If you're shortlisting penetration testing providers in Singapore, you have a problem most people don't envy. The range is wide. Global consultancies that charge enterprise rates. Local boutiques that know the regulatory landscape. Product companies with a services arm bolted on.
This list covers ten firms with a confirmed Singapore presence and real penetration testing capabilities. I've kept the descriptions honest because I'd want the same if I were the buyer.
One disclosure upfront: Bravix Infosecurity is my company. It's on this list because it belongs here, but I've applied the same criteria to every entry. Take the ranking as a starting point, not a verdict.
1. Bravix Infosecurity
Founded: 2025 | Certifications: CREST CRT, OSCP | Focus: Offensive assessments, AI security, OT/ICS security, VAPT
Bravix is a CREST-certified consultancy based in Singapore, built around manual penetration testing and AI/LLM security. Every finding is hand-verified. No scanner dumps dressed up as a report. The team comes from red teaming and bug bounty backgrounds, which means you get people who think like attackers, not auditors running checklists.
Two things separate Bravix from the rest of this list. First, AI security. If you're deploying LLMs, AI agents, or copilots and need someone to actually attack them, this is the niche Bravix occupies. Second, OT/ICS security -- operational technology and industrial control systems. Most firms treat OT as an afterthought. Bravix has people who understand both IT and plant-floor environments, which matters if you're in manufacturing, energy, or critical infrastructure. They also cover traditional VAPT, red teaming, GRC, and vCISO work for clients in fintech, healthcare, SaaS, and manufacturing.
Best for: Organisations that want consultant-driven testing, not automated scans. Especially strong for AI security and OT/ICS environments.
2. Vantage Point Security
Founded: 2014 | Certifications: CREST approved, ISO 27001, SOC 2, CSRO licensed | Focus: Penetration testing, red team operations, cloud compliance, mobile application security
Vantage Point has been operating from Singapore since 2014 and has built a strong reputation in banking and financial services across Southeast Asia. They're CREST approved and ISO 27001 certified, with teams in Singapore, Indonesia, and Thailand.
They authored the OWASP Mobile Application Security Testing Guide (MASTG) -- the global standard for mobile app security testing. That's not a marketing claim; it's a contribution that every mobile pentester worldwide uses. If you need mobile application penetration testing, Vantage Point is one of the most credentialed firms in the region for it.
Best for: Financial services and organisations that need CREST-approved penetration testing with deep mobile application expertise.
3. Ensign InfoSecurity
Founded: 2018 | Certifications: ISO 27001, ISO 9001 | Focus: Managed security services, strategic advisory, defence operations
Ensign is the largest pure-play cybersecurity firm in Singapore. It's a joint venture between Temasek and StarHub, ranked 1st in Asia and 6th on the global MSSP list. If you need a full managed detection and response setup with 24/7 monitoring, threat intelligence, and a security operations centre, Ensign is built for exactly that.
They're less of a boutique pentest shop and more of an end-to-end security partner. For large enterprises or government-linked organisations that need a single vendor for their entire security lifecycle, Ensign has the scale and local presence to deliver.
Best for: Large enterprises and GLCs that need a full-service security partner with managed services, not just a one-off pentest.
4. Sekuro (formerly Privasec)
Founded: 2015 (Australia), SG office at International Plaza | Certifications: ISO 27001 | Focus: Penetration testing, red teaming, security advisory, GRC
Sekuro (rebranded from Privasec) is a pentest-focused security consultancy with a Singapore office at International Plaza, Anson Road. They operate across Australia, Singapore, Malaysia, Philippines, and the UK. Unlike the Big Four firms on this list, Sekuro leads with offensive security -- penetration testing and red teaming are core services, not add-ons to a consulting engagement.
They're a practical mid-market option. If you want a firm that specialises in hands-on testing without the enterprise price tag of the global consultancies, Sekuro sits in that gap. Strong presence in the Australian market with growing APAC operations.
Best for: Mid-market organisations that want a pentest specialist rather than a generalist consulting firm, at a more accessible price point.
5. ITSEC Asia
Founded: 2009 | Certifications: CREST accredited, ISO 27001, ISO 9001, ISO 14001 | Focus: Penetration testing, OT/SCADA security, managed SOC, vulnerability assessment
ITSEC has been in the game for 16 years with offices in Indonesia, Singapore, Australia, UAE, and Mauritius. They hold CREST accreditation alongside three ISO certifications, which puts them in a small group of firms that have invested heavily in formal assurance. They report 400+ professional personnel and 7,000+ projects delivered.
They're particularly strong in OT/SCADA security -- one client testimonial specifically calls out improved OT security without interrupting production processes. If you're running industrial environments and need pentest coverage that understands plant-floor constraints, ITSEC has the experience.
Best for: OT/SCADA environments and organisations that want a CREST-accredited provider with deep APAC operational experience.
6. Accenture (Singapore Cybersecurity)
Founded: 1989 | Certifications: ISO 27001, SOC 2, FedRAMP | Focus: Cyber resilience, managed security, AI-enabled security, zero trust transformation
Accenture's Singapore cybersecurity practice sits within their global security division. They're strong on the strategy and transformation side: security operations centre build-outs, zero trust architecture, identity management, and increasingly Gen AI security. Their annual State of Cybersecurity Resilience report is worth reading if you're benchmarking your program.
For hands-on penetration testing, they're competent but not specialised. You're paying for the Accenture machine -- project management, methodology, global threat intelligence -- rather than individual tester flair. That suits some organisations fine, particularly those that need a vendor their procurement team already trusts.
Best for: Large organisations that need security transformation programs (SOC, zero trust, identity) alongside assessment work, and want a single vendor for all of it.
accenture.com/sg-en/services/cybersecurity
7. Deloitte (Southeast Asia Cyber Risk)
Founded: 1845 | Certifications: ISO 27001, SOC 2 | Focus: Cyber risk advisory, GRC, penetration testing, privacy (PDPA)
Deloitte's Southeast Asia cyber risk practice is headquartered in Singapore and is the most regulatory-savvy option on this list. If you're dealing with MAS TRM, PDPA compliance, or a major audit and need someone who speaks both security and governance fluently, Deloitte has the people and the methodologies.
On the technical testing side, they offer penetration testing and vulnerability management, but it's wrapped in a consulting framework. You'll get structured deliverables, clear remediation roadmaps, and executives who can present to a board. You won't necessarily get the most aggressive tester. Different tool for a different job.
Best for: Regulated industries (banking, insurance, healthcare) that need audit-ready security testing with strong governance and compliance reporting.
8. PwC (Singapore Cybersecurity)
Founded: 1998 (global network) | Certifications: ISO 27001, SOC 2 | Focus: Cyber strategy, threat and vulnerability management, data privacy, identity and access management
PwC's Singapore cybersecurity practice sits within their broader consulting arm. They focus on cyber strategy and transformation, security operations, cloud security, and data privacy. Their threat and vulnerability management service covers penetration testing, though it's positioned as part of a wider risk program rather than a standalone engagement.
If you're already using PwC for audit or advisory work, extending to penetration testing is the path of least resistance. Strong on governance, compliance, and board-level reporting. Less specialised on hands-on offensive work than the boutiques higher up this list.
Best for: Existing PwC clients who want to consolidate vendors and value governance integration.
9. EY (Singapore Cybersecurity)
Founded: 1989 (global) | Certifications: ISO 27001, SOC 2 | Focus: Cyber resilience, technology risk, identity management, cyber incident resilience and response
EY's Singapore cybersecurity practice focuses on resilience, risk management, and digital transformation security. Their Cyber Incident Resilience and Response solution is a notable offering -- it bridges the gap between proactive testing and incident preparedness, which is useful if you want both from the same vendor.
Like the other Big Four firms, EY delivers penetration testing as part of a broader consulting engagement. The strength is in structured methodology, risk framing, and executive communication. For technical depth at the exploit level, the boutiques on this list will give you more per dollar.
Best for: Organisations that want cyber resilience and incident response planning alongside vulnerability assessment, from a Big Four framework.
10. KPMG (Singapore Cybersecurity)
Founded: 1987 (global) | Certifications: ISO 27001, SOC 2 | Focus: Technology risk consulting, cyber defence, cloud security, data privacy
KPMG's Singapore cybersecurity practice operates under their risk consulting division. They cover cyber strategy, security operations, cloud security, and data privacy. Their SG website has a dedicated cyber insights section, and they're active in the local regulatory conversation around MAS TRM and PDPA.
Similar profile to PwC and EY: strong on governance and risk, competent on technical testing but not as a core specialisation. If you're an existing KPMG client, they're a practical choice for consolidating your security assessments with your broader audit and advisory relationship.
Best for: Existing KPMG clients in regulated industries who want cybersecurity testing integrated with their audit and risk advisory program.
How to choose a penetration testing provider in Singapore
Before you sign anything, ask these questions:
- Who's actually doing the testing? Some firms sell the engagement then hand it to a junior consultant. Ask for the lead tester's certifications and experience. CREST CRT or OSCP is the minimum. If they can't tell you who's on the team, that's a red flag.
- Manual testing or scanner output? A real pentest involves manual exploitation, business logic testing, and chaining vulnerabilities together. A vulnerability scan run by a human is not a pentest. Ask how much of the engagement is manual.
- Do you understand Singapore's regulatory landscape? MAS TRM, PDPA, CSA guidelines, and the Cybersecurity Act all have specific testing requirements. Your provider should know which framework you're testing against without you explaining it.
- What does the report look like? Ask for a sample report (redacted). You should see: an executive summary your board can read, technical findings with proof-of-concept steps, and remediation guidance your engineers can act on. If the sample is 200 pages of Nessus output, walk away.
- What happens after the report? Good providers offer remediation support, retesting, and are available for questions after delivery. Bad ones hand you a PDF and disappear.
How much does penetration testing cost in Singapore?
Rough ranges based on what we see in the market:
- Web application pentest -- SGD 8,000 to SGD 25,000 depending on size and complexity
- Network infrastructure pentest -- SGD 10,000 to SGD 30,000 for an internal/external combo
- Mobile application pentest -- SGD 8,000 to SGD 20,000 per platform (iOS, Android)
- Red team engagement -- SGD 30,000 to SGD 80,000+ for a multi-week, full-scope exercise
- AI/LLM security assessment -- SGD 15,000 to SGD 40,000 depending on model complexity and deployment architecture
Prices vary based on scope, provider tier, and how quickly you need it done. The cheapest option is rarely the best value. A SGD 5,000 pentest that misses a critical vulnerability costs you more than a SGD 20,000 pentest that finds it.
Common questions
How often should we do penetration testing?
MAS-regulated financial institutions must test at least annually per MAS TRM requirements. For everyone else: annually for external-facing assets, after major architectural changes, and before any compliance audit. Some organisations run continuous testing with quarterly engagements. If you're unsure, your specific regulatory framework will tell you the minimum.
What's the difference between VAPT and penetration testing?
VAPT combines vulnerability assessment (automated scanning) with penetration testing (manual exploitation). Penetration testing is the manual part. A proper engagement includes both: scanning finds weaknesses, manual testing confirms which ones real attackers could exploit. For more detail, read our VAPT guide.
Do we need CREST certification from our provider?
For MAS-regulated entities, CREST is effectively expected. For government tenders in Singapore, it's often required. For private sector work, it's not mandatory but it's the strongest signal of technical competence. CREST accreditation means the firm and its testers have been independently assessed. Anyone can hold an OSCP. Not anyone can pass CREST's organisational review.
Looking for a penetration testing provider in Singapore?
Bravix Infosecurity is a CREST-certified cybersecurity consultancy. Manual testing, AI security specialisation, and reports your engineers can actually use. See our assessment services or get in touch.
