Penetration Tests
We do what attackers do, before they do it.

Sundbybergs Stad is a growing municipality in the Stockholm region. As the city expands and its operations become more digital, the need for strong cybersecurity keeps growing. To stay ahead of both current and emerging threats, the city has committed to an ongoing collaboration with Cyloq, built around regular penetration tests, weekly vulnerability scans, and close strategic alignment.

A long-term partner who understands our IT environment

Before working with Cyloq, the city’s approach to security was more reactive than proactive. Tests and scans were run from time to time, but without a consistent structure. That’s something IT Security Strategist Klas Strömberg set out to change.  

Through a formal procurement process involving several vendors, Sundbybergs Stad chose Cyloq and signed a four-year contract covering penetration testing and vulnerability scanning.

“We wanted a long-term agreement so we could test continuously and adjust based on real-world threats,” says Klas. “That means we use different methods and different targets each time, and it’s always adapted to what’s most important right now.”

One of the biggest advantages of the long-term deal is that Cyloq now knows Sundbyberg’s IT environment inside and out. With ongoing dialogue between the teams, Cyloq can make proactive recommendations based on live threat intelligence, while Sundbyberg can request specific assessments tied to current needs.

“They understand our environment now and tailor suggestions based on real-world threats. That’s incredibly valuable.”

A smooth process and reports that drive action

You can’t test everything at once. You have to be intentional and focus on what matters most. Together with Cyloq, they agree on a scenario or an area to focus on for each test.

“We usually run it in two phases. First a broad mapping, then we regroup and decide what to drill deeper into.”

After each test, Cyloq delivers a detailed report.

“The reports are clear, well-structured, and easy to act on. They give us everything we need to fix and close off any identified vulnerabilities. Most of the time, our internal team handles the fixes, but Cyloq is always there when we need a hand.”

Today, Sundbybergs Stad runs two to three penetration tests per year, and weekly vulnerability scans to maintain constant visibility.

Fewer risks. Fewer unknowns.

The goal of the continuous testing was clear from the beginning: reduce risk, close gaps, and do it before someone else finds them. And it’s working.

“We’ve got fewer vulnerabilities in the environment, and that was the whole point. Cyloq helps us spot weak points early and fix them fast, before they turn into real problems.”

But the impact goes beyond technical fixes. The reports have also helped spark deeper internal conversations and increase security awareness among the internal IT staff.  

“Sometimes you need an external perspective. Otherwise, it’s too easy to go blind to your own assumptions.”

Cyloq delivers. And yes, Sundbyberg recommends them.

One of the biggest advantages of working with Cyloq, Klas says, is how responsive they are.

“If something comes up, we get immediate feedback. Cyloq is fast and incredibly easy to work with.”

So, would he recommend Cyloq to other organizations?

“Absolutely. They know what they’re doing, and they genuinely care about delivering great results. The personal connection and engagement we get from Cyloq is on a totally different level from what we’ve seen with larger vendors.”

‍

VX Fiber is an international broadband provider serving municipalities and enterprises that have their own fiber networks. With 80 employees and a rapidly growing infrastructure, cybersecurity has become a core priority. “Security is such a key issue now that it’s reported directly to the  board,” says Tim Cambrant, Chief Security Officer at VX Fiber.

Bringing in an external partner became essential

Before working with Cyloq, security at VX Fiber was handled by a capable internal team. But something was missing. “We had good processes and the right mindset. But we realized that customers and investors started to expect third-party validation.” Tim explains.

As the company scaled up, the stakes grew. “The more customers we serve, the more critical we become to society. Questions concerning security now come up in sales meetings. We need to be able to show that our structure actually holds up.”

Even with strong in-house talent, the team knew: no matter how well you think you're doing, you need someone from the outside to challenge your assumptions.

“We wanted a clear picture of where we stood and someone independent to back it up.”

When VX Fiber started looking for a security partner, they didn’t want a big-box consultancy. They wanted someone who was agile, responsive, and easy to work with.

“They weren’t like the big vendors. They were easy to get in contact with, they were small and adaptable, and clearly ready to do the actual work instead of trying to sell a massive package.” After an initial meeting, VX Fiber brought in Cyloq to run a penetration test.

Penetration tests are now part of the policy

Tim admits they initially weren’t sure how much Cyloq would find in just two weeks.

“We had people on standby, ready to help or answer questions. But Cyloq didn’t need much. They just went in and got to work.”

Two weeks later, Cyloq delivered their report. The results spoke for themselves.

“Honestly, we were surprised by how much they found. Of course you want them to find something, but you still hope it’s not much. They dug deep, they were thorough, and it felt like they put in more time than they billed for.”

The process was smooth and effective. “We explain what we want them to focus on, grant access to relevant systems, and they take it from there. If something critical shows up, they let us know right away. They also offer to explain the results and assist with the fixes”

VX Fiber has now worked with Cyloq on three separate penetration tests and has made it policy to run one at least once a year. Each test targets a different area of the business, and when everything’s been tested, they start over.

“It’s not a one-off. It’s a continuous process. We rotate areas and keep the cycle going.”

Clear results and a stronger security culture

“The biggest shift is clarity. We now have a clear picture of our vulnerability profile. Cyloq gave us that external stamp of approval, which matters to our customers, our board, and our investors.”

But the impact wasn’t just structural, Cyloq reshaped the company’s security culture. “We have a young development team. Working with Cyloq gave them a new level of respect for security. They’ve seen firsthand why external reviews matter.”

“It’s not enough to have in-house experts. We all have blind spots. This partnership has shown us that no matter how thorough we think we are, we’ve definitely missed something. It’s raised awareness that even the most experienced people can overlook critical details, and we always need someone else reviewing what we do.”

Advice for other companies looking to tighten up security

Tim’s first tip: start with an honest audit.

“What are you trying to protect? For most, it’s customer data. Then take a hard look at access controls and storage practices. Smaller companies often overlook simple things, and what leaks is usually a document stored in the wrong place.”

His second tip: don’t do it alone.

“Not every company can afford a large security team. But even if you manage IT yourself, you need a third party to identify and close security gaps.”

Would they recommend Cyloq? No hesitation.

When asked if they would recommend Cyloq to others, the answer is clear:  

“Definitely. They’re easy to work with, they’re fast, flexible, and knowledgeable. They deliver value and make our security efforts easier.”

“We see no reason to switch – or even supplement – with anyone else. So far, we haven’t given them a challenge they couldn’t handle.”

Want us to find the vulnerabilities you didn’t know were there?

Book a meeting

‍

Stravito is an AI-powered insights platform that helps global enterprises centralize and organize their market and consumer data to drive better, data-informed decisions.

“We’re an AI company with strict security demands and as a SaaS provider, external validation is essential,” says Marcus Södervall, Head of Trust at Stravito.

A different experience from previous penetration tests

Stravito reached out to Cyloq in the summer of 2023 after a client requested a penetration test.  

“We’d avoided traditional pentests in the past. Frankly, we never saw much value in the results. Instead, we’ve been running a bug bounty program as our ongoing testing method. But when a customer specifically asked for a formal test, we figured we’d give it a go.”

Marcus admits expectations were low, but the outcome turned out to be more valuable than anticipated.

“We were pleasantly surprised. Cyloq found several issues that hadn’t been caught by previous tests or our bug bounty program. So yeah, we were really happy with the results.”

The process was fast and efficient. Cyloq worked within a defined timeline, delivered a clear report, and outlined practical fixes the team could implement themselves – which they did.

“It was fast, frictionless, and communication was easy. Everyone at Cyloq was great to work with. They were professional and straight to the point. Compared to past penetration tests we’ve done, both the expertise and final report were at a completely different level.”

Red Teaming: Attacking the company on all fronts

After the success of the penetration test, Stravito decided to move forward with a full red teaming operation – a broader simulation where the attacker can come at the company from any angle.

“We told Cyloq what absolutely couldn’t end up in the wrong hands and asked them to go after it, using whatever means they had.”

Just like before, Cyloq kept communication clear, understood the assignment right away, and maintained alignment throughout the engagement. They kept a tight feedback loop during the test and wrapped up with a well-structured report outlining what worked, what didn’t, and what could be improved.

“It took longer and was more comprehensive than a standard test, but it was incredibly valuable. Both for the security team and the entire organization.”

“Everyone should experience a planned attack”

The red teaming exercise led to immediate changes across the business.

“We’ve already made several improvements based on Cyloq’s findings. This partnership has made us better prepared, no doubt about it.”

But the real value wasn’t just technical. The simulation had a tangible impact on awareness across the company.

“It really raised the bar. Our employees now understand how attacks actually play out and what they personally need to pay attention to. If you haven’t gone through a red teaming exercise, you should. Everyone benefits from experiencing what a real-world attack looks like and how people respond.”

One of the key takeaways Marcus emphasizes is how attackers often don’t go through firewalls - they go through people.

“If someone’s going to breach you, chances are they’ll go through an employee. So we have to support our people and give them the tools to maintain good cyber hygiene.”

A long-term partner for Stravito

With two successful projects, Stravito plans to keep working with Cyloq.

“We’ll definitely keep testing with them. We’re also looking at bringing them in to break down the AI features in our platform, and we’ll likely ask them to run a security training session for our developers too.”

Cyloq hasn’t just delivered solid results, they’ve helped raise the security bar for the whole organization. For Marcus, recommending them is a no-brainer:

“Absolutely. They’re straightforward, easy to work with, and they know what they’re doing. Zero fluff, just real results.”

‍

Marginalen Bank is a Swedish bank that offers a broad portfolio of financial services. But as a smaller player in a tightly regulated market, the bar for cybersecurity is set especially high. “We’re a financial company with a wide range of products, which brings unique security challenges,” says Yngve Swanström, Head of Security at Marginalen Bank.

A long-term partnership from day one

Security is a core pillar of operations at Marginalen Bank, and they have worked with Cyloq ever since Cyloq was founded in 2022. Before Cyloq, the bank had worked with various providers. That’s when they came across Andreas and Sam and were immediately impressed by their skills. So when those two went on to start Cyloq, continuing the collaboration was an easy decision.  

“We rely on Cyloq for both penetration tests and security training, and we plan to keep it that way.”

Marginalen Bank has a clear policy. The security in the systems needs to be tested often and thoroughly. The bank conducts multiple penetration tests each year to make sure every system holds up at all times. But the partnership with Cyloq goes beyond just technical expertise.

“It’s not just about the results, they’re also flexible, responsive, and adapt to how we work. That matters just as much.”

A process that runs itself

Every engagement starts with a clear scoping session involving Cyloq, the security team, and project stakeholders. Thanks to the ongoing collaboration, Cyloq already has access to much of what they need to get going right away.

“They’re self-sufficient from the start. They know what’s expected and what we need. Full credit to them.”

Cyloq gets access to the right accounts and systems, runs the test quickly and effectively, and delivers a clear final report with concrete, prioritized recommendations.

“We handle most of the fixes in-house, but Cyloq is always there as a sounding board if we need to talk things through. That makes them a great partner too.”

Beyond testing, Cyloq also runs developer training sessions for Marginalen Bank’s tech teams.

“The trainings are always well received. Practical, straightforward, and easy to apply. We’ve got another one coming up soon.”

Currently, Marginalen Bank runs about ten penetration tests per year, along with regular training sessions. Looking ahead, they’re also planning to bring Cyloq in for a red teaming exercise.

Would they recommend Cyloq? No doubt about it.

Even after years of working together, Cyloq keeps raising the bar.

“They deliver beyond expectations, every time. They’re fast, thorough, and really easy to work with. It’s a partnership that just works.”

With Marginalen Bank’s agile way of working, tight timelines and fast-changing priorities, Cyloq has proven time and again that they can keep pace and stay in sync.

“We highly recommend Cyloq. They’re responsive, deliver top-tier quality, and are incredibly easy to collaborate with.”

‍