Security Testing
Independent validation that your cardholder data environment is genuinely isolated — with the evidence your QSA and acquirer expect to see.
If you rely on network segmentation to reduce your PCI DSS scope, you must prove that the segmentation actually works. Our PCI segmentation testing validates that your cardholder data environment (CDE) is genuinely isolated from out-of-scope networks — and produces the evidence your assessor and acquirer expect to see.
Segmentation failures are rarely dramatic. They are a forgotten firewall rule, an unmanaged switch, a flat management VLAN — small gaps that quietly connect your out-of-scope estate to your CDE and, with it, expand your compliance scope and your breach exposure. They also tend to appear after change: a migration, a new supplier connection, an emergency fix. Finding them takes active testing, not a diagram review.
Our CREST-accredited testers attempt to reach the CDE from every network segment claimed to be out of scope, verifying that segmentation controls block all unauthorised paths. This is combined with a review of the devices enforcing segmentation — rulesets, access control lists and policies — to confirm the controls are correct as well as effective. As a PCI QSA company, we know exactly what evidence your assessment requires and report it accordingly.
The engagement is delivered through Sentry: scoped via questionnaire and call against your network diagrams and scope documentation, findings uploaded in real time, and immediate alerts for anything critical. You receive a clear report confirming which segmentation controls held, which failed and what to fix, plus a debrief with your tester — and findings remain in Sentry for remediation tracking.
PCI DSS expects segmentation testing at least annually for merchants, every six months for service providers, and after significant changes to segmentation controls. We can schedule recurring engagements so the evidence is always current, and combine segmentation testing with internal infrastructure testing or a firewall review in a single engagement.
Testing and reporting designed by a PCI QSA company to satisfy assessors and acquirers first time.
Testers attempt real connections from out-of-scope segments to the CDE — proof, not assumption.
Rulesets, ACLs and policies on segmentation devices are reviewed for correctness alongside the live testing.
Confirmed segmentation keeps your PCI DSS scope — and cost of compliance — as small as possible.
Annual or six-monthly cycles keep your evidence current, with results compared in Sentry over time.
Complete a short questionnaire tailored to the test type, then join a scoping call with a consultant. You receive a clear proposal and Statement of Work, and your project is created in Sentry. Typically one to two weeks.
Your consultant is assigned and logistics are arranged: IP whitelisting, credentials, access and rules of engagement. The testing window is scheduled around your business. Typically one week.
Expert-led manual testing begins. Findings appear in Sentry in real time as they are discovered, you are alerted immediately to critical and high-severity issues, and you can message your consultant throughout. From two days for a small web application to fifteen or more for enterprise estates.
After quality assurance you receive a board-ready executive summary and detailed technical findings with evidence, CVSS scores and remediation guidance, followed by a debrief session. Findings remain in Sentry for remediation tracking and comparison with future tests.
Straight answers to what prospective clients ask us most.
It is testing that verifies the network segmentation controls isolating your cardholder data environment actually prevent access from out-of-scope networks. If you use segmentation to reduce PCI DSS scope, the standard requires you to validate it works.
At least annually for merchants and every six months for service providers, plus after any significant change to segmentation controls. We can set up a recurring schedule so the evidence is always ready for your assessment.
Network diagrams, your PCI DSS scope definition and details of the segments and controls involved — captured through our scoping questionnaire. We then agree test locations and windows before any activity begins.
You are alerted immediately through Sentry rather than at report time. The report identifies exactly which path failed and why, with remediation guidance, and we verify your fix so your compliance evidence shows the issue was closed.
Get a fixed-scope quote, usually the same working day.