/compliance · LGPD

Pentest for LGPD: Art. 46 as Evidence, Art. 52 as Mitigator

Manual pentest as objective evidence of adequate technical measures (art. 46) — explicit mitigator in the ANPD's fine dosimetry (art. 52, §3).

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

ANPD imposes fines, suspension and data blocking. Officers face personal liability, including reimbursement, for misconduct. Auditors demand evidence of technical measures — scanner reports don't pass. A manual pentest with findings mapped to LGPD articles is the only deliverable lawyers, data officers and prosecutors accept.

Standard and reference

Lei 13.709/2018 (LGPD) · Resolução CD/ANPD 4/2023 · Resolução CD/ANPD 6/2023 · Resolução CD/ANPD 15/2024

/attack-surface

LGPD

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01 · Findings ↔ LGPD article mapping

Every technical finding maps to the violated article and the impacted data category (personal, sensitive, minor).

02 · Legal basis audit

Validation of consent, legitimate interest, contract execution and public policy (public-sector processing, art. 23).

03 · Sensitive data handling (art. 11)

Health, biometrics, religious, racial, political — segregation, at-rest encryption, access control audit.

04 · Data subject rights (arts. 18-22)

Portability, deletion, anonymization, automated decision review — functional and security testing.

05 · DPO and governance

Validation of subject-request channel, incident workflow (art. 48), RIPD evidence.

06 · Sharing and international transfer

Processor and contract auditing (arts. 33-36).

07 · Breach and ANPD notification

Detection time, communication runbook, mitigation attempt evidence.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Engagements with controllers and processors in healthcare, fintech, retail and the public sector. Findings mapping accepted by DPOs during ANPD inspections.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87% of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ — LGPD

Does pentest count as art. 46 evidence?

Yes. Art. 46 requires "technical and administrative security measures fit to protect personal data". Manual pentest with technical report, remediation plan and recurring cycle is the most objective evidence accepted by lawyers, auditors and prosecutors.

And as a fine mitigator?

Yes. Art. 52, §1, IX and §3 consider "reiterated and demonstrated adoption of internal mechanisms and procedures" and "adoption of best practices and governance". Pentest is exactly that.

How high can LGPD fines go?

Up to 2% of revenue, capped at BRL 50 million per infraction. For public entities, ANPD uses a different basis (unit budget). Daily fines with the same cap. Suspension and blocking are also possible.

Do you produce the RIPD too?

No. RIPD is the DPO's work. We deliver the technical report in a format that feeds the RIPD directly, with per-article mapping.

Does a small company need it?

If it processes personal data regularly, yes. ANPD doesn't exempt SMBs from LGPD — it only adjusts the dosimetry. Lean SMB packages exist starting at BRL 12-25k.

/contact

Reduce LGPD risk

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.