Telecoms are NIS2 essential entities by default and have always carried sector-specific security obligations under ANCOM authority and the European Electronic Communications Code. The threat surface is large — core network, BSS, OSS, customer-facing portals, retail systems, roaming partners — and the regulatory expectations now match.
Sandline runs vulnerability programmes that span the IT estate and the BSS/OSS layer, with pentests targeted at customer-portal authentication (the vector for SIM-swap fraud) and at signalling infrastructure where applicable. Reports map to ANCOM requirements alongside NIS2.
Typical engagements
- Pentest of customer portals, mobile apps and self-care
- Vulnerability assessment across BSS/OSS
- Red team with SIM-swap and account-takeover objectives
- IR retainer with ANCOM-aligned reporting
Sector-specific threats
SIM-swap fraud via customer portals
High-impact, visible to customers, and noticed by regulators. Our customer-portal pentests target the authentication and authorisation paths that enable swap requests, including helpdesk-side workflows.
BSS/OSS lateral movement
Once an attacker is on the BSS, the impact compounds. Our internal-network pentests target the BSS/OSS perimeter from a typical user starting position.
Roaming-partner trust abuse
For operators with international roaming, signalling-side attacks remain real. We test SS7/Diameter exposure where the customer requires it.
