Wireless Network Penetration Testing.
Test your wireless security from the positions a real attacker would use. WPA2/WPA3 cracking, rogue access points, evil twin attacks, and 802.1X assessment.
Wireless attacks don't require physical access to your building — just proximity. Your car park is an attacker's starting point. We test from outside and inside to give you the complete picture.
Six test types
Every wireless attack technique in use today.
Wireless attack techniques are well-understood and readily available. We apply every method a real attacker would use, from outside your perimeter and from within.
Rules of engagement agreed before any testing begins. No denial of service unless specifically scoped and agreed.
WPA2/WPA3 cracking
Test whether wireless pre-shared keys can be cracked using captured handshakes and offline dictionary or brute-force attacks.
Evil twin attacks
We broadcast a rogue AP impersonating your corporate SSID to test whether users auto-connect and whether credentials can be intercepted.
Rogue access points
Identify unauthorised access points on your premises — whether planted by an attacker or set up by a staff member with a home router.
Guest network segmentation
Test whether your guest Wi-Fi is properly isolated from your corporate network, internal systems, and management interfaces.
What's included
Every test type, one engagement.
Eight test components performed in every wireless penetration test engagement. Risk-rated report delivered within five business days of on-site completion.
SSID enumeration
All wireless networks in range identified and mapped, including hidden SSIDs.
WPA2/WPA3 handshake capture
Authentication handshakes captured and tested against dictionary and brute-force attack methods.
Evil twin testing
Rogue AP broadcast to test auto-connect behaviour and credential interception via man-in-the-middle proxy.
Rogue AP detection
Unauthorised access points identified on the premises, regardless of how they were introduced.
Guest network isolation
Verification that guest Wi-Fi is properly segmented from corporate network and internal systems.
802.1X / EAP assessment
Enterprise Wi-Fi authentication tested for certificate validation bypasses and credential harvesting.
Captive portal testing
Where a captive portal is in use, tested for authentication bypasses and network access without completing the flow.
Risk-rated report
Findings rated by risk with evidence, reproduction steps, and remediation guidance. Executive summary included.
Tested from real attacker positions
We conduct testing from outside your building — the car park, the street, the lobby — as well as from inside. Both perspectives are necessary to understand your full wireless attack surface.
- External testing from car park and street
- Internal testing from common areas and meeting rooms
- Insider threat simulation from employee positions
- Multi-site engagements available
- Rules of engagement agreed before any testing
- 30-day free revalidation of fixes
What you receive
A risk-rated penetration test report suitable for board presentation and compliance evidence. Delivered within five business days of on-site testing completion.
- Wireless network discovery and SSID enumeration
- WPA2/WPA3 cracking attempt results
- Evil twin and rogue AP findings
- Guest network isolation verification
- 802.1X review where applicable
- Risk-rated findings with evidence
- Remediation guidance per finding
- Executive summary and technical report
What you learn
Your wireless attack surface, fully mapped.
Four concrete outcomes from every wireless penetration test, delivered with evidence and remediation guidance.
SSID inventory
Every wireless network in range identified, including hidden SSIDs and rogue access points that shouldn't be there.
Key strength validated
WPA2/WPA3 pre-shared keys tested against real attack methods. Weak passwords identified with proof of exploit.
Segmentation confirmed
Guest network isolation from corporate systems verified or the gap demonstrated. Either way, you know what you're working with.
Remediation roadmap
Findings prioritised by risk and business impact. Remediation guidance written for your IT team or managed service provider.
Common questions
Wireless testing questions answered.
Not sure whether wireless testing fits your current scope? Contact us for a no-obligation scoping conversation.
How long does a wireless pen test take?
A single-site engagement typically requires half a day to a full day on-site, depending on the size of the building and the number of access points. Report delivery takes five business days from completion of on-site testing.
Do you need to be inside our building?
Yes — both outside and inside. External testing is conducted from the car park and perimeter. Internal testing is conducted from common areas, meeting rooms, and other positions accessible to employees or visitors. Both perspectives are required for a thorough assessment.
Will the testing disrupt our wireless network?
We agree a rules of engagement document before testing begins. Techniques that would cause denial of service to your users are excluded unless specifically requested and agreed in writing. Most wireless testing is passive or involves controlled active techniques with minimal disruption.
Can you test multiple sites?
Yes. Multi-site engagements can be scoped for sequential or concurrent site visits depending on your timeline and budget. We provide a per-site quote at the scoping stage.
Is wireless testing included in a full penetration test?
Wireless network testing is available as a standalone engagement or as a component of a broader internal network penetration test. We assess the scope with you during the scoping conversation and recommend the approach that best fits your environment and budget.
Is your Wi-Fi secure?
Find out before someone in your car park does.
Wireless testing is fast to scope and deliver. Single-site engagements typically complete within half a day on-site, with a report delivered within five business days.