A cybersecurity audit assesses technical and organizational controls through pentesting, OSINT and vulnerability analysis. SME cost: 3,000-15,000 euros.

Most companies do not know how vulnerable they are until they suffer an attack. A cybersecurity audit gives you that snapshot before it is too late: it tells you exactly where your weaknesses are, which ones are exploitable, what impact a successful attack would have and what you should do first to reduce risk to an acceptable level. It is not a luxury: it is the most profitable security investment you can make, because it lets you direct your limited resources to where they are needed most. If you need to understand the full landscape of cybersecurity services, read my article on cybersecurity consulting for companies. If you want 2026 costs, jump to the price table; if you are looking for the real-world case, go to the industrial case in Burgos.

Types of cybersecurity audit

Compliance audit

This assesses whether your organization complies with a specific regulatory framework or standard: Spain's National Security Framework (ENS), ISO 27001, GDPR, NIS2, PCI DSS. The auditor verifies the existence and effectiveness of the controls required by the standard, identifies compliance gaps and provides an adaptation plan.

It is the most appropriate audit when you have a specific regulatory obligation to meet, when you are preparing for a certification, or when you need to demonstrate to a client or a public tender that you comply with certain security requirements.

Technical audit (vulnerability assessment)

This uses automated tools and manual techniques to identify vulnerabilities in your systems, applications, networks and configurations. It scans open ports, exposed services, software versions with known vulnerabilities, insecure configurations and weak passwords.

The vulnerability assessment provides a complete inventory of the technical weaknesses in your infrastructure, prioritized by severity (critical, high, medium, low) according to standards such as CVSS (Common Vulnerability Scoring System).

Penetration testing (pentesting)

Pentesting goes one step further: it simulates a real attack to determine whether the identified vulnerabilities are actually exploitable and what impact their exploitation would have. There are three modes depending on the information provided to the pentesting team.

In black-box mode, the pentester only knows the company name and its public domains. It simulates an external attacker with no privileged information. In gray-box mode, partial information is provided, such as standard user credentials, network diagrams or application listings. It simulates an attacker with limited access or a malicious employee. And in white-box mode, the pentester has full access to the technical documentation, source code and privileged credentials. It is the most exhaustive mode and the one that identifies the most vulnerabilities.

The choice of mode depends on your goal. If you want to know what an external attacker with limited resources can do, choose black box. If you want an exhaustive assessment of every possible vulnerability, choose white box. Gray box is the most common balance for SMEs.

Social engineering audit

This assesses your organization's resistance to human-manipulation attacks. It includes simulated phishing campaigns (sending emails that try to trick employees into revealing credentials or running malware), vishing (simulated phone calls that try to obtain confidential information), and physical access tests (attempts to enter restricted facilities through pretexting).

This audit is especially valuable because the human factor is responsible for 95% of security incidents according to reports from INCIBE and ENISA, and it cannot be mitigated with technology alone.

What is OSINT and why does it belong in a professional audit?

OSINT (Open Source Intelligence) is the discipline of gathering information about the target from open sources: the same reconnaissance work a real attacker does before the technical phase. A serious audit includes an OSINT phase as step 0 because, without that map, technical pentesting falls short. The most critical OSINT findings in Spanish SMEs are usually:

The OSINT report delivers concrete evidence (screenshots, URLs, dates) and lets you close most of the attack surface before moving on to more expensive technical controls.

The process of a professional cybersecurity audit

Scoping and planning phase

Before the audit begins, you define the scope (which systems, networks, applications and sites are included), the mode (compliance, technical, pentesting or combined), the rules of engagement (what is and is not allowed during testing), the schedule (dates, times, duration) and the emergency contacts (in case the tests cause an incident).

This phase is critical to avoid surprises. Pentesting without clear rules of engagement can cause unwanted service outages.

Execution phase

The audit team carries out the tests according to the agreed plan. During execution, it maintains communication with the point of contact designated by the company to report critical findings that require immediate action. If a vulnerability that is being actively exploited by a real attacker is discovered, it is reported immediately.

Analysis and reporting phase

The team produces a report that includes an executive summary for management (overall risk, potential impact, main recommendations), a detailed technical report with each vulnerability found (description, severity, evidence, remediation recommendation), risk-based prioritization (not all vulnerabilities are equal), and a remediation plan with actions, owners and suggested deadlines.

Follow-up phase

A good audit includes a subsequent verification (re-test) to confirm that the critical and high vulnerabilities have been fixed. This verification is usually carried out between 30 and 90 days after the report is delivered.

How often should audits be done?

The frequency depends on your organization's risk level and on regulatory obligations. As a general reference, the compliance audit should be carried out at least annually (and always before ISO 27001 or ENS certification audits). The vulnerability assessment should be at least quarterly for dynamic environments and half-yearly for stable ones. Pentesting should be done annually and always after significant infrastructure changes. And simulated phishing campaigns should be run at least quarterly to keep the team alert.

2026 price table · Cybersecurity audit for SMEs

| Audit type | SME 10-30 employees | SME 30-60 employees | Duration |
|---|---|---|---|
| Documentation audit ISO 27001 / ENS | 3,000-4,500 € | 4,500-6,000 € | 2-4 weeks |
| Technical vulnerability assessment | 2,500-4,000 € | 4,000-5,500 € | 1-3 weeks |
| Corporate OSINT | 1,200-2,000 € | 2,000-3,500 € | 1-2 weeks |
| External pentesting (black box) | 2,500-4,500 € | 4,500-6,000 € | 2-4 weeks |
| Internal pentesting (gray box) | 4,500-7,500 € | 7,500-10,000 € | 3-5 weeks |
| Social engineering audit + simulated phishing | 1,800-3,000 € | 3,000-4,500 € | 3-4 weeks |
| Full package (OSINT + technical + pentest + social eng.) | 8,000-12,000 € | 12,000-15,000 € | 6-8 weeks |
| Subsequent re-test (remediation verification) | 600-1,000 € | 1,000-1,800 € | 3-5 days |

Costs and how to fund the audit

A complete cybersecurity audit (compliance + technical assessment + basic pentesting) for an SME of 10 to 50 employees ranges between 4,000 and 12,000 euros, depending on the complexity of the environment and the depth of the tests. This cost can be funded with the Kit Consulting program in its cybersecurity category (the security diagnosis is a required deliverable) or with regional grants such as DigitalICE in Castilla y León (the ARGOS cybersecurity line) or the Innobonos in the Canary Islands.

Read my article on the cybersecurity plan for SMEs for the measures you should implement after the audit.

Real-world case: full audit at an automotive industrial company in Burgos

An industrial company in the automotive sector with 60 employees and a production plant in Burgos requested a full audit before signing a Tier 2 contract with a European manufacturer that required evidence of cybersecurity maturity. The plant had an OT (operational technology) network with 12-year-old PLCs and offices on a corporate Windows network, with no segmentation between the two.

The project ran over 8 weeks with a total budget of 8,500 € (OSINT 1,500 € + technical assessment 2,200 € + internal gray-box pentesting 3,500 € + simulated phishing for 60 employees 1,300 €). Results:

Remediation plan prioritized over 90 days: OT/IT VLAN segmentation with an industrial Stormshield firewall, disabling SMBv1 and upgrading to SMBv3, credential rotation with a corporate manager and mandatory MFA, removal of obsolete subdomains and quarterly anti-phishing training. The direct ROI was calculated through incident avoidance: the estimated cost of a 5-day production stoppage at the plant due to ransomware was put at 250,000 € (line stoppage + contractual penalty with the Tier 1 client + forensic recovery), against the investment of 8,500 € in the audit plus 18,000 € in remediation. ROI through avoidance: 8.3x.

Mini glossary of cybersecurity auditing

Do you want to know your company's real security level? Let's talk about a complete cybersecurity audit that tells you exactly where your vulnerabilities are and what to do about them.

Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalization for SMEs, based in Aranda de Duero (Burgos).