Regulation-compliant penetration testing, under one roof.
From banking to energy, capital markets to card payments — we run penetration testing with a methodology specific to the regulation you are subject to, and report in the form the regulator expects.
Regulatory-Compliant Penetration Testing in Türkiye
In Türkiye, many sectors are required to regularly verify the security of their information systems through independent penetration testing. Banks are subject to BDDK regulations, capital market institutions to SPK, and the energy sector to EPDK; organizations handling cardholder data test under PCI-DSS, while firms seeking official certification test under TSE 13638. Each framework has its own scope, frequency and reporting requirements.
Netlore works with a methodology specific to each of these regulations: during scoping we clarify together which regulator applies to you and its specific scope and frequency, we conduct the tests, and we report in the form the regulator expects. Tests are performed by independent expert teams not involved in software development.
Choose the compliance area that fits you below to reach scope, legal basis and process details on the relevant page. If you are subject to more than one framework, we combine the tests into a single engagement to reduce duplicated effort and cost.
Compliance Areas
Explore the relevant penetration testing service based on the regulation you are subject to.
BDDK-Compliant Penetration Testing
Independent penetration testing at least once a year for banks and financial institutions under the BDDK Information Systems Regulation (Article 18/7).
Learn MoreSPK-Compliant Penetration Testing
Penetration testing by certified independent experts for capital market institutions under the SPK Communiqué VII-128.10 currently in force.
Learn MoreEPDK-Compliant Penetration Testing
Security analysis and testing of ICS/OT and IT systems for the energy sector in line with EPDK Board Decision No. 11956.
Learn MoreTSE-Compliant Penetration Testing
Certified penetration testing service based on the TS 13638 methodology, meeting personnel competence, scope and reporting requirements.
Learn MorePCI-DSS-Compliant Penetration Testing
Regular internal/external penetration testing, ASV scanning and attack-surface monitoring for organizations handling cardholder data under PCI-DSS.
Learn MoreCompliance Penetration Testing — Frequently Asked Questions
For which organizations is penetration testing mandatory?
In Türkiye, penetration testing becomes an obligation depending on the regulatory framework an organization is subject to. Banks fall under BDDK, capital market institutions under SPK, and the energy sector under EPDK; organizations handling cardholder data test to maintain PCI-DSS compliance. Firms seeking official certification are assessed under TSE 13638. During scoping we clarify together which regulator applies to your organization.
How often should penetration testing be performed?
Most regulations require testing at least once a year; a re-test is also expected after any significant change to the infrastructure (a new system or architectural change). The BDDK and SPK frameworks explicitly state a minimum annual frequency. The exact frequency is set according to the framework you are subject to and your risk profile.
Must the test be performed by an independent party?
Yes. Regulations require the test to be performed by independent teams not involved in software development or system operation; some frameworks (for example SPK) require an independent party holding national or international certification. Netlore conducts the tests as an external service provider that meets these independence and competence requirements.
If I am subject to multiple regulations, must I test separately for each?
Not necessarily. The technical scope of different frameworks overlaps substantially; we plan the tests in a single engagement and deliver separate reports in the form each regulator expects, reducing duplicated effort and cost. Non-overlapping, regulation-specific requirements are addressed separately.
Let's clarify together which regulation applies to you
In a scoping call we map out your regulatory obligation, test scope and timeline together.