Wireless Penetration Testing
Your Wi-Fi signal does not stop at the walls, and neither does your audit liability. Whether you need a full wireless network penetration test or an initial Wi-Fi security audit, our CREST-certified testers conduct on-site testing across your UK locations to identify rogue devices, exploitable encryption, and guest isolation failures. We deliver fixed-scope, fixed-price engagements with auditor-ready reports built to satisfy ISO 27001, Cyber Essentials Plus, and PCI DSS requirements.
Why a Kismet scan is not a wireless pentest.
Running a wireless scanner inventories your SSIDs. It does not test Evil Twin resilience, crack handshakes, bypass 802.1X, or pivot from guest to corporate.
Wireless Risk Profile
Wireless attacks bypass your physical security and network firewalls. Compliance frameworks require evidence of testing.
To Crack WEP/WPA
Average time to compromise legacy wireless encryption, often still found in warehouse and retail environments.
Signal Bleed
Of corporate networks extend their signal into public areas: car parks, adjacent offices, or the street.
PCI DSS Wireless Requirement
Mandates quarterly wireless scans and penetration testing for organisations handling cardholder data. ISO 27001 A.13.1.1 applies to all certified organisations.
Controls
When Do Organisations Commission This Test?
Wireless penetration testing is typically triggered by one of these six scenarios. If any of these apply, you are in the right place.
Auditor Flagged Wireless Gap
Your ISO 27001, Cyber Essentials Plus, or PCI DSS auditor has cited the absence of wireless security testing evidence. You need a report before the next surveillance audit.
Unknown Device Detected
A rogue access point, unknown SSID, or unauthorised device has been found on your premises. You need a full sweep to confirm there are no others.
Previous Test Was a Box-Tick
Your last wireless pen test ran a scanner for an hour and produced a four-page report. You need a provider who tests 802.1X bypass, Evil Twin attacks, and guest isolation.
Office Move or New Site
You are moving office, expanding to new sites, or refreshing wireless hardware. You need to validate the new wireless environment before staff connect.
BYOD Policy Rollout
Personal devices are connecting to corporate SSIDs. You need to verify that NAC controls, VLAN isolation, and supplicant configurations prevent credential leakage.
Cyber Insurance Renewal
Your cyber insurance renewal questionnaire asks for evidence of wireless security testing. Our report provides the third-party validation underwriters require.
Wireless Audit Methodology: Beyond the Scanner
From signal bleed to 802.1X bypass, our wireless penetration testing methodology covers every attack vector an adversary could exploit to gain entry over the air. Our testers carry dedicated wireless hardware (directional antennas, specialist adapters, and GPU cracking infrastructure) that most internal IT teams do not maintain.
Rogue Access Point Detection
We physically sweep your premises and parking areas for unauthorised access points, rogue wireless bridges, and Evil Twin and Karma-attack networks. Identified devices are located to the nearest port and network segment for immediate containment.
Guest Network Isolation
We verify that guest SSID VLAN tagging, firewall ACLs, and client isolation policies prevent lateral movement to your corporate segment. A successful pivot from guest to internal is a critical finding under PCI DSS 11.1 and Cyber Essentials Plus.
WPA2/WPA3 Handshake Capture
We capture WPA2 4-way handshakes and PMKID hashes using targeted de-authentication frames, then crack them offline using GPU-accelerated hashcat with dictionary and rule-based augmentation. WPA3 SAE resistance is also assessed where deployed.
Enterprise 802.1X Bypass
We test WPA2-Enterprise environments for RADIUS server spoofing, EAP-GTC downgrade attacks, PEAP certificate validation failures, and EAP-TLS client certificate weaknesses. A misconfigured supplicant can hand an attacker your Active Directory credentials before you receive a connection log entry.
BYOD and NAC Bypass
We assess whether unmanaged devices can connect to corporate SSIDs by testing MAC-based NAC bypass and 802.1X supplicant misconfigurations. We also evaluate whether BYOD devices exposed to an Evil Twin attack would yield corporate credentials, email tokens, or VPN session cookies.
RF Heatmap and Signal Bleed Report
A risk-rated findings report including an RF heatmap of signal bleed beyond your building perimeter, an auditor-ready executive summary, and a prioritised remediation plan with tracked guidance for your ISO 27001 or PCI DSS evidence pack.
The Wireless Audit
A structured four-phase wireless audit following OSSTMM and PTES guidelines to lock down your radio frequency footprint.
Signal Reconnaissance
We map your full wireless footprint, identifying all SSIDs, hidden networks, BSSID addresses, and overlapping channels across your estate. Our wireless audit begins with passive reconnaissance to avoid alerting network monitoring systems.
Attack and Exploitation
We launch active attacks: de-authentication frames to capture handshakes, GPU-accelerated offline cracking, Evil Twin spoofing to harvest credentials, and 802.1X downgrade attempts against enterprise networks.
Segmentation Testing
If we gain wireless access, we attempt to pivot into your internal infrastructure. We test whether a compromised Wi-Fi device can reach domain controllers, file servers, or executive endpoints.
Reporting
We deliver a risk-rated findings report within five working days of on-site completion, including an RF heatmap of signal bleed, an auditor-ready executive summary, and a prioritised remediation plan with tracked remediation guidance for your ISO 27001 or PCI DSS evidence pack.
What You Get
Every wireless penetration test includes the following deliverables, formatted for auditor review, board presentation, and cyber insurance submission.
Reports are delivered within five working days of on-site completion via encrypted portal. Available in PDF and DOCX formats.
Transparent pricing.
Fixed-price quotes after a free scoping call. No day-rate surprises.
Remote Drop-Box Testing
Pre-configured device shipped to your site, remote audit
Single-Site On-Site
Full on-site testing: rogue AP sweep, encryption, 802.1X, guest isolation
Multi-Site / Campus
Multiple locations, large campus environments, warehouses
Close the Loop. After the Test.
Wireless testing validates your Wi-Fi perimeter today. These services extend protection continuously: testing the internal network behind the wireless, validating segmentation between zones, and monitoring for rogue devices on an ongoing basis.
Internal Network Pentest
Test the systems behind your wireless network for vulnerabilities and lateral movement paths.
Segmentation Testing
Verify VLAN isolation between guest, corporate, and production zones.
Phishing Simulation
Test whether employees would surrender credentials to an Evil Twin or rogue captive portal.
24/7 SOC Monitoring
Continuous monitoring for rogue access points, deauthentication attacks, and wireless anomalies.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Wireless penetration testing starts from £2,500 for remote drop-box testing and typically costs between £3,000 and £7,000 for on-site engagements depending on site size, number of locations, and testing scope. A single-site wireless assessment for a standard office (1-3 floors, corporate and guest networks) averages £3,000 to £4,500 for 1-2 days of on-site testing covering rogue AP detection, encryption cracking attempts, guest isolation validation, and WPA2-Enterprise bypass testing. Multi-site assessments or large campus environments typically cost £5,000 to £7,000 or more. We provide fixed-price quotes after understanding your wireless footprint and testing objectives.
Yes, typically. Effective wireless testing requires physical proximity to capture signals. However, for remote offices, we can ship a pre-configured drop-box device that you plug in, allowing us to audit the wireless environment remotely from £2,500 per location.
We perform de-authentication attacks to capture handshakes, which technically disconnects a user for a fraction of a second. This is usually unnoticeable, but we can schedule active attacks outside of business hours to guarantee zero disruption.
Not necessarily. Misconfigured 802.1X settings on client devices can allow attackers to spoof your RADIUS server and steal Active Directory credentials through EAP-GTC downgrade or PEAP certificate validation failures. We specifically test for these attack vectors across all supported EAP methods.
Yes. Identifying unauthorised devices, including routers plugged into network ports under desks or Evil Twin access points in car parks, is a core part of our methodology. These shadow IT devices often bypass all firewall rules and corporate monitoring.
A wireless audit (or Wi-Fi security audit) is a configuration and inventory review. We identify all access points, check encryption settings, review SSID configurations, and flag misconfigurations. A wireless penetration test goes further: we actively attempt to exploit the weaknesses we find. We launch Evil Twin attacks, attempt to crack handshakes, test 802.1X bypass, and try to pivot from the wireless network into your internal infrastructure. Most compliance frameworks (ISO 27001, PCI DSS 11.1, Cyber Essentials Plus) require a penetration test, not just a configuration audit. We can advise on which engagement is appropriate for your requirements.
Our wireless penetration tests cover: passive signal reconnaissance (all SSIDs, hidden networks, BSSID mapping); active rogue access point and Evil Twin detection; WPA2-PSK handshake capture and GPU-accelerated offline cracking; PMKID attack assessment; WPA2-Enterprise 802.1X testing including PEAP certificate spoofing, EAP-GTC downgrade, and RADIUS impersonation; guest network VLAN isolation validation; BYOD and NAC bypass testing; de-authentication frame testing; and post-access segmentation testing to assess internal pivot potential. Testing follows OSSTMM Section 10 and PTES wireless module guidelines. A full scope document is available on request.
Annually as a minimum for most organisations. PCI DSS 11.1 requires quarterly wireless scans and an annual penetration test for cardholder data environments. ISO 27001 recommends testing after any significant change to your wireless infrastructure, including new access points, new sites, or network segmentation changes. We recommend testing after office moves, hardware refresh cycles, or any merger or acquisition that adds new wireless infrastructure to your estate. Multi-year agreements are available at a fixed annual rate.



