VoIP penetration testing

Find what a port scan never places.

SIP REGISTER hijacking, RTP eavesdropping, SDP injection, IAX2 brute force, voice-VLAN hopping, Asterisk AMI exposure, and PSTN-trunk toll fraud, tested by hand against your PBX, SBC, and signalling stack. Every finding lands with a recorded call, the replayed media, and the dialplan diff your engineers can ship.

Four VoIP planes (SIP, RTP, PBX, SBC) converging on one proof-of-call card. The RTP plane is highlighted as the exploited media path.

Four planes

Signalling · Media · PBX · Edge: one method, four layers of the stack.

Proof of call

Every finding ships with a recorded call, replayed RTP, or a fraudulent toll-out.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • AICPA SOC 2 Type II
  • ISO/IEC 27001

Why an open port isn't a placed call

An open port is not a placed call.

A scanner reports SIP/5060 listening, AMI reachable, SRTP optional. SecureLayer7's operators take it further: they register a phantom extension, hijack the next inbound call, decode the RTP stream, and run a fraudulent toll-out across your PSTN trunk. Every finding ships with the recorded call, the replayed media, and the dialplan or SBC diff your team can deploy.

Two columns. Scanner findings on the left escalate to proven exploits on the right: SIP open to REGISTER hijack, SRTP optional to RTP intercept, AMI reachable to PBX takeover, trunk ACL wide to toll fraud.

IN SCOPE.

What lands in a VoIP engagement.

SIGNALLING
SIP + H.323

REGISTER abuse, INVITE flooding, identity spoofing, dial-plan injection, REFER abuse for toll fraud.

MEDIA
RTP + SRTP

RTP injection, eavesdropping where SRTP isn't enforced, codec-conversion abuse on media gateways.

INFRASTRUCTURE
PBX + SBC

Default credentials, admin-interface exposure, trunk-side trust, CDR tampering, voicemail PIN brute force.

INTERCONNECT
Carrier trust

Trunk-side abuse, caller-ID spoofing past STIR/SHAKEN gaps, premium-rate fraud paths, peering trust.

What we test

Four planes of the call. One engagement.

Each layer gets a manual, threat-modelled review against its real attack surface: signalling, media, infrastructure, and the trunk edge. Intensity tunes per scope.

Signalling, SIP / SDP

REGISTER hijacking, INVITE flooding, BYE/CANCEL race conditions, SDP rewriting, ALG bypass, digest-auth replay, contact-header rewrite, and presence-leak via SUBSCRIBE/NOTIFY.

Media, RTP / SRTP

RTP eavesdropping, ZRTP/SRTP downgrade, DTMF injection, codec confusion, replay across the media stream, comfort-noise abuse, and media-relay bypass.

Infrastructure, PBX core

Asterisk AMI/CLI exposure, FreeSWITCH event-socket misconfiguration, Cisco CUCM AXL credential leak, dialplan logic abuse, voicemail PIN brute force, IVR fingerprinting and option escape.

Edge, SBC + SIP trunk

SBC peering misconfiguration, voice-VLAN hopping, SIP trunk toll fraud, IAX2 brute force, NAT/ALG traversal abuse, peer-spoofed call replays, and geo-routing rule override.

VOIP METHODOLOGY.

Eight phases. Dial plan to media stream.

Threat-modelled to your dial plan, trunk peering, and PBX topology. Not a template we run against every voice network.

01

Scope & threat-model

Inventory of extensions, trunks, codecs, voicemail, and IVR is agreed before any signalling is touched. In-scope numbers and call windows defined in writing.

02

Recon & enumeration

SIP scanning (svmap, svwar, svcrack), extension enumeration via REGISTER and INVITE responses, codec offer probing, ALG fingerprinting, IAX2 discovery, exposed AMI or HTTP admin.

03

Signalling exploitation

REGISTER hijacking, contact-header rewrite, BYE or CANCEL race, INVITE replay across digest auth, SDP rewriting, dialog-ID prediction, ALG bypass. Exercised to call control.

04

Media exploitation

RTP capture and decode, SRTP or ZRTP downgrade where the offer permits, DTMF injection, codec mismatch leading to garbled-then-replayed audio, comfort-noise abuse.

05

Infrastructure exploitation

Asterisk AMI privilege escalation, FreeSWITCH event-socket abuse, CUCM AXL credential reuse, dialplan injection, voicemail PIN brute force, IVR option escape.

06

Toll-fraud & trunk abuse

Outbound toll fraud across the PSTN trunk, premium-rate dialing, peer-spoofed call replays, geo-routing override. Measured to a billed call.

07

Remediation guidance

Asterisk pjsip.conf snippets, CUCM partition diffs, SBC ACLs, dialplan rewrites, ZRTP-mandatory configurations, AMI or HTTP admin lockdown. Written for voice engineers, not auditors.

08

Patch verification

Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each call path is closed.

Meet our expert

One lead across signalling and media planes.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes VoIP and telecom engagements against your dial plan, trunk peering, and PBX topology. He guides the pod from kick-off through final report and re-test.

  • Scopes Asterisk, FreeSWITCH, CUCM, and SBC engagements against your real call paths.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every recorded call.
  • Drives remediation review and re-test until every signalling and media finding is closed.
SL7 Lab. Published CVE research.

Ready to scope a VoIP pentest? Book 30 minutes with John to walk through your dial plan, trunk peering, and timeline.


Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Retail

Contact-center voice infrastructure, IVR, customer-PII voice paths.

Tech SaaS

SaaS-embedded voice (CCaaS), WebRTC SIP gateways, SBC boundaries.

FinTech

Banking IVR, fraud-team voice infrastructure, recording-and-retention chains.

Built for United Kingdom engagements

What changes when we deliver here.

  • Compliance scoping

    NICC ND 1438 paragraph mapping per VoIP finding

  • Regulatory framework

    UK TSA 2021 Code of Practice signalling-integrity evidence

  • Local engagements

    London CCaaS firm cut toll-fraud risk after SBC pentest

  • Local pricing

    GBP per-SBC-pair fee, fixed at scoping

  • Compliance scoping

    NCSC Conferencing Services guidance mapping for Teams DR

VoIP testing, UK detail.

  • Do you test SBCs from the public side?

    Yes. AudioCodes, Oracle, Ribbon and FreeSWITCH. Toll-fraud, INVITE flood and DTMF-bypass paths, each cited to the relevant NICC ND 1438 paragraph.

  • What about Microsoft Teams Direct Routing?

    Yes. Direct Routing SBC, Teams policies and trunk-side abuse. Findings cite NCSC Conferencing Services guidance plus the SBC config control.

  • How does TSA 2021 apply to a UK CCaaS provider?

    Tier-2 or Tier-3 designation drives the scope. Code of Practice paragraphs on signalling integrity and supplier control mapped per finding.

  • Do you cover WebRTC?

    Yes. STUN/TURN, ICE and DTLS-SRTP. JavaScript SDK paths reviewed for token theft and meeting-replay.

Delivery in United Kingdom

VoIP pentest. NICC ND 1438 evidence.

SIP registration, RTP-injection and SBC findings cite NICC ND 1438 and the UK TSA 2021 Code of Practice. Carrier-grade and SMB stacks both covered.

Direct line
+44-20-0000-0000
Office
London, United Kingdom

Frameworks scoped: CREST · NCSC CAF · UK GDPR · PCI DSS · ISO/IEC 27001.

Sample VoIP pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working proof-of-call, code-level fix guidance for voice engineers. Sent on request after a 5-minute scoping call.