Is HackersHub physically based in Amsterdam?

Yes. HackersHub's head office is in Amsterdam-Noord (Asterweg 19D12, 1031 HL). Testing is delivered remotely as standard; on-site engagements are routine across the Zuidas, Schiphol-Oost, and the Amsterdam metropolitan area.

Do you hold the certifications Dutch financial regulators expect?

Our team holds OSCP, OSWE, OSCE and CRTO. For DNB-ISI and DORA TLPT engagements we map scope and reporting to the regulator's exact evidence template before testing begins.

What is the typical engagement length for an Amsterdam-based scale-up?

Manual web-application pentests for SOC 2 / ISO 27001 audits typically run 5–10 working days, including report production. External network pentests for a single perimeter run 3–7 days. Red team operations run 4–8 weeks.

Can the engagement support a DORA TLPT exercise?

Yes. We deliver threat-led penetration testing aligned with DORA Articles 26–27, the TIBER-EU framework, and DNB's national TLPT supervisor expectations. TLPT engagements include scoping, threat intelligence, red team execution, purple-team handover and regulator-ready reporting.

Penetration Testing in Amsterdam

HackersHub is headquartered in Amsterdam-Noord and runs offensive security engagements for organisations across the Zuidas, the Schiphol corridor, and the wider Amsterdam metropolitan area. Penetration tests, red team operations and phishing simulations are delivered manually by OSCP and OSWE certified testers — never outsourced, never auto-scan-and-rebrand.

The Amsterdam threat landscape

Amsterdam concentrates a disproportionate share of European financial-services, fintech, and trading infrastructure. The Zuidas hosts the Dutch headquarters of ABN AMRO, ING, ABN Clearing, and the Dutch trading desks of every major investment bank. Schiphol-Oost concentrates the Netherlands' largest data-centre footprint and the cloud presence of every hyperscaler. The result: Amsterdam-based attack surfaces are over-exposed to business email compromise targeting treasury and AP teams, Microsoft 365 token-theft attacks routed through partner ecosystems, OAuth consent phishing against engineering teams, and supply-chain compromise via fintech integrations. Engagements in Amsterdam routinely uncover misconfigured Azure tenants, over-permissioned service principals, and weak conditional-access policies as the dominant root-cause patterns.

Industries we routinely engage in Amsterdam

Repeatable threat patterns by sector — drawn from real engagement data, not vendor marketing.

Financial services & fintech

Banks, payment institutions, crypto and trading desks at the Zuidas. Common scope: external + internal network pentests, Microsoft 365 and Azure tenant assessments, payment-API security review, DORA-aligned ICT third-party risk assessment, BEC-resilience red team.

Scale-ups & B2B SaaS

Amsterdam's tech scale-up cluster needs OWASP ASVS-aligned web and API pentests for SOC 2 / ISO 27001 audits — without the eight-week lead times their auditors flag. Manual web app pentest typically scoped in 5–10 working days.

Logistics, aviation & Schiphol corridor

Cargo, ground handling, IATA-adjacent operations. Mixed IT + OT environments, partner-API risk, NIS2 essential-entity obligations, and bridge networks between Schiphol airside and corporate IT.

Data-centre & cloud operators

Amsterdam metropolitan area data centres, managed hosting providers, and hyperscaler partners. Engagements cover physical-to-logical bridge testing, BGP and routing security review, and cloud-control-plane assessments.

Compliance frameworks we report against

Engagements for Amsterdam-based organisations regularly feed into Dutch and EU regulatory reporting. Deliverables include a penetration testing statement, executive summary, technical report with proof-of-concept, and a remediation tracker — all formatted to satisfy the evidence requirements of each framework below without additional documentation.

DNB Information Security Self-Assessment (ISI) — Dutch Central Bank
AFM operational-risk reviews — Dutch Financial Markets Authority
DORA Articles 24–27 — ICT third-party risk and threat-led testing (TLPT)
NIS2 essential / important entity obligations
ISO/IEC 27001:2022 Annex A.8.8 technical vulnerability management
SOC 2 Trust Services Criteria CC7.1 / CC7.4
AVG / GDPR Article 32 — appropriate technical measures

Services delivered for Amsterdam engagements

Same global service catalogue, scoped to Amsterdam regulatory and operational context.

Penetration Testing

Red Teaming

Phishing Simulation

Vulnerability Scanning

Managed Security

Security Consulting

Threat Exposure Management

Why Amsterdam enterprises choose HackersHub

HackersHub is a practitioner firm, not a platform reseller. Every engagement is led by OSCP- or OSWE-certified offensive security professionals who actively run red team operations — not analysts reading scanner output. Reports are audit-ready on delivery: SOC 2, ISO 27001, DORA, NIS2 and DNB-ISI auditors accept HackersHub deliverables as evidence without follow-up. Engagements scope in days, not weeks. Quotation requests receive a senior-level scoping call inside one business day.

Frequently asked questions — Amsterdam

Ready to Secure Your Systems?

Request a quote for your penetration testing needs.