Pentest GDPR (Portugal, Itália, União Europeia)
Pentest mapeado para GDPR — art. 32 (segurança do processamento), art. 33-34 (notificação 72h), art. 35 (DPIA). CNPD, Garante, AEPD.
Why now
The real pain
Empresa BR com operação em PT/IT/ES está sob GDPR, não LGPD. Multa GDPR vai a 4% do faturamento global (não local). CNPD (PT) e Garante (IT) fiscalizam ativamente. Pentest mapeado pra art. 32 é evidência de "medidas técnicas e organizativas adequadas".
Standard and reference
/attack-surface
GDPR (UE)
Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.
Art. 32 — Segurança do processamento
Criptografia em repouso/trânsito, pseudonimização, integridade, disponibilidade, restauração.
Art. 33-34 — Notificação de violação
Runbook 72h, validação de canal, decisão de notificação ao titular.
Art. 35 — DPIA
Apoio a DPIA para processamento de alto risco.
Art. 25 — Privacy by design
Validação de defaults, opt-in vs opt-out, minimização.
Art. 28 — Subprocessador
Cyber DD em provider, contrato art. 28, transferência internacional.
Cookies e consent (ePrivacy)
Banner de cookie compliant, granular consent, log de consentimento.
/methodology
Genuinely manual pentest
Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.
01 · Reconnaissance
Target mapping, OSINT, footprint, sector-specific threat modeling.
02 · Discovery
Deep enumeration, complementary scanning, manual exposure identification.
03 · Exploitation
Manual validation with controlled PoC, finding chaining, escalation.
04 · Report
Executive + technical, step-by-step replication, mapped to applicable regulation.
/why-trust
Who has trusted our work
Pentest em operações BR com filiais ou clientes na UE — saúde, fintech, SaaS B2B internacional.
Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.
Douglas Lopes
Founder · CEO · intrus.io
/crivo · integrity program
of pentester candidates fail our Crivo screening
Do you know who's getting access to your environment?
NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.
- In-depth criminal, fiscal and professional verification
- Psychometric assessment and risk profile
- Practical integrity testing with controlled scenarios
- Fixed team — non-rotating, no 'stranger every engagement'
/faq
FAQ — GDPR (UE)
CNPD/Garante aceitam o relatório?
Sim. Modelo em português europeu/italiano com mapeamento por artigo GDPR + DPIA-ready.
Faixa de preço?
Operação pequena: R$ 25-55k. Médio com sub-processadores: R$ 60-130k. Enterprise multi-país: R$ 120-280k.
/contact
Cotar pentest GDPR
Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.