Hotels, Inns and Resorts

Pentest for Hotels, Inns and Resorts

Security for PMS, booking engine, RFID locks, guest Wi-Fi and OTA integrations.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Hotels are a golden target: passports, cards, IDs, location data and consumption patterns of guests — including executives traveling for business. RFID locks cloned with $50 gadgets, booking engines integrated with OTAs, legacy PMS. Ransomware shuts down check-in in high season — million-dollar losses.

Applicable regulation

LGPD · GDPR (PT/IT) · PCI-DSS · ANPD/CNPD

/attack-surface

Vectors we test in hotels, inns and resorts

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

PMS (Property Management System)

Unauthorized access to reservations, rate manipulation, folio fraud and overnight adjustments.

02

RFID/NFC room lock

Card cloning, master key, proximity bypass, SDR attack.

03

Guest Wi-Fi

Captive portal, segregation, MitM against executives on corporate travel.

04

Booking engine and OTA

Booking.com, Expedia — sync, rate manipulation, malicious overbooking.

05

Telephony and digital safe

Improper charges, improper safe opening, consumption fraud.

06

Loyalty program

Point manipulation, miles/cashback fraud, upgrade abuse.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Demand from luxury hotel chains in Brazil, Portugal and Italy.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Hotels, Inns and Resorts

Do you actually test the lock?

Yes. We audit RFID/NFC with SDR and Proxmark, including replay/clone and proximity attacks. Work is done with cards provided by the client.

How do you handle guest data during the pentest?

We don't store real PII. We work in mirror environments and, when needed, with anonymized or synthetic data.

/contact

Ready for a serious pentest in hotels, inns and resorts?

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.