Choosing a cybersecurity company in Spain has become a strategic decision any mid-sized or large organisation has to make at least once a year, and the difference between getting it right and getting it wrong is measured in incidents avoided, regulatory fines under NIS2 or DORA, and internal team hours burned fixing problems the provider should have caught. The Spanish market runs from specialised boutiques with their own research and signed advisories to cyber divisions inside Big Four firms selling audits and compliance bundled into enterprise projects. Each has its place, none works for everything, and the choice should start from the concrete problem you want to solve, not from the size of the provider's logo.
This guide explains what a cybersecurity company does and doesn't do, the provider types that coexist in Spain (boutique, Big Four, MSSP, vendor), the service areas that make up the standard catalogue, how to evaluate a proposal before signing, what red flags to spot, and how the choice shifts with buyer maturity and regulated sector.
What a cybersecurity company does
A cybersecurity company groups technical and consulting services aimed at assessing, defending and responding to risks on the digital assets of another organisation. What gets contracted varies with the product:
- Offensive technical audit (pentesting, red team): authorised simulation of an attacker to find vulnerabilities before they do.
- Defence and monitoring (SOC, SIEM, EDR, MDR): real-time detection and response to incidents, usually under a managed contract.
- GRC consulting (NIS2, DORA, ENS, ISO 27001): implementation of compliance frameworks, risk management, certification audits.
- Incident response (DFIR): containment, forensic analysis and recovery after a breach.
- Threat intelligence: feeds, monitoring of actors and campaigns, context for the defensive team.
- Training and awareness: phishing simulations, technical training, exec tabletop exercises.
What a pure cybersecurity company normally doesn't do, even if the market blurs the line:
- Sell product without service (that's a vendor, not a cybersecurity company).
- Cover "all of IT" (helpdesk, networks, generic infrastructure). That's a generalist consultancy or an MSP.
- Sell "fast" compliance certificates without a real audit. That's a regulatory risk, not a service.
Identifying the concrete problem before requesting a quote is what prevents buying capacity you don't need or falling short on what matters.
Types of cybersecurity company in Spain
The Spanish market has four well-differentiated profiles. None is better in the abstract.
Specialised boutiques
Teams of 10 to 100 people focused exclusively on offensive security, GRC, DFIR or threat intelligence. They do their own research, give conference talks, publish advisories and contribute to open source. Examples in Spain: Tarlogic, Hispasec, BlackArrow, Internet Security Auditors, Securízame and a group of mid-sized boutiques (Secra among them).
Where they fit: organisations that value technical depth and direct contact with whoever does the work. Year-over-year continuity is common because the team learns the context.
Big Four and large consultancies
PwC, Deloitte, KPMG and EY run cyber divisions inside their risk advisory practices. They fit when the buying decision sits with the executive committee and the reputational badge matters, or when the audit is contracted as part of a broader compliance project (ENS, NIS2, ISO 27001) the same provider is already leading.
Common limitation: the offensive technical profiles inside the firm rotate often, and report depth frequently falls below a boutique's. The best version of Big Four pentesting is when they subcontract to a boutique and sign off on top, a practice that is public and accepted across the industry.
MSSP and MDR (managed services)
Telefónica Tech, S2 Grupo, Innotec (Accenture), Indra, GMV and Entelgy offer managed cybersecurity as one piece within a broader programme (24/7 SOC, MDR, EDR, GRC, platform management). A clear fit when you already consume their SOC and want to consolidate vendors.
Limitation: ad-hoc pentesting is not their core product, so deliverable quality depends heavily on the specific team assigned. Continuous managed defence is where they perform best.
Vendors with professional services
Some vendors (Microsoft, AWS, Cloudflare, CrowdStrike, Palo Alto, Datadog, SentinelOne) offer professional services that include pentesting or red teaming on their own platform. Useful when the asset sits inside their ecosystem and you want the test run by whoever knows the internals.
Limitation: they tend to focus on their own ecosystem. If your surface is heterogeneous (multi-cloud, multiple SaaS, on-prem infra), they don't cover the full map.
Service areas in the standard catalogue
When you compare companies, most organise the catalogue in some combination of these families:
| Family | Typical services | When it applies |
|---|---|---|
| Offensive | Pentesting web, mobile, API, infrastructure, cloud, IoT/OT, Red Team, Purple Team | Validate the technical posture annually or after changes |
| Defence | SOC, SIEM, EDR, MDR, NDR | Continuous monitoring and response |
| GRC | NIS2, DORA, ENS, ISO 27001, PCI DSS, GDPR, risk | Regulatory compliance and certification |
| DFIR | Incident response, forensics, recovery | During or after an incident |
| Threat intelligence | Feeds, threat hunting, OSINT | Advanced defensive maturity |
| Training | Phishing simulation, technical training, tabletops | Reducing human risk |
A mature company usually covers 3-4 of these families well and partners for the rest. Few do all six with the same depth.
How to evaluate a proposal before signing
Five criteria that separate a provider that adds value from one that delivers paper:
- Identifiable and technically active team. Ask for the names of the people who will execute the project, their certifications (OSCP, OSWE, OSEP, CRTO, GPEN, CISA, CISSP depending on the product), references for similar projects and public footprint (talks, advisories, open source tooling). A serious team answers without hesitation.
- Methodology traceable to a standard. OWASP WSTG/MASVS for web/mobile, OWASP API Security Top 10 for APIs, PTES and NIST 800-115 for infrastructure, MITRE ATT&CK for red team, ISO 27001 for GRC. If the methodology is "proprietary" without reference, that's a sign of improvisation.
- Anonymised sample report. The real deliverable, not the marketing template. Look for: a clear executive summary separated from the technical section, justified CVSS severity, reproducible proof of concept, recommendations prioritised by effort.
- Retest included in scope. After fixes, the provider validates each finding. If they charge it as extra, they monetise your finding instead of closing it.
- Sector-fit capability. Auditing fintech, healthcare, public sector or industry calls for different profiles. A serious provider tells you when it's not their niche.
For pentesting-specific criteria there is a dedicated guide: how to choose a penetration testing company.
Red flags before signing
Patterns that consistently correlate with weak audits:
- Closed proposal before technical scoping. The salesperson quotes without a technical contact asking questions (how many endpoints, what user types, which critical modules, what SSO). The team improvises on arrival.
- Automated scan only, disguised as an audit. The proposal promises an "exhaustive audit" but the deliverable is a Nessus, Acunetix or MobSF PDF dressed up. Identifiable because the findings look suspiciously like the scanner output.
- Cascading subcontracting. The main company sells, a second one coordinates, freelancers execute. Each link cuts margin and quality. Detection: ask for names and verify public footprint.
- No own research or public contribution. A company that in five years hasn't published an advisory, a talk or a tool has little real technical muscle.
- Templated report in financial-audit style. A 400-page corporate document with abstract risks and no concrete payloads. Useless for fixing anything technical.
Sector specialisation in Spain
Some verticals carry specific requirements worth keeping in mind:
- Banking and financial services: DORA in application since January 2026, TLPT under TIBER-EU for significant entities, supervision by Banco de España and CNMV. Companies with documented TIBER-EU experience are scarce (publicly: S21sec/Innotec, Telefónica Tech, Mnemo and a small group of boutiques have executed TLPT projects).
- Healthcare: reinforced GDPR, essential NIS2 sector, aggravated sanction regime for health data. Mobile pentests of patient apps and audits of electronic health records are common.
- Public sector: mandatory ENS (Royal Decree 311/2022), medium and high categories demand biennial/annual documented audits, certification by an ENAC-accredited entity.
- Industry and OT: IoT/OT pentesting handled cautiously (don't audit production without a replica), familiarity with Modbus, S7, OPC UA, IEC 62443. Few providers with dedicated profiles; ask for specific industrial references.
- Retail and e-commerce: PCI DSS if payment is processed directly, mandatory annual pentest, focus on business logic and APIs.
- Telecommunications: essential NIS2, supervision by the Secretaría de Estado de Telecomunicaciones, sector-specific frameworks.
Compliance: NIS2, DORA, ENS, ISO 27001, PCI DSS
For the audit to hold up in front of a regulator or external auditor, the scope should explicitly map to the applicable framework.
- NIS2 (articles 21 and 23). Effectiveness of technical measures and incident notification. A documented audit with methodology, findings and fixes is the evidence the competent authority can request. More in NIS2 in Spain: a compliance guide for 2026.
- DORA (articles 24-26). Annual operational resilience testing and, for significant entities, TLPT under TIBER-EU every three years with accredited provider. More in DORA compliance guide for financial entities 2026.
- ENS (Royal Decree 311/2022, Operational Framework). Regular technical audit for medium and high category systems. Minimum biennial in high.
- ISO 27001:2022 (control 8.29). Documented security testing within the ISMS. The audit with methodology, findings, fixes and retest covers the control.
- PCI DSS v4.0 (req. 11.4). Annual internal and external pentest, plus after any significant change. "Industry-accepted" methodology required (PTES, OWASP, NIST 800-115). Team organisationally independent from the asset owner.
Asking the provider to indicate in the proposal which specific controls the deliverable maps to simplifies the following year's auditor work.
How the choice shifts depending on the moment
Contracting your first audit is not the same as the seventh.
- First audit of the organisation. Accept that the first report will be heavy, plan 2-3 consecutive cycles to close the initial debt, and choose a provider that helps prioritise (not one that delivers a flat list of 200 findings).
- Recurring audit with stable provider. Year-over-year continuity speeds things up because the team knows the context. Consider switching every 2-3 years to refresh the critical eye, without making it rigid policy.
- Audit after incident. Combine DFIR with external technical audit. Ideally different providers so the audit isn't done by whoever responded to the incident.
- Urgent compliance (DORA, NIS2 with closed deadline). Look for a provider with documented experience in the specific framework. Ask for references.
- Mature programme with in-house SOC. It makes sense to contract one-off pentesting from a specialised boutique and leave daily operations to the internal team plus a backup MSSP.
Frequently asked questions
How do I tell a serious cybersecurity company from one that just sells?
Three quick signals that filter well: (1) the provider's team publishes research, talks or signed advisories with name and surname; (2) the proposal closes after real technical scoping with concrete questions, not before; (3) the anonymised sample report has reproducible proof of concept, not abstract risks. If all three fail, drop it.
Is a small boutique or a large company better?
Depends on the asset and the buying organisation. The boutique brings technical depth, direct contact and continuity. The large company brings geographic coverage, integration with other services and reputational badge. What matters is not size but the profile of the specific team that executes. Ask for it by name.
How much does a cybersecurity project cost in Spain?
Varies a lot by service type, scope and target compliance. A mid-sized web pentest can run from several thousand to tens of thousands of euros; a full NIS2 implementation project, in the order of several tens of thousands. What's most useful when comparing is not the absolute figure but the cost per person-day of the team and the proposed duration for the same scope. Two proposals with the same bottom line can hide a factor of three in real hours worked. More in penetration testing pricing in Spain.
Is a single provider better or several specialised ones?
Mature programmes usually combine providers: one company for technical audit (offensive boutique), another for managed services (MSSP) and a third for GRC consulting (consulting boutique or Big Four). Concentrating everything with a single provider creates dependence and limits external perspective. Spreading across too many raises governance overhead.
Do I need a Spanish company or will an international one do?
For pure technical services (pentesting, red team, DFIR), an international company can work if it has the profile. For ENS compliance, Spanish NIS2, GDPR and projects with public administrations, a provider with presence and documented experience in Spain is preferable: they know the regulator, the timelines and the formats better. For sectors with state-level regulation (banking with Banco de España, telco with SETID), local presence is practically mandatory.
How do I verify the assigned team is really the one that signed the proposal?
Ask for it in the contract as an explicit clause: the named team in the proposal is who executes. Any substitution requires prior notice and client acceptance. Most serious providers accept it; those who resist usually have internal rotation issues they don't want to acknowledge.
Related resources
- How to choose a penetration testing company: specific criteria for offensive audit.
- What is a penetration test: the technical pillar of the offensive cluster.
- Penetration testing pricing in Spain: how engagement budgets really get scoped.
- Web security audit complete guide: what a concrete web audit includes and how to evaluate the proposal.
- NIS2 in Spain: compliance guide for 2026: the main regulatory framework in essential sectors.
How we work at Secra
Secra is a boutique offensive cybersecurity company based in Spain. We cover web, mobile, API, internal and external infrastructure, cloud, IoT/OT pentesting and red team with OWASP WSTG/MASVS, API Top 10, PTES and MITRE ATT&CK methodologies. We run an internal research programme that has published advisories on NVD and INCIBE-CERT (including CVE-2025-40652 in CoverManager and CVE-2023-3512 in Setelsa ConacWin CB). Every report includes reproducible proof of concept, justified CVSS severity, retest at no extra cost and mapping to NIS2, DORA, ENS, ISO 27001 or PCI DSS as applicable. If you want a concrete proposal for your organisation, get in touch through contact or explore the services and managed cybersecurity catalogue.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.