Hiring a cybersecurity company in Seville brings particularities that do not appear in other Spanish capitals. The capital of Andalusia hosts the regional government of the Junta de Andalucía and therefore concentrates a large autonomous administration with a substantial budget and strict ENS compliance requirements. Alongside that institutional weight, the Aerópolis aerospace cluster operates with Airbus, Aciturri and the tier 1 and tier 2 chain around the A400M programme. A permanent tourism sector combines heritage, hotels, organised hospitality and events. Andalusian agroindustry, light shipbuilding along the lower Guadalquivir and renewable energy installed across the region complete a map with very specific cyber demand.
This guide summarises how the Seville and Andalusia cyber ecosystem looks in 2026, which sectors concentrate the most work, which regional authorities coexist with INCIBE-CERT and what practical criteria help select a provider that truly fits the territory. If your organisation is based in Seville, Málaga, Granada or any Andalusian province and you need pentesting, audit or incident response, the criteria differ from contracting in Madrid or Barcelona.
Key takeaways on cybersecurity in Seville
- Seville concentrates regional public administration (Junta de Andalucía), the Aerópolis aerospace cluster, continuous tourism, agroindustry, light shipbuilding and renewable energy.
- The right provider often needs Spanish and English working fluency (aerospace deals with an international supply chain) and the ability to deploy on-site to plants and regional government offices.
- ENS High Category accreditation is practically mandatory to work with regional ministries and dependent entities.
- Applicable frameworks combine ENS for regional public administration, NIS2 for aerospace and energy, GDPR reinforced by tourism volume, and aeronautical sector regulation.
- Cost for standard services is comparable to Madrid. Projects with extended travel to a plant or provincial sites may carry a dedication premium.
What makes Andalusian cybersecurity different
The Andalusian ecosystem combines layers that rarely appear together in other European territories. The capital hosts the Junta de Andalucía, with its regional ministries distributed across Seville and other Andalusian cities, autonomous bodies, agencies and public companies. It is the largest autonomous administration in southern Europe measured by population served, and its entire digital perimeter falls under the Esquema Nacional de Seguridad (ENS).
The second axis is the aerospace cluster. The Aerópolis aerospace technology park, located in La Rinconada north of San Pablo Airport, gathers Airbus Defence and Space, Aciturri, Alestis, Aernnova and dozens of SMEs specialised in machining, composite materials, systems and services for programmes such as the A400M, the A330 MRTT and unmanned aircraft. The international supply chain imposes very specific and traceable cybersecurity contractual requirements on tier 2 and tier 3 suppliers, with information security audits driven by the prime contractors.
The third pillar is tourism. Seville, Málaga, Granada, Córdoba and Cádiz receive cultural and coastal tourism throughout the year, with peaks in Holy Week, spring and autumn. Hotel chains, hospitality, nightlife, theme parks and tour operators handle high volumes of credit cards and international personal data. POS terminals, online checkout and reservation engines concentrate the risk.
Finally, the agroindustry of the Guadalquivir Valley, Andalusian olive oil, Huelva strawberries, the fishing sector in Cádiz and large agri-food operators form an industrial fabric with growing digitalisation and exposure to fraud, supplier impersonation and ransomware. The renewable energy installed in Andalusia (solar photovoltaic, wind, biomass) adds critical infrastructure classifiable under NIS2.
Sectors with highest demand
Not every Andalusian sector consumes cybersecurity at the same pace. These are the ones that concentrate most of the audit, defence and consulting work in the metropolitan area of Seville and across the autonomous community.
Aerospace and supply chain
The Aerópolis cluster is the most demanding B2B cybersecurity buyer in the region. Prime contractors impose information security requirements on suppliers aligned with frameworks such as ISO 27001, controls equivalent to IEC 62443 in parts of the plant, IT and OT segmentation on lines with connected systems and regular security audits. Typical work mixes pentesting of engineering applications, review of sensitive programme data transfer, segmentation of manufacturing networks and analysis of the software supply chain for embedded components.
Regional and local public administration
The Junta de Andalucía, the provincial councils, the major Andalusian municipalities and dependent entities apply ENS. Regional ministries and agencies are usually rated as High Category under the scheme due to the volume of information they process. Typical projects include ENS audit by an accredited certifier, adaptation plans, service continuity exercises, review of digital services for citizens and training for technical staff of the regional ministries. Contractors of the Junta must also accredit ENS to qualify for many tender processes.
Tourism and hospitality
Andalusian hotel chains, direct sales platforms, inbound tour operators, organised hospitality and tourist retail live with attack surfaces that combine public web, OTA integrations (Online Travel Agencies), PMS systems, payment gateways, physical POS terminals and mobile applications. Pressure rises during specific events (Holy Week, Feria de Abril, festivals) and during the coastal high season. Typical incidents replicate the national pattern with gateway compromise, checkout skimming and ransomware affecting mid-sized chains.
Agroindustry and exporting SMEs
Agricultural cooperatives, olive oil mills, canneries, wholesale produce traders and exporters handle international invoicing with recurring exposure to BEC fraud, supplier impersonation and corporate email compromise. The progressive digitalisation of production lines and connectivity with international buyers opens new attack surface. Typical projects are lightweight audits, email hardening and operational training for administrative staff.
Renewable energy
Photovoltaic plants, wind farms, biomass and the operators that manage them have SCADA systems, remote monitoring and connectivity with electrical system operators. Under NIS2 a large share of these operators qualifies as essential or important entity. Cyber work mixes segmentation, review of vendor remote access and review of industrial protocols.
Criteria for choosing a cyber company in Seville
The basic questions are the same as in any European capital, plus some specific to the Andalusian environment that are worth asking directly.
- Working Spanish and English. The aerospace sector deals with an international supply chain, English documentation and multilingual technical meetings. The team that signs the report must be able to defend it in English in front of the European buyer.
- On-site capability across Andalusia. Audits at Aerópolis plants, reviews at provincial regional ministry offices, internal pentesting from the client site or on-site incident response require deployment. It is worth verifying the availability of a local team or a team able to mobilise within the day and putting it in the contract.
- ENS High Category accreditation. To bid for regional ministries and many dependent agencies, the provider's own ENS accreditation is a standard requirement in the tender specifications. Without it, many tenders eliminate the company at the administrative stage.
- Documented experience in aerospace supply chain. Auditing a tier 2 aerospace supplier is not equivalent to auditing an agri-food SME. Requesting references with permission to contact is the fast way to filter out generic profiles.
- Technical certifications of the delivery team. OSCP, OSEP, OSWE, CRTO, GIAC in forensic or defensive branches, plus specific training in IEC 62443 when industrial OT is involved. It is not enough that the director holds them. Tenders and corporate buyers require them for the profiles that actually sign deliverables.
- Own research. Published CVEs, signed advisories, contributions to sector conferences. This distinguishes a team that investigates from one that only executes commercial templates.
- Handling of sensitive aerospace information. Reinforced NDAs, secure transfer, encrypted storage with documented destruction, project separation when the buyer is defence. The provider must have procedures, not improvisation.
AndalucíaCERT and regional authorities
The Andalusian Information Security Centre, known as AndalucíaCERT, is the incident response team that covers the Andalusian regional public sector. It reports to the Junta de Andalucía ministry responsible for digital transformation and coordinates the response to incidents affecting regional administration systems, as well as prevention work, training and dissemination of alerts. For a company that experiences an incident while being a contractor of the Junta or providing digital services to a regional ministry, AndalucíaCERT is one of the natural counterparts.
The interface with INCIBE-CERT works under the usual logic of the Spanish model. INCIBE-CERT keeps its national role for SMEs, citizens and operators not assigned to a regional or sector CSIRT, while AndalucíaCERT covers the Andalusian regional scope. For incidents affecting essential operators under NIS2, notification escalates to the competent CSIRT according to sector and territorial scope.
Regarding ENS, Andalusian municipalities, the eight provincial councils and entities dependent on the Junta apply the scheme like the rest of Spanish public administrations. Accredited certifiers and the procedure are national. What Seville and Andalusia add is volume: by community size, there are more active ENS projects running in parallel than in other autonomous regions.
Typical services in highest demand
The catalogue requested by the Andalusian market concentrates around five main families.
| Service | Typical demand in Andalusia |
|---|---|
| Aerospace supply chain pentesting | Tier 1 and tier 2 at Aerópolis, defence contractors |
| ENS audit for public administration | Junta ministries, provincial councils, Andalusian municipalities |
| POS and tourism web pentesting | Hotel chains, booking platforms, tourist retail |
| DFIR for tourism | Response to ransomware and gateway compromise in hospitality |
| Agroindustry SME training | Anti-phishing, BEC, email hardening, secure habits |
Aerospace pentesting combines application, infrastructure, segmentation and ISMS documentation review. ENS audit follows the procedure of the accredited certifier, with analysis of the statement of applicability, review of implementation and action plan. Hospitality pentesting enters through the public web or the reservation engine and often includes physical POS when the scope allows it. DFIR requires immediate response with a deployable team. Training for agro SMEs is normally delivered in short on-site sessions at the client or cooperative.
Applicable regulatory frameworks
For a company based in Andalusia, the regulatory map is ordered in four coexisting layers depending on the sector.
- ENS. Mandatory for Andalusian regional public administration, its dependent bodies and its contractors processing administration information. High Category is common in regional ministries due to volume and sensitivity. Accreditation is documented and renewed through periodic external audit.
- NIS2 transposed into Spanish law. Applies to essential and important operators according to the European annexes: aerospace and defence when the operator fits, renewable energy and electrical infrastructure, water, health, transport and significant digital providers. The Spanish transposition defines the competent authority, notification deadlines and the sanctioning regime.
- GDPR reinforced for mass tourism. The volume of international personal data moved by the Andalusian tourism chain pushes GDPR audit beyond the checklist: international transfers, lawful basis for profiling, management of rights for non-resident guests and records of processing activities at the level required by the AEPD.
- Aeronautical sector regulation. Military and dual programmes apply specific requirements for the protection of classified information, export controls and supply chain traceability. The cyber provider working with aerospace tier 1 contractors must understand these frameworks without an initial explanation.
To this is added, depending on the vertical, PCI DSS for entities processing payments, DORA for financial entities supervised by the Bank of Spain or ECB, and ISO 27001 as a reference standard for corporate ISMS management.
Boutique vs Big4 in the Seville ecosystem
The four provider types of the national market are present in Seville, with nuances worth knowing before comparing proposals.
| Criterion | Specialised boutique | Big4 / large consultancy | National MSSP | Vendor with services |
|---|---|---|---|---|
| Technical depth | High. Stable team | Variable. Frequent turnover | Medium. Focus on continuous operations | High inside its ecosystem |
| Access to the executor | Direct | Filtered by project manager | Filtered by service manager | Direct with product consultants |
| Indicative price for mid-sized project | Medium | High | Medium-high | High |
| Working languages | Spanish and English (boutique-dependent) | Spanish and English | Spanish and English | English primarily |
| On-site capability in Andalusia | High if it has local or deployable team | High at premium cost | Variable depending on contract | Limited in Spain |
| Aerospace supply chain fit | High if the boutique specialises | Medium. Often subcontracts profiles | Low. Not its core | Variable |
| ENS public administration fit | Good if it has a track record and accreditation | Very good. Their usual terrain | Good when entering through framework contract | Low |
The practical choice for many Andalusian companies and administrations ends up being a combination: specialised boutique for technical audit and one-off compliance, MSSP for continuous managed defence, and Big4 when there is a cross-functional project requiring orchestration capability and a recognisable signature in the tender.
Indicative cost
The price in Seville does not differ significantly from Madrid or Barcelona for standard services. Indicative ranges for 2026, for a mid-sized company in a regulated sector, are approximately of these orders of magnitude.
- Simple web pentesting (1 to 3 applications, scoped engagement): between 6,000 and 18,000 euros, depending on number of roles, integrations and requested depth.
- Mobile pentesting (iOS and Android of a single app): between 7,000 and 15,000 euros.
- ENS audit with accredited certifier (medium scope at a regional body): between 18,000 and 60,000 euros depending on number of systems and volume of the statement of applicability.
- Aerospace supply chain audit with documentary, technical and supply chain review: between 20,000 and 70,000 euros depending on scope.
- Red team for 6 to 10 weeks: between 40,000 and 120,000 euros depending on objectives and rules of engagement.
- Full NIS2 compliance (gap, remediation plan, support to notification): between 25,000 and 80,000 euros.
- DFIR with annual retainer: fees from 6,000 euros per year with reserved hours, plus an hour pool at daily rate when the case is activated.
- On-site agroindustry SME training: between 1,500 and 4,000 euros per session including materials and practical exercises.
Factors that can move the ranges upwards in Andalusia are the need for extended travel to provinces beyond Seville (Almería, western Huelva, inland Jaén, mountain ranges), sustained on-site dedication at aerospace plants and extended working hours when the goal is to minimise impact during peak tourist season or plant maintenance windows.
Frequently asked questions
Do providers come on-site to Andalusia?
Yes. For audits at Aerópolis plants, reviews at provincial offices of regional ministries, internal pentesting from the client site, in-person training and on-site incident response, serious providers deploy a team. For a company with sites distributed across the community, finding a boutique with a local or same-day deployable team is common in the Seville, Málaga and Granada axis. In less densely populated provinces travel is planned with margin. It is worth asking explicitly and writing it into the contract.
Is ENS High Category accreditation required?
It depends on who the provider works for. To bid for Junta ministries and many Andalusian regional agencies, the provider's own ENS accreditation is a standard tender requirement. The High Category covers the most sensitive systems, and obtaining it shows that the cyber company handles data and processes at the highest level of the scheme. For purely private engagements it may not be mandatory, but it is usually a good indicator of maturity.
How does an aerospace supply chain audit work?
It combines several layers. The supplier's ISMS is reviewed (policies, risk management, access controls, incident management), technical pentesting is performed on infrastructure and applications, segmentation between corporate and manufacturing networks is evaluated, sensitive programme data transfers are reviewed and the supplier's own software supply chain is analysed. The deliverable is usually aligned with the frameworks requested by the prime contractor (ISO 27001, controls equivalent to IEC 62443 when OT is involved, programme-specific requirements) and is delivered in Spanish and English.
What about tourism data under GDPR?
Processing of international guest data involves international transfers, rights management for non-residents, processing of minors when families travel and, in some cases, commercial profiling that requires a carefully chosen lawful basis. The AEPD has fined hotel chains for breaches and for poor consent management. A cyber provider working in the Andalusian tourism sector should understand these dimensions beyond the technical report and help align them with the security audit.
Is cost higher or lower than in Madrid?
For standard services (web, mobile, API, cloud pentesting), rates are comparable between Seville and Madrid. For projects with sustained travel to aerospace plants, to provincial regional ministry offices or to operators in less densely populated provinces, cost may rise slightly due to specific team dedication. For managed services, prices follow homogeneous national rates from each MSSP, so the geographical origin of the client has little influence.
How are NDAs and confidentiality handled in aerospace?
The sector standard is signing a mutual NDA before any sensitive information is shared, including detailed project scope. In aerospace and defence, NDAs are reinforced with clauses about programme information handling, physical and logical separation of the project in the provider's infrastructure, documented destruction of evidence and traceability of who accessed what material and when. For regulated companies a data processing agreement is also signed when the scope touches systems with personal data.
Work with Secra in Seville
At Secra we cover projects in Seville and across Andalusia with on-demand on-site deployment for aerospace, regional public administration, hospitality and industry. The team works in Spanish and English with certified profiles (OSCP, OSEP, OSWE, CRTO) and we deliver pentesting on web, mobile, API, internal and external infrastructure, cloud, IoT and OT, plus red team and DFIR, with OWASP WSTG, MASVS, API Top 10, PTES and MITRE ATT&CK methodologies. We are prepared for ENS tenders with regional bodies, we map projects to NIS2, DORA, ISO 27001 and PCI DSS as applicable, and we maintain our own research with published CVEs. For aerospace supply chain we work with reinforced NDAs and documented project separation. If you want a specific proposal, write to us through the contact page and you will talk directly with a senior consultant, with no commercial filters.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.