Procedures / Support / Services
The BSI would like to provide assistance on various topics, for example by publishing guidelines that offer practical background information on procedures with which institutions can test and enhance their security.
It may be advisable to involve an external qualified service provider both for prevention and following an acute security incident.
The BSI would like to provide support in selecting a qualified service provider and has therefore published a list of criteria on various topics that may be helpful when choosing an appropriate service provider.
In some subject areas, the BSI also carries out certifications of individuals as well as IT security service providers.
Penetration testing, information security consulting and information security revisions
The BSI has published guidelines to assist in the commissioning of IS penetration testers and to explain the processes involved in an IS penetration test:
- The IS audit guide explains in detail the role of the IS audit within the security process and the tasks associated with it, and can also be used as a basis for invitations to tender for IS audits.
- The BSI conducts certification in these subject areas and publishes lists of certified IT security service providers that engage certified penetration testers as well as certified IS auditors.
The BSI also performs penetration tests and IS audits itself for authorities and operators of critical infrastructures.
Additional information on the procedure and application process:
DDoS -- defence
The impact of Distributed Denial of Service (DDoS) attacks can be significant, causing major economic harm to the institutions affected as well as reputational damage.
- Selection criteria for qualified DDoS mitigation service providers
- The BSI has published a topic page on DDoS attacks.
IT forensics
- IT forensics guide (practice-oriented procedure for the forensic investigation of security incidents)
APT -- response service providers
Due to increasing, large-scale cyber attacks on companies and state institutions, there is a growing need not only to prevent attacks, but also to defend against ongoing attacks or attacks that have already taken place. Particularly when targeted attacks are carried out by powerful adversaries (Advanced Persistent Threat, APT), these activities place high demands on the service providers involved.
Selection criteria for qualified APT response service providers
List of qualified APT response service providers; as of: 28.03.2025
For quick first aid in the event of an APT incident, see also: