.2027
secunet AG | 01.08.2028
secuvera GmbH | 31.03.2028
SVA System Vertrieb Alexander GmbH | 15.12.2028
SySS GmbH | 14.11.2028
turingpoint GmbH | 14.11.2028
TÜV Informationstechnik GmbH | 29.02.2028
TÜV TRUST IT GmbH | 29.02.2028

The list includes both large consulting firms and corporate subsidiaries as well as specialized mid-sized providers. Notably, some companies have been certified for over a decade and regularly renew their accreditation, while others have joined more recently. The market is growing, and the BSI has deliberately opened the process to additional qualified providers in recent years.

What the Certification Means for Clients

An entry on the BSI list is not a marketing label but the result of a documented assessment process. For clients, this means that the technical qualifications of deployed testers have been verified against internationally recognized certifications, the provider employs at least two qualified penetration testers, and the certification is renewed on a regular basis.

The BSI certification is particularly relevant for organizations subject to IT-Grundschutz or those executing public-sector contracts. In many federal and state-level procurement processes, IS penetration tester certification is a hard prerequisite. But even without a formal obligation, the list provides a reliable indicator during vendor selection because it is based on a transparent, BSI-supervised procedure.

Conclusion

The BSI certification for IS penetration testing establishes a traceable quality standard on two levels: individual testers must demonstrate their competence through recognized hands-on certifications, and companies must meet organizational minimum requirements. Anyone looking for a qualified pentest provider will find the BSI list a solid starting point. And service providers themselves can leverage the certification as a strategic differentiator that builds trust with clients and strengthens their position in procurement processes.