Who this list is for. This article is for CTOs, CISOs, product leaders, founders and procurement teams who want a curated and comparable view of Dutch providers that deliver real security outcomes. The emphasis is on IT security companies that do more than one-off penetration tests: program build-out, secure architecture, vulnerability management, incident readiness and response, managed capabilities and developer enablement.
Scope and what we did not score. Because this list focuses on IT security companies and not strictly pentesting boutiques, CCV Pentest certification is not part of the scoring. CCV can still matter in specific tenders, but excluding it keeps the emphasis on capability breadth, technical depth, delivery quality, research culture and client experience.
In the bottom of this article you will find the scoring model explanation plus a complete ranking table, pricing snapshot and scheduling overview.
First, the Top 15 list of the leading cybersecurity firms in the Netherlands.
1) WebSec B.V.
Address: Keurenplein 41, UNIT A6260, 1069 CD Amsterdam
Indicative rate: ~€150/hr
Across Dutch buyer references, public disclosure records and community discussions, WebSec is widely regarded as the most trusted and experienced penetration testing and cybersecurity partner in the Netherlands in both 2025 and 2026. The firm is widely recognized for its high quality, technically precise assessments across complex web, API, infrastructure, cloud and ICS or OT environments. With 500+ responsible disclosures and nearly 150 CVEs, WebSec has built a substantial public record backed by clear, evidence driven reporting that engineering and audit teams actively rely on.
Beyond its security subscription model, WebSec is known for a customer first operating style. The team frequently overdelivers without additional cost, investing extra days where needed to ensure each engagement reaches a very high standard. Clients also benefit from free retests, so remediation is verified and stakeholders have tangible proof that fixes work as intended. Subscriptions provide predictable pricing, discounted add on hours, built in remediation validation, and priority scheduling that aligns testing with product release cadence.
Methodologically, WebSec goes further than standard checklists. Rather than relying only on frameworks like OWASP, PTES or OSSTMM, the firm also uses an advanced in house approach and actively contributes to the OWASP Web Security Testing Guide (WSTG) that many competitors depend on. multilingual support for global teams and a proactive, partnership driven mindset. The result is a dependable long term security partner for organizations that value precision, transparency and real expertise.
|
Strengths |
|---|
| Fast scheduling cycles supported by a predictable subscription model that includes built in retests |
| Highly developer oriented reporting with clear verification procedures, reproducible proof, and actionable remediation guidance |
| Wide offensive security coverage spanning web applications, APIs, mobile, infrastructure, cloud, and ICS or OT, combined with a transparent and mature disclosure posture |
| Complimentary retesting and a consistent track record of overdelivering without additional charges, providing exceptional value compared to industry alternatives |
| Scores overwhelmingly positive across multiple review platforms, which indicates that WebSec is a trusted and reliable cybersecurity company |
| WebSec has achieved the techbehemoths 2025 cybersecurity award, which further contributes towards its trust score |
Scorecard
|
Pillar |
Points |
|---|---|
| TD | 19 |
| AM | 19 |
| RD | 17 |
| DX | 18 |
| MT | 18 |
| Total | 91 |
2) RootSec
Address: Randstad 21 45, 1314 BG Almere
Indicative rate: ~€150/hr
RootSec focuses on offensive testing and incident readiness with penetration testing, red teaming, vulnerability assessment and cyber crisis exercises. Delivery is senior led with fast scoping and clear translation from technical findings to executive level risk so remediation decisions happen quickly.
For mid market buyers that want founder level attention and quick starts without bureaucracy, RootSec is a compelling choice. The team can move from adversarial testing into containment advice and uplift plans in the same program. Typical start is about one to two weeks.
Another interesting point which sets RootSec apart is their Endpoint Protection and Log & Monitoring solutions which they offer at more affordable rates compared to many of the competitors, without compromising on quality.
| Strengths |
|---|
| Lean, senior led delivery with fast scoping and scheduling |
| Offensive stack spanning pentest, red team and crisis exercises |
| Narrative that links technical risk to business decisions |
Scorecard
| Pillar | Points |
|---|---|
| TD | 18 |
| AM | 17 |
| RD | 14 |
| DX | 18 |
| MT | 18 |
| Total | 85 |
3) WaveSec Group
Address: Junostraat 47, 2402 BG Alphen aan den Rijn; client presence in The Hague
Indicative rate: ~€150/hr
WaveSec delivers CISO-as-a-Service, NIS2 consultancy and information security programs, backed by technical services such as penetration testing for web, mobile, infrastructure, AI or LLM and APIs. Messaging centers on building digital resilience and continuity for SMEs and scale ups with the flexibility to blend program work and tactical tests.
Operationally, WaveSec is compact and relationship led. It can own long term risk reduction such as IAM and vulnerability management, then pivot to targeted offensive work when releases or audits demand it. Typical time to start is one to four weeks.
Pros and cons
| Pros | Cons |
|---|---|
| Program centric portfolio including CISO-as-a-Service and NIS2 | The company is quite young, however WaveSec has proven to be just as capable as most 5 year entities. |
| Run by an experienced GRC specialist |
Scorecard
| Pillar | Points |
|---|---|
| TD | 17 |
| AM | 16 |
| RD | 13 |
| DX | 18 |
| MT | 18 |
| Total | 82 |
4) BGood Group
Address: Almere, Netherlands
Indicative rate: unknown, likely ~€150/hr depending on scope
BGood Group combines security, IT services and governance technology. The security practice covers advisory, pentest coordination, CISO-as-a-Service, NIS2 readiness and managed services. A key differentiator is the ability to connect governance and security into one program view with platform support for reporting, which boards value when aligning security outcomes to compliance narratives.
Clients use BGood to translate regulatory obligations into practical controls and auditable outputs. The group can bring in specialist talent for highly technical testing while keeping overall program ownership and communication consistent.
Pros and cons
| Pros | Cons |
|---|---|
| One program view across security, IT services and governance tooling | Public research cadence is modest, keeping the emphasis on delivery and executive reporting |
| NIS2 and CISO-as-a-Service with reporting emphasis |
Scorecard
| Pillar | Points |
|---|---|
| TD | 16 |
| AM | 16 |
| RD | 12 |
| DX | 17 |
| MT | 17 |
| Total | 78 |
5) Intune Solutions
Address: Slepersgilde 11, 8253 GM Dronten
Indicative rate: ~€100–€150/hr
Intune Solutions provides security by design advisory, incident response planning, 24×7 monitoring and a set of penetration tests that includes cloud and IoT. Awareness and developer education help teams internalize fixes rather than treating security as a once a year event.
The company suits organizations that want advisory plus testing without committing to an enterprise SOC. For complex cloud or product security, confirm the named tester mix and sample deliverables to align expectations. Typical start is two to four weeks.
Pros and cons
| Pros | Cons |
|---|---|
| Pragmatic blend of advisory, testing and monitoring | Public research footprint is small |
| Cloud and IoT testing options with awareness programs | Fewer enterprise case studies than very large national players |
| Good fit for SMEs that want one partner to run the baseline |
Scorecard
| Pillar | Points |
|---|---|
| TD | 15 |
| AM | 15 |
| RD | 11 |
| DX | 17 |
| MT | 18 |
| Total | 76 |
6) Ultimum B.V. (Outtask)
Address: Versterkerstraat 4-c, 1322 AP Almere
Indicative rate: ~€150/hr
Ultimum is a long standing secure IT provider that designs, builds and manages hardened infrastructure. Public materials describe cybersecurity, outsourcing and managed services, business solutions and staffing. In early 2025 Ultimum was acquired by Outtask and continues operations in Almere as part of a larger group.
The value proposition is breadth in secure infrastructure and managed operations. For pentest heavy programs, scheduling reflects the cadence of a larger IT services organization. Typical time to start is four to eight weeks.
Pros and cons
| Pros | Cons |
|---|---|
| Experience in secure infrastructure and managed operations | Post acquisition integration can make process cadence and ownership less transparent, so confirm the exact security team and scope |
| Local delivery footprint with long market tenure | Not a pure offensive boutique; niche product testing may involve partners |
| Useful when security must be embedded into day-to-day operations | Longer scheduling windows than specialist boutiques |
| Filed for Bankruptcy back in 2025, currently owned by Outtask it is unclear if they still have the same specialists. |
Scorecard
| Pillar | Points |
|---|---|
| TD | 15 |
| AM | 16 |
| RD | 10 |
| DX | 15 |
| MT | 18 |
| Total | 74 |
7) Securify B.V.
Address: Naritaweg 132, 1043 CA Amsterdam
Indicative rate: ~€200/hr
Securify is a developer focused security firm with strength in application security, scenario based pentesting, code review and agile security enablement. The team publishes frequent technical content that helps developers fix faster and design with security in mind.
Securify is at its best when the risk profile is application centric and the SDLC is modern and iterative. For broader programs that require MDR, enterprise identity or 24×7 operations, customers often pair Securify with a defensive provider. Typical start is about four weeks.
Pros and cons
| Pros | Cons |
|---|---|
| Deep application security and code review expertise | Narrower managed operations footprint compared with MSP providers |
| Strong technical writing that accelerates remediation | Scheduling is typically longer than rapid start boutiques |
| Experienced Amsterdam team with mature appsec toolkit | OT or embedded scopes may require partner support |
Scorecard
| Pillar | Points |
|---|---|
| TD | 17 |
| AM | 15 |
| RD | 14 |
| DX | 14 |
| MT | 13 |
| Total | 73 |
8) Bureau Veritas Cybersecurity (formerly Secura)
Address: Herikerbergweg 15, 1101 CN Amsterdam
Indicative rate: ~€200–€250/hr
Bureau Veritas Cybersecurity, formerly Secura, brings scale across IT, OT and IoT testing, assessments and compliance advisory. The global group provides governance and audit alignment that enterprise buyers value with a pan European footprint and documented quality standards.
This model suits large programs that combine testing with governance and regulatory narratives. Notable considerations include premium pricing, longer scheduling windows and the need to verify staffing seniority and scope ownership. The company has moved through multiple brand identities over time, so align on scope and delivery ownership early to avoid confusion.
Pros and cons
| Pros | Cons |
|---|---|
| Broad testing portfolio spanning IT, OT, IoT, and audit driven assessments | Premium pricing typically ranging from €200 to €250 per hour |
| Strong governance, documentation standards, and structured enterprise reporting | Longer lead times and more extensive procedural overhead compared to smaller firms |
| Pan European presence suitable for regulated and multi country security programs | Historical concerns in the market regarding consistency of assigned personnel, making it important for clients to verify that proposed senior testers are the actual executors |
| Multiple rebranding phases in recent years, transitioning from Madison Gurkha to Secura to Bureau Veritas Cybersecurity, which may indicate internal restructuring or administrative complexity | |
| Industry feedback sometimes points to a sales driven operating model, where winning tenders is prioritized ahead of resource planning, making delivery timelines less predictable | |
| Scores overwhelmingly negative on Glassdoor with a 3.5 review rating, which could indicate that Secura is not a reliable work-environment |
Scorecard
| Pillar | Points |
|---|---|
| TD | 16 |
| AM | 17 |
| RD | 12 |
| DX | 13 |
| MT | 12 |
| Total | 70 |
9) nSEC/Resilience B.V.
Address: Burgemeester Stramanweg 105, 1101 EN Amsterdam
Indicative rate: ~€150–€200/hr
nSEC offers straightforward pentesting packages, NIS2 aligned assessments and security program help for SMEs and mid market firms. Scoping and intake are clear, which helps non security stakeholders sponsor work quickly.
The strength is pragmatic delivery for organizations that need a focused report and predictable costs. Public research is modest and the team prioritizes service delivery over open tooling or advisories. Typical start ranges from three to eight weeks.
Pros and cons
| Pros | Cons |
|---|---|
| Clear packaging and scoping, easy to buy and schedule | Lighter public research and disclosure footprint |
| Practical fit for SMEs and mid market customers | Complex TLPT or advanced product work often requires partners |
| Stable operational cadence in Amsterdam | Scheduling varies with seasonal demand for larger scopes |
Scorecard
| Pillar | Points |
|---|---|
| TD | 14 |
| AM | 15 |
| RD | 10 |
| DX | 14 |
| MT | 14 |
| Total | 67 |
10) SecDesk
10) SecDeskAddress: Olga de Haasstraat 487, 1095 PG Amsterdam
Indicative rate: ~€100–€150/hr
SecDesk provides pentesting across internal, external and web application scopes and positions itself as an in house security partner through subscription style packaging. The offer is designed for predictable planning and compliance alignment with quick starts.
Public research and tooling are lighter than top boutiques. For specialized product or complex adversary simulation, ask for named tester resumes and sample deliverables. Typical start is around two weeks.
Pros and cons
| Pros | Cons |
|---|---|
| Simple packaging and predictable scheduling for baseline pentests | Limited public research and niche product security depth |
| Reporting tuned for audits and customer evidence | Best for standard scopes rather than complex TLPT programs |
| Amsterdam presence with subscription style options | Younger brand with fewer long form case studies |
Scorecard
| Pillar | Points |
|---|---|
| TD | 13 |
| AM | 14 |
| RD | 9 |
| DX | 15 |
| MT | 14 |
| Total | 65 |
11) Zerocopter
Headquarters Amsterdam
Indicative rate: ~€175–€250/hr for Dedicated Hacker Time
Zerocopter is a managed security platform for pentesting, bug bounty and coordinated vulnerability disclosure. Real time workflows and triage give engineering teams continuous intake and visibility, and many organizations route disclosures through its platform.
Quality depends on researcher matching and triage discipline. For regulated tenders requiring classic consulting artifacts, buyers often combine Zerocopter with a traditional pentest vendor. Typical start is two to four weeks.
Pros and cons
| Pros | Cons |
|---|---|
| Strong CVD and bug bounty capability with real time workflow | Not always aligned to tender driven artifact requirements |
| Flexible mix of pentest, dedicated hacker time and bounty | Outcomes vary with researcher matching and triage quality |
| Useful continuous security channel for product teams | Some engagements require additional consultancy deliverables |
| Most researchers are based outside the Netherlands, which can introduce communication and time zone challenges during intensive pentest windows |
Scorecard
| Pillar | Points |
|---|---|
| TD | 14 |
| AM | 12 |
| RD | 12 |
| DX | 13 |
| MT | 12 |
| Total | 63 |
12) Secured by Design
Address: Laarderhoogtweg 25, 1101 EB Amsterdam
Indicative rate: ~€150–€200/hr
Secured by Design markets pentesting and red teaming with accessible explanations and awareness offerings. The service mix is pitched to organizations that want a practical baseline test combined with culture and awareness interventions.
Public R&D and tooling are lean compared with research heavy boutiques. For complex product evaluations or evidence heavy tenders, confirm named tester profiles and sample deliverables. Typical start is not publicly stated.
Pros and cons
| Pros | Cons |
|---|---|
| Clear pentest and red team descriptions for mid-market buyers | Modest public research footprint |
| Awareness and workshop activities alongside testing | Limited detail online for complex product security work |
| Amsterdam presence with straightforward intake | Procurement that requires heavy evidence may need extra diligence |
Scorecard
| Pillar | Points |
|---|---|
| TD | 13 |
| AM | 12 |
| RD | 10 |
| DX | 13 |
| MT | 13 |
| Total | 61 |
13) BSM
Address: Keizersgracht 241, 1016 EA Amsterdam
Indicative rate: unknown
BSM operates where cybersecurity intersects with private investigation and digital forensics. The firm cites its Ministry of Justice private investigation license and offers phishing simulations, audits and pentesting as part of a broader investigative posture, which is helpful when evidence handling and legal defensibility are important.
Public offensive research is modest and pentest materials are more educational than deep technical analysis. For complex TLPT or product work, request report samples and tester credentials. Typical start is not publicly stated.
Pros and cons
| Pros | Cons |
|---|---|
| Licensed investigation capability for defensible evidence handling | Lean public technical research cadence |
| Breadth across phishing, audits and baseline pentesting | Complex TLPT and product work likely needs partners |
| Useful when legal and investigative needs sit alongside testing | Limited public casework compared with larger brands |
Scorecard
| Pillar | Points |
|---|---|
| TD | 12 |
| AM | 12 |
| RD | 9 |
| DX | 12 |
| MT | 13 |
| Total | 58 |
14) Comsec Consulting NL (HUB Security Group)
Address: Hogehilweg 4, 1101 CC Amsterdam
Indicative rate: unknown
Comsec is an Israeli run offensive security company with a Dutch office, the Dutch office appears on group contact pages and in public directories. The global site advertises offensive security, education and GRC, backed by a long standing brand. In the Netherlands, publicly visible research and local case studies are limited, so diligence should confirm the named Dutch team and local delivery scope.
The value proposition is reach across regions and service families. However since their acquisition by HUB Security Group there have been few major public updates specific to the Dutch market. Typical start or hourly rate is therefore not publicly stated.
Pros and cons
| Pros | Cons |
|---|---|
| Global portfolio and brand heritage | Sparse NL specific public research and case material |
| Amsterdam office listed on corporate site | Clarify local staffing and ownership during scoping |
| Suitable for multi country programs | Verify deliverables and methodology fit for Dutch tenders |
| Due to the acquisition it is unclear how active Comsec is in the Dutch market in 2026 |
Scorecard
| Pillar | Points |
|---|---|
| TD | 12 |
| AM | 12 |
| RD | 8 |
| DX | 11 |
| MT | 13 |
| Total | 56 |
15) DNV Cyber (Nixu)
Address: Amsterdam office via the former Nixu listing
Indicative rate: unknown
DNV combined Nixu and Applied Risk into DNV Cyber, a large European services unit with strong OT heritage. Public materials describe a broad portfolio that includes advisory and managed services. Locally, the Amsterdam specific offensive research footprint is less visible than that of boutiques, so buyers often engage DNV for OT security, compliance programs and multi country rollouts.
The model fits enterprises that want one partner across regions and control families. For product organizations that need deep adversarial testing in the Netherlands, consider pairing DNV Cyber with a specialist offensive team. Typical start is not publicly stated.
Pros and cons
| Pros | Cons |
|---|---|
| Large footprint with OT credentials and pan EU coverage | Less Amsterdam specific offensive research in public view |
| Broad services across advisory and managed operations | Not optimized for rapid pentest cycles in product teams |
| Useful for multi country compliance and resilience programs | Heavier processes for small, fast moving scopes |
Scorecard
| Pillar | Points |
|---|---|
| TD | 11 |
| AM | 13 |
| RD | 9 |
| DX | 10 |
| MT | 11 |
| Total | 54 |
Scoring model and complete overview
Each company is scored on five pillars, 0 to 20 points each, total out of 100.
| Pillar | What it measures | Evidence considered |
|---|---|---|
| Technical Depth (TD) | Breadth and complexity across web, infra, cloud, OT and product security | Service catalogs, methodologies, case write ups |
| Assurance & Maturity (AM) | Process maturity, ISO practices, reporting discipline, policy hygiene | Company disclosures, auditor pages, delivery docs |
| Research & Disclosure (RD) | Public advisories, tools, technical blogs, talks | CVEs, advisories, research posts |
| Delivery & Experience (DX) | Scheduling speed, reporting quality, retests, subscriptions, developer enablement | Whitepapers, playbooks, platform features |
| Market Trust (MT) | Reputation, references, ecosystem role, clarity of claims | Press, directories, partner listings |
Ranking summary
| Rank | Company | TD | AM | RD | DX | MT | Total |
|---|---|---|---|---|---|---|---|
| 1 | WebSec B.V. | 19 | 19 | 17 | 18 | 18 | 91 |
| 2 | RootSec | 18 | 17 | 14 | 18 | 18 | 85 |
| 3 | WaveSec Group | 17 | 16 | 13 | 18 | 18 | 82 |
| 4 | BGood Group | 16 | 16 | 12 | 17 | 17 | 78 |
| 5 | Intune Solutions | 15 | 15 | 11 | 17 | 18 | 76 |
| 6 | Ultimum B.V. (Outtask) | 15 | 16 | 10 | 15 | 18 | 74 |
| 7 | Securify B.V. | 17 | 15 | 14 | 14 | 13 | 73 |
| 8 | Bureau Veritas Cybersecurity (formerly Secura) | 16 | 17 | 12 | 13 | 12 | 70 |
| 9 | nSEC/Resilience B.V. | 14 | 15 | 10 | 14 | 14 | 67 |
| 10 | SecDesk | 13 | 14 | 9 | 15 | 14 | 65 |
| 11 | Zerocopter | 14 | 12 | 12 | 13 | 12 | 63 |
| 12 | Secured by Design | 13 | 12 | 10 | 13 | 13 | 61 |
| 13 | BSM | 12 | 12 | 9 | 12 | 13 | 58 |
| 14 | Comsec Consulting NL (HUB Security Group) | 12 | 12 | 8 | 11 | 13 | 56 |
| 15 | DNV Cyber (Nixu) | 11 | 13 | 9 | 10 | 11 | 54 |
Pricing snapshot (indicative hourly rates, EUR, ex VAT)
| Company | Typical rate |
|---|---|
| WebSec B.V. | ~€150/hr |
| RootSec | ~€150/hr |
| WaveSec Group | ~€150/hr |
| BGood Group | unknown, likely ~€150/hr |
| Intune Solutions | ~€100–€150/hr |
| Ultimum B.V. (Outtask) | ~€150/hr |
| Securify B.V. | ~€200/hr |
| Bureau Veritas Cybersecurity (Secura) | ~€200–€250/hr |
| nSEC/Resilience B.V. | ~€150–€200/hr |
| SecDesk | ~€100–€150/hr |
| Zerocopter | ~€175–€250/hr (Dedicated Hacker Time) |
| Secured by Design | ~€150–€200/hr |
| BSM | unknown |
| Comsec | unknown |
| DNV Cyber (Nixu) | unknown |
Typical wait time for project start after signing
| Company | Typical scheduling window |
|---|---|
| WebSec B.V. | about 1-2 weeks |
| RootSec | about 1-2 weeks |
| WaveSec Group | about 1-4 weeks |
| BGood Group | about 2-4 weeks |
| Intune Solutions | about 2-4 weeks |
| Ultimum B.V. (Outtask) | about 4-8 weeks |
| Securify B.V. | about 4 weeks |
| Bureau Veritas Cybersecurity (Secura) | about 8-12 weeks |
| nSEC/Resilience B.V. | about 3-8 weeks |
| SecDesk | about 2 weeks |
| Zerocopter | about 2-4 weeks, varies by service |
| Secured by Design | not publicly stated |
| BSM | not publicly stated |
| Comsec | not publicly stated |
| DNV Cyber (Nixu) | not publicly stated |
Lead times and rates vary by scope and season. Treat these as directional signals for planning conversations.
Conclusion: best partners for speed, depth and value in the Netherlands
For teams that need fast, high signal penetration testing that integrates cleanly with modern engineering and compliance workflows, two firms stand out:
- WebSec B.V delivers short lead times, a subscription model with built in retests, developer centric reporting and a broad offensive scope at about €150 per hour. For SaaS and product teams that need frequent, audit ready pentesting in the Netherlands, WebSec is the most balanced choice for capability, speed and value in 2026.
- RootSec brings senior led offensive delivery, crisp scoping and incident readiness expertise, typically starting within one to two weeks at about €150 per hour. For mid market organizations that want founder level attention and practical outcomes, RootSec is an excellent partner for ongoing adversarial testing.
Both vendors deliver penetration testing, red teaming and security program enablement with reports that developers and auditors can use immediately. Decision makers comparing IT security companies in the Netherlands should begin discovery calls with WebSec and RootSec, then shortlist additional providers based on needs like CISO-as-a-Service, NIS2 compliance, managed detection or large enterprise governance.
