VoIP penetration testing
Find what a port scan never places.
SIP REGISTER hijacking, RTP eavesdropping, SDP injection, IAX2 brute force, voice-VLAN hopping, Asterisk AMI exposure, and PSTN-trunk toll fraud, tested by hand against your PBX, SBC, and signalling stack. Every finding lands with a recorded call, the replayed media, and the dialplan diff your engineers can ship.
Four planes
Signalling · Media · PBX · Edge, one method, four layers of the stack.
Proof of call
Every finding ships with a recorded call, replayed RTP, or a fraudulent toll-out.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
A SIP REGISTER reflection turns your PBX into a toll-fraud relay overnight.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure
On record
Why an open port isn't a placed call
An open port is not a placed call.
A scanner reports SIP/5060 listening, AMI reachable, SRTP optional. SecureLayer7's operators take it further, register a phantom extension, hijack the next inbound call, decode the RTP stream, and run a fraudulent toll-out across your PSTN trunk. Every finding ships with the recorded call, the replayed media, and the dialplan or SBC diff your team can deploy.
IN SCOPE.
What lands in a VoIP engagement.
REGISTER abuse, INVITE flooding, identity spoofing, dial-plan injection, REFER abuse for toll fraud.
RTP injection, eavesdropping where SRTP isn't enforced, codec-conversion abuse on media gateways.
Default credentials, admin-interface exposure, trunk-side trust, CDR tampering, voicemail PIN brute force.
Trunk-side abuse, caller-ID spoofing past STIR/SHAKEN gaps, premium-rate fraud paths, peering trust.
What we test ,
Four planes of the call. One engagement.
Each layer gets a manual, threat-modelled review against its real attack surface, signalling, media, infrastructure, and the trunk edge. Intensity tunes per scope.
Signalling, SIP / SDP
REGISTER hijacking, INVITE flooding, BYE/CANCEL race conditions, SDP rewriting, ALG bypass, digest-auth replay, contact-header rewrite, and presence-leak via SUBSCRIBE/NOTIFY.
Media, RTP / SRTP
RTP eavesdropping, ZRTP/SRTP downgrade, DTMF injection, codec confusion, replay across the media stream, comfort-noise abuse, and media-relay bypass.
Infrastructure, PBX core
Asterisk AMI/CLI exposure, FreeSWITCH event-socket misconfiguration, Cisco CUCM AXL credential leak, dialplan logic abuse, voicemail PIN brute force, IVR fingerprinting and option escape.
Edge, SBC + SIP trunk
SBC peering misconfiguration, voice-VLAN hopping, SIP trunk toll fraud, IAX2 brute force, NAT/ALG traversal abuse, peer-spoofed call replays, and geo-routing rule override.
VOIP METHODOLOGY.
Eight phases. Dial plan to media stream.
Threat-modelled to your dial plan, trunk peering, and PBX topology. Not a template we run against every voice network.
Scope & threat-model
Inventory of extensions, trunks, codecs, voicemail, and IVR is agreed before any signalling is touched. In-scope numbers and call windows defined in writing.
Recon & enumeration
SIP scanning (svmap, svwar, svcrack), extension enumeration via REGISTER and INVITE responses, codec offer probing, ALG fingerprinting, IAX2 discovery, exposed AMI or HTTP admin.
Signalling exploitation
REGISTER hijacking, contact-header rewrite, BYE or CANCEL race, INVITE replay across digest auth, SDP rewriting, dialog-ID prediction, ALG bypass. Exercised to call control.
Media exploitation
RTP capture and decode, SRTP or ZRTP downgrade where the offer permits, DTMF injection, codec mismatch leading to garbled-then-replayed audio, comfort-noise abuse.
Infrastructure exploitation
Asterisk AMI privilege escalation, FreeSWITCH event-socket abuse, CUCM AXL credential reuse, dialplan injection, voicemail PIN brute force, IVR option escape.
Toll-fraud & trunk abuse
Outbound toll fraud across the PSTN trunk, premium-rate dialing, peer-spoofed call replays, geo-routing override. Measured to a billed call.
Remediation guidance
Asterisk pjsip.conf snippets, CUCM partition diffs, SBC ACLs, dialplan rewrites, ZRTP-mandatory configurations, AMI or HTTP admin lockdown. Written for voice engineers, not auditors.
Patch verification
Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each call path is closed.
Insights
VoIP security Resources.
SIP/RTP write-ups: registration hijack, billing fraud paths, and the VoIP-side bugs we find in carrier and enterprise PBX gear.
Meet our expert
One lead across signaling and media planes.
John Dill
vCISO at SecureLayer7
15+
Years in offensive security
150+
Engagements led to date
99.99%
On-time engagement delivery
John scopes VoIP and telecom engagements against your dial plan, trunk peering, and PBX topology. He guides the pod from kick-off through final report and re-test.
- Scopes Asterisk, FreeSWITCH, CUCM, and SBC engagements against your real call paths.
- Owns kick-off, mid-engagement check-ins, and live walkthrough of every recorded call.
- Drives remediation review and re-test until every signalling and media finding is closed.
Ready to scope a VoIP pentest? Book 30 minutes with John to walk through your dial plan, trunk peering, and timeline.
Book a 30-min callTested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
FinTech
Banking IVR, fraud-team voice infrastructure, recording-and-retention chains.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: full vulnerability narrative, working proof-of-call, code-level fix guidance for voice engineers. Sent on request after a 5-minute scoping call.