VoIP penetration testing
Find what a port scan never places.
SIP REGISTER hijacking, RTP eavesdropping, SDP injection, IAX2 brute force, voice-VLAN hopping, Asterisk AMI exposure, and PSTN-trunk toll fraud, tested by hand against your PBX, SBC, and signalling stack. Every finding lands with a recorded call, the replayed media, and the dialplan diff your engineers can ship.
Four planes
Signalling · Media · PBX · Edge, one method, four layers of the stack.
Proof of call
Every finding ships with a recorded call, replayed RTP, or a fraudulent toll-out.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure
On record
Why an open port isn't a placed call
An open port is not a placed call.
A scanner reports SIP/5060 listening, AMI reachable, SRTP optional. SecureLayer7's operators take it further, register a phantom extension, hijack the next inbound call, decode the RTP stream, and run a fraudulent toll-out across your PSTN trunk. Every finding ships with the recorded call, the replayed media, and the dialplan or SBC diff your team can deploy.
IN SCOPE.
What lands in a VoIP engagement.
REGISTER abuse, INVITE flooding, identity spoofing, dial-plan injection, REFER abuse for toll fraud.
RTP injection, eavesdropping where SRTP isn't enforced, codec-conversion abuse on media gateways.
Default credentials, admin-interface exposure, trunk-side trust, CDR tampering, voicemail PIN brute force.
Trunk-side abuse, caller-ID spoofing past STIR/SHAKEN gaps, premium-rate fraud paths, peering trust.
What we test ,
Four planes of the call. One engagement.
Each layer gets a manual, threat-modelled review against its real attack surface, signalling, media, infrastructure, and the trunk edge. Intensity tunes per scope.
Signalling, SIP / SDP
REGISTER hijacking, INVITE flooding, BYE/CANCEL race conditions, SDP rewriting, ALG bypass, digest-auth replay, contact-header rewrite, and presence-leak via SUBSCRIBE/NOTIFY.
Media, RTP / SRTP
RTP eavesdropping, ZRTP/SRTP downgrade, DTMF injection, codec confusion, replay across the media stream, comfort-noise abuse, and media-relay bypass.
Infrastructure, PBX core
Asterisk AMI/CLI exposure, FreeSWITCH event-socket misconfiguration, Cisco CUCM AXL credential leak, dialplan logic abuse, voicemail PIN brute force, IVR fingerprinting and option escape.
Edge, SBC + SIP trunk
SBC peering misconfiguration, voice-VLAN hopping, SIP trunk toll fraud, IAX2 brute force, NAT/ALG traversal abuse, peer-spoofed call replays, and geo-routing rule override.
VOIP METHODOLOGY.
Eight phases. Dial plan to media stream.
Threat-modelled to your dial plan, trunk peering, and PBX topology. Not a template we run against every voice network.
Scope & threat-model
Inventory of extensions, trunks, codecs, voicemail, and IVR is agreed before any signalling is touched. In-scope numbers and call windows defined in writing.
Recon & enumeration
SIP scanning (svmap, svwar, svcrack), extension enumeration via REGISTER and INVITE responses, codec offer probing, ALG fingerprinting, IAX2 discovery, exposed AMI or HTTP admin.
Signalling exploitation
REGISTER hijacking, contact-header rewrite, BYE or CANCEL race, INVITE replay across digest auth, SDP rewriting, dialog-ID prediction, ALG bypass. Exercised to call control.
Media exploitation
RTP capture and decode, SRTP or ZRTP downgrade where the offer permits, DTMF injection, codec mismatch leading to garbled-then-replayed audio, comfort-noise abuse.
Infrastructure exploitation
Asterisk AMI privilege escalation, FreeSWITCH event-socket abuse, CUCM AXL credential reuse, dialplan injection, voicemail PIN brute force, IVR option escape.
Toll-fraud & trunk abuse
Outbound toll fraud across the PSTN trunk, premium-rate dialing, peer-spoofed call replays, geo-routing override. Measured to a billed call.
Remediation guidance
Asterisk pjsip.conf snippets, CUCM partition diffs, SBC ACLs, dialplan rewrites, ZRTP-mandatory configurations, AMI or HTTP admin lockdown. Written for voice engineers, not auditors.
Patch verification
Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each call path is closed.
Insights
VoIP security Resources.
SIP/RTP write-ups: registration hijack, billing fraud paths, and the VoIP-side bugs we find in carrier and enterprise PBX gear.
Meet our expert
One lead across signaling and media planes.
John Dill
vCISO at SecureLayer7
15+
Years in offensive security
150+
Engagements led to date
99.99%
On-time engagement delivery
John scopes VoIP and telecom engagements against your dial plan, trunk peering, and PBX topology. He guides the pod from kick-off through final report and re-test.
- Scopes Asterisk, FreeSWITCH, CUCM, and SBC engagements against your real call paths.
- Owns kick-off, mid-engagement check-ins, and live walkthrough of every recorded call.
- Drives remediation review and re-test until every signalling and media finding is closed.
Ready to scope a VoIP pentest? Book 30 minutes with John to walk through your dial plan, trunk peering, and timeline.
Book a 30-min callTested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
FinTech
Banking IVR, fraud-team voice infrastructure, recording-and-retention chains.
Built for Australia engagements
What changes when we deliver here.
Regulatory framework
T(C)SA section 314A clause per finding
Compliance scoping
ASD ISM voice-network controls map
Local engagements
AU UCaaS — 27 PBX tenants tested in 4 weeks
Local pricing
AUD per-tenant pricing, GST itemised
Compliance scoping
AUD toll fraud exposure rate per finding
Questions Australian unified-comms teams ask first.
Do you cover SIP toll fraud paths?
Yes. SIP registration, INVITE flood, and dial-plan abuse are tested. Each finding lists the AUD toll fraud exposure rate.
How are SBC findings reported?
Per vendor — Ribbon, AudioCodes, Oracle ACME — with the configuration item and the ASD ISM voice-network control gap stated.
Is media encryption checked?
Yes. SRTP, ZRTP, and DTLS-SRTP are tested. Missing encryption is flagged for PSPF voice-handling clauses where applicable.
Does the report help an ACMA enquiry?
Yes. Carrier-grade findings list the T(C)SA section 314A clause. ACMA-relevant evidence is in a dedicated appendix.
Delivery in Australia
T(C)SA voice. ASD ISM voice net.
SIP, RTP, and SBC findings cite ASD ISM voice-network controls. Carrier-side gaps are flagged against the T(C)SA section 314A duty to protect.
- Direct line
- +61-2-0000-0000
- Office
- Sydney, Australia
Frameworks scoped: ASD Essential 8 · APRA CPS 234 · Privacy Act · ISO/IEC 27001.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: full vulnerability narrative, working proof-of-call, code-level fix guidance for voice engineers. Sent on request after a 5-minute scoping call.