Does the audit meet CITC class licensing rules?

Yes. Findings cite the CITC class licence duties that apply to VoIP providers. The compliance file reads cleaner at renewal.

Are NCA ECC 2-5 voice clauses evidenced?

Yes. SIP trunks, SBC ACLs, and call recording are tested against ECC 2-5 voice network rows. Each finding cites the sub-control.

Do you cover toll fraud and CLI spoofing?

Yes. We model real-world toll fraud against Saudi origination patterns. CLI spoofing risk on STC, Mobily, and Zain interconnects is checked.

How are call captures handled?

PCAPs and recordings stay on a KSA-region capture host. Any subscriber identifier is masked before transit during reporting.

VoIP penetration testing

Find what a port scan never places.

SIP REGISTER hijacking, RTP eavesdropping, SDP injection, IAX2 brute force, voice-VLAN hopping, Asterisk AMI exposure, and PSTN-trunk toll fraud, tested by hand against your PBX, SBC, and signalling stack. Every finding lands with a recorded call, the replayed media, and the dialplan diff your engineers can ship.

See the VoIP method

Four planes

Signalling · Media · PBX · Edge, one method, four layers of the stack.

Proof of call

Every finding ships with a recorded call, replayed RTP, or a fraudulent toll-out.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record

Why an open port isn't a placed call

An open port is not a placed call.

A scanner reports SIP/5060 listening, AMI reachable, SRTP optional. SecureLayer7's operators take it further, register a phantom extension, hijack the next inbound call, decode the RTP stream, and run a fraudulent toll-out across your PSTN trunk. Every finding ships with the recorded call, the replayed media, and the dialplan or SBC diff your team can deploy.

Two columns. Scanner findings on the left escalate to proven exploits on the right: SIP open to REGISTER hijack, SRTP optional to RTP intercept, AMI reachable to PBX takeover, trunk ACL wide to toll fraud.

IN SCOPE.

What lands in a VoIP engagement.

SIGNALING

SIP + H.323

MEDIA

RTP + SRTP

RTP injection, eavesdropping where SRTP isn't enforced, codec-conversion abuse on media gateways.

INFRASTRUCTURE

PBX + SBC

Default credentials, admin-interface exposure, trunk-side trust, CDR tampering, voicemail PIN brute force.

INTERCONNECT

Carrier trust

Trunk-side abuse, caller-ID spoofing past STIR/SHAKEN gaps, premium-rate fraud paths, peering trust.

What we test ,

Four planes of the call. One engagement.

Each layer gets a manual, threat-modelled review against its real attack surface, signalling, media, infrastructure, and the trunk edge. Intensity tunes per scope.

Signalling, SIP / SDP

REGISTER hijacking, INVITE flooding, BYE/CANCEL race conditions, SDP rewriting, ALG bypass, digest-auth replay, contact-header rewrite, and presence-leak via SUBSCRIBE/NOTIFY.

Media, RTP / SRTP

RTP eavesdropping, ZRTP/SRTP downgrade, DTMF injection, codec confusion, replay across the media stream, comfort-noise abuse, and media-relay bypass.

Infrastructure, PBX core

Asterisk AMI/CLI exposure, FreeSWITCH event-socket misconfiguration, Cisco CUCM AXL credential leak, dialplan logic abuse, voicemail PIN brute force, IVR fingerprinting and option escape.

Edge, SBC + SIP trunk

SBC peering misconfiguration, voice-VLAN hopping, SIP trunk toll fraud, IAX2 brute force, NAT/ALG traversal abuse, peer-spoofed call replays, and geo-routing rule override.

VOIP METHODOLOGY.

Eight phases. Dial plan to media stream.

Threat-modelled to your dial plan, trunk peering, and PBX topology. Not a template we run against every voice network.

Scope & threat-model

Inventory of extensions, trunks, codecs, voicemail, and IVR is agreed before any signalling is touched. In-scope numbers and call windows defined in writing.

Recon & enumeration

SIP scanning (svmap, svwar, svcrack), extension enumeration via REGISTER and INVITE responses, codec offer probing, ALG fingerprinting, IAX2 discovery, exposed AMI or HTTP admin.

Signalling exploitation

REGISTER hijacking, contact-header rewrite, BYE or CANCEL race, INVITE replay across digest auth, SDP rewriting, dialog-ID prediction, ALG bypass. Exercised to call control.

Media exploitation

RTP capture and decode, SRTP or ZRTP downgrade where the offer permits, DTMF injection, codec mismatch leading to garbled-then-replayed audio, comfort-noise abuse.

Infrastructure exploitation

Asterisk AMI privilege escalation, FreeSWITCH event-socket abuse, CUCM AXL credential reuse, dialplan injection, voicemail PIN brute force, IVR option escape.

Toll-fraud & trunk abuse

Outbound toll fraud across the PSTN trunk, premium-rate dialing, peer-spoofed call replays, geo-routing override. Measured to a billed call.

Remediation guidance

Asterisk pjsip.conf snippets, CUCM partition diffs, SBC ACLs, dialplan rewrites, ZRTP-mandatory configurations, AMI or HTTP admin lockdown. Written for voice engineers, not auditors.

Patch verification

Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each call path is closed.

Insights

VoIP security Resources.

SIP/RTP write-ups: registration hijack, billing fraud paths, and the VoIP-side bugs we find in carrier and enterprise PBX gear.

3CX desktop supply-chain compromise infection chain diagram

VoIP

3CX Supply Chain Compromise, technical analysis and PoC

Trojanised VoIP/PBX desktop client shipped to 600,000+ orgs. Infection chain, MITRE techniques, IoCs and remediation steps from the SL7 lab.

Spoofing

Caller-ID spoofing, vishing, and how attackers fake trust

Caller-ID, IP and email spoofing primitives, how SIP and PSTN trust is abused, and the layered defences that actually hold up under a pentest.

Network

Defending against MITM attacks with network segmentation

RTP eavesdropping is a MITM problem first. How proper voice-VLAN segmentation and trust boundaries take the man out of the middle.

Meet our expert

One lead across signaling and media planes.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes VoIP and telecom engagements against your dial plan, trunk peering, and PBX topology. He guides the pod from kick-off through final report and re-test.

Scopes Asterisk, FreeSWITCH, CUCM, and SBC engagements against your real call paths.
Owns kick-off, mid-engagement check-ins, and live walkthrough of every recorded call.
Drives remediation review and re-test until every signalling and media finding is closed.

SL7 Lab. Published CVE research.

Ready to scope a VoIP pentest? Book 30 minutes with John to walk through your dial plan, trunk peering, and timeline.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Retail

Contact-center voice infrastructure, IVR, customer-PII voice paths.

See Retail pentest

Tech SaaS

SaaS-embedded voice (CCaaS), WebRTC SIP gateways, SBC boundaries.

See Tech SaaS pentest

FinTech

Banking IVR, fraud-team voice infrastructure, recording-and-retention chains.

See FinTech pentest

Built for Saudi Arabia engagements

What changes when we deliver here.

Compliance scoping
CITC class licensing rules cited per VoIP finding
Regulatory framework
NCA ECC 2-5 voice network sub-controls in deliverable
Local engagements
Khobar contact-centre cut toll fraud exposure on 4 SIP trunks
Local pricing
SAR per-trunk VoIP pricing with VAT 15%
Compliance scoping
PCAPs sealed on KSA capture host

VoIP pentest questions from KSA voice teams.

Does the audit meet CITC class licensing rules?
Yes. Findings cite the CITC class licence duties that apply to VoIP providers. The compliance file reads cleaner at renewal.
Are NCA ECC 2-5 voice clauses evidenced?
Yes. SIP trunks, SBC ACLs, and call recording are tested against ECC 2-5 voice network rows. Each finding cites the sub-control.
Do you cover toll fraud and CLI spoofing?
Yes. We model real-world toll fraud against Saudi origination patterns. CLI spoofing risk on STC, Mobily, and Zain interconnects is checked.
How are call captures handled?
PCAPs and recordings stay on a KSA-region capture host. Any subscriber identifier is masked before transit during reporting.

Delivery in Saudi Arabia

VoIP testing for CITC licensing and NCA ECC 2-5.

SIP, RTP, and SBC findings cite CITC class licensing and NCA ECC 2-5 voice network rules. KSA-region capture storage with SAR pricing.

Direct line: +966-11-000-0000
Office: Riyadh, Saudi Arabia

Frameworks scoped: NCA ECC · SAMA CSF · PDPL · ISO/IEC 27001.

Sample VoIP pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working proof-of-call, code-level fix guidance for voice engineers. Sent on request after a 5-minute scoping call.