VoIP penetration testing
Find what a port scan never places.
SIP REGISTER hijacking, RTP eavesdropping, SDP injection, IAX2 brute force, voice-VLAN hopping, Asterisk AMI exposure, and PSTN-trunk toll fraud, tested by hand against your PBX, SBC, and signalling stack. Every finding lands with a recorded call, the replayed media, and the dialplan diff your engineers can ship.
Four planes
Signalling · Media · PBX · Edge, one method, four layers of the stack.
Proof of call
Every finding ships with a recorded call, replayed RTP, or a fraudulent toll-out.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure
On record
Why an open port isn't a placed call
An open port is not a placed call.
A scanner reports SIP/5060 listening, AMI reachable, SRTP optional. SecureLayer7's operators take it further, register a phantom extension, hijack the next inbound call, decode the RTP stream, and run a fraudulent toll-out across your PSTN trunk. Every finding ships with the recorded call, the replayed media, and the dialplan or SBC diff your team can deploy.
IN SCOPE.
What lands in a VoIP engagement.
REGISTER abuse, INVITE flooding, identity spoofing, dial-plan injection, REFER abuse for toll fraud.
RTP injection, eavesdropping where SRTP isn't enforced, codec-conversion abuse on media gateways.
Default credentials, admin-interface exposure, trunk-side trust, CDR tampering, voicemail PIN brute force.
Trunk-side abuse, caller-ID spoofing past STIR/SHAKEN gaps, premium-rate fraud paths, peering trust.
What we test ,
Four planes of the call. One engagement.
Each layer gets a manual, threat-modelled review against its real attack surface, signalling, media, infrastructure, and the trunk edge. Intensity tunes per scope.
Signalling, SIP / SDP
REGISTER hijacking, INVITE flooding, BYE/CANCEL race conditions, SDP rewriting, ALG bypass, digest-auth replay, contact-header rewrite, and presence-leak via SUBSCRIBE/NOTIFY.
Media, RTP / SRTP
RTP eavesdropping, ZRTP/SRTP downgrade, DTMF injection, codec confusion, replay across the media stream, comfort-noise abuse, and media-relay bypass.
Infrastructure, PBX core
Asterisk AMI/CLI exposure, FreeSWITCH event-socket misconfiguration, Cisco CUCM AXL credential leak, dialplan logic abuse, voicemail PIN brute force, IVR fingerprinting and option escape.
Edge, SBC + SIP trunk
SBC peering misconfiguration, voice-VLAN hopping, SIP trunk toll fraud, IAX2 brute force, NAT/ALG traversal abuse, peer-spoofed call replays, and geo-routing rule override.
VOIP METHODOLOGY.
Eight phases. Dial plan to media stream.
Threat-modelled to your dial plan, trunk peering, and PBX topology. Not a template we run against every voice network.
Scope & threat-model
Inventory of extensions, trunks, codecs, voicemail, and IVR is agreed before any signalling is touched. In-scope numbers and call windows defined in writing.
Recon & enumeration
SIP scanning (svmap, svwar, svcrack), extension enumeration via REGISTER and INVITE responses, codec offer probing, ALG fingerprinting, IAX2 discovery, exposed AMI or HTTP admin.
Signalling exploitation
REGISTER hijacking, contact-header rewrite, BYE or CANCEL race, INVITE replay across digest auth, SDP rewriting, dialog-ID prediction, ALG bypass. Exercised to call control.
Media exploitation
RTP capture and decode, SRTP or ZRTP downgrade where the offer permits, DTMF injection, codec mismatch leading to garbled-then-replayed audio, comfort-noise abuse.
Infrastructure exploitation
Asterisk AMI privilege escalation, FreeSWITCH event-socket abuse, CUCM AXL credential reuse, dialplan injection, voicemail PIN brute force, IVR option escape.
Toll-fraud & trunk abuse
Outbound toll fraud across the PSTN trunk, premium-rate dialing, peer-spoofed call replays, geo-routing override. Measured to a billed call.
Remediation guidance
Asterisk pjsip.conf snippets, CUCM partition diffs, SBC ACLs, dialplan rewrites, ZRTP-mandatory configurations, AMI or HTTP admin lockdown. Written for voice engineers, not auditors.
Patch verification
Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each call path is closed.
Insights
VoIP security Resources.
SIP/RTP write-ups: registration hijack, billing fraud paths, and the VoIP-side bugs we find in carrier and enterprise PBX gear.
Meet our expert
One lead across signaling and media planes.
John Dill
vCISO at SecureLayer7
15+
Years in offensive security
150+
Engagements led to date
99.99%
On-time engagement delivery
John scopes VoIP and telecom engagements against your dial plan, trunk peering, and PBX topology. He guides the pod from kick-off through final report and re-test.
- Scopes Asterisk, FreeSWITCH, CUCM, and SBC engagements against your real call paths.
- Owns kick-off, mid-engagement check-ins, and live walkthrough of every recorded call.
- Drives remediation review and re-test until every signalling and media finding is closed.
Ready to scope a VoIP pentest? Book 30 minutes with John to walk through your dial plan, trunk peering, and timeline.
Book a 30-min callTested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
FinTech
Banking IVR, fraud-team voice infrastructure, recording-and-retention chains.
Built for United States engagements
What changes when we deliver here.
Compliance scoping
STIR/SHAKEN A/B/C attestation chain review per outbound flow.
Regulatory framework
TCPA §227(b) exposure flagged per autodialer path.
Local engagements
Healthcare BPO closed HIPAA §164.312(e) gap on SRTP keys.
Local pricing
USD per-trunk pricing, no surcharge for multi-vendor scope.
Compliance scoping
FCC Robocall Mitigation Database posture review included.
Questions US VoIP and contact-center teams ask first.
Will you check STIR/SHAKEN attestation on our outbound calls?
Yes. A/B/C attestation tagging, certificate-chain validity and Robocall Mitigation Database posture are part of the default scope.
How do you frame TCPA risk for autodialer flows?
Findings flag any flow that could become a TCPA §227(b) automated call without consent capture. Telephony counsel reuses the language.
Do you cover HIPAA §164.312 on healthcare voice?
Yes. SRTP key handling, call recording at rest and provider-portal access are mapped to §164.312(a)(2)(iv) and §164.312(e).
Can you test Zoom Phone, Genesys and Twilio in one engagement?
Yes. SIP trunk, WebRTC stack and provider portals are tested together. Findings tagged per vendor for ownership.
Delivery in United States
STIR/SHAKEN attestation. TCPA. HIPAA voice.
SIP, WebRTC and SRTP tested for toll fraud, eavesdropping and call-spoofing. Findings frame TCPA exposure for outbound dialers and HIPAA §164.312 controls for healthcare voice traffic.
- Direct line
- +1-512-643-7291
- Office
- Austin, TX, United States
Frameworks scoped: SOC 2 · HIPAA · PCI DSS · NIST CSF · FedRAMP · CMMC.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: full vulnerability narrative, working proof-of-call, code-level fix guidance for voice engineers. Sent on request after a 5-minute scoping call.