Floragasse 7 – 5th floor, 1040 Vienna

CYSSDE

Open Call 2 - Penetration Test and Vulnerability Assessment – “PACE”

The increasing digitalization of critical infrastructures and their complex supply chains makes them attractive targets for cyberattacks. Security vulnerabilities in IT and OT systems can have serious consequences – from service disruptions to massive economic damage. The project addresses these risks through the targeted identification of vulnerabilities in critical facilities and their suppliers.

Building on European best practices and experience from programs such as Horizon Europe, a practice-oriented approach is being pursued that strengthens both technical and organizational resilience. The result is an effective contribution to improving IT security, particularly with regard to the requirements of NIS2 and the Cyber Resilience Act (CRA).

The project aims to sustainably strengthen IT security in critical infrastructures and their supply chains. The focus is on the targeted use of advanced penetration testing and red-teaming methods to simulate realistic, highly complex attack scenarios, identify vulnerabilities at an early stage, and develop effective countermeasures.

As part of the project, 13 targeted penetration testing and analysis activities will be carried out across various sectors – including healthcare, finance, logistics, and manufacturing. The insights gained will feed directly into comprehensive risk analyses, concrete recommendations for action, and the implementation of regulatory requirements. Close collaboration with the participating organizations ensures that technical security measures are implemented effectively while also strengthening awareness and competencies within internal teams.

Another component of the project is the further development of our testing infrastructure. For example, the creation of a Windows-based laboratory is planned to simulate enterprise-like IT environments and to test detection-evasion techniques for realistic attack simulations (red teaming). In addition, attack scenarios will be simulated using a “Rogue Device Simulator,” which replicates the insertion and connection of compromised hardware within a corporate network, and our CVE-reporting platform will be optimized. These measures enable more precise security testing, realistic scenarios, and more efficient and responsible vulnerability disclosure.

In the long term, reusable tools, standardized testing methods, and established partnerships will be created that will continue beyond the duration of the project. In this way, the initiative makes an effective contribution to the further development of the European cybersecurity regulatory framework and to the resilience of critical infrastructures and their suppliers.

In total, 13 companies have confirmed their participation as partners in this funded project. The partners include:

Within the project, SBA assumes the project leadership, designs and conducts the tests, develops new tools and methods, and thus ensures practical, reusable results for the long-term protection of critical infrastructure.
