We test what is otherwise not tested.

Independent, proactive cyber security testing - for a secure digital Switzerland.

The National Test Institute for Cybersecurity NTC is an independent, non-profit organization serving the public. As a neutral entity, we proactively identify critical vulnerabilities and specifically promote their remediation.

In doing so, we are closing a critical gap and strengthening Switzerland's digital resilience.

More information about the NTC

Tests at the NTC

Tests on behalf of critical infrastructure operators and public authorities

The NTC conducts tests on behalf of critical infrastructure operators, public authorities, the police and the army when the highest level of independence and objectivity is required. Our tests are carried out according to transparent guidelines, free from any influence from product manufacturers, service providers or political interests. Examples include security tests of e-government applications, critical control systems, and cross-agency platforms.

The scope, depth and schedule of the testing process are determined in collaboration with the contractor. Tests are only carried out with the consent of those directly involved. The contractor receives a final test report documenting all identified vulnerabilities, assessments and specific recommendations for action. Upon request, the NTC provides support with responsible disclosure.

Our test methodology

What we test

The NTC examines digital products and connected infrastructures that are highly relevant to the economy and society, especially those that are not adequately tested due to a lack of incentives or legal obligations.

The NTC systematically analyzes connected systems and infrastructures, including hardware components, web and mobile applications, cloud environments, industrial control systems, Internet of Things (IoT) devices, and complex critical infrastructures. Using modern attack methods, the NTC identifies vulnerabilities in hardware and software at an early stage and minimizes risks.

The NTC does not conduct testing on behalf of product suppliers, manufacturers, or private-sector service providers.
How we test

The NTC tests independently and free from the influence of manufacturers, service providers, or politics. The NTC proactively identifies risks associated with new technologies and supports efforts to address them.
Why we do not certify

Instead of issuing certificates or labels that are only valid for a limited time, the NTC provides transparent test reports that document the test results and date. These reports provide a reliable basis for informed security decisions.
Why we analyze systems holistically

The in-depth security analyses performed at the NTC go beyond technical tests. More comprehensive analyses take into account not only technical vulnerabilities, but also insecure configurations, processes, and organizational aspects.
How we support the remediation of vulnerabilities

The NTC actively supports the remediation and validation of vulnerabilities to achieve sustainable security improvements. Ideally, the NTC accompanies the process by providing technical support, reviewing drafts, and performing retests. This helps implement effective protective measures and avoid long-term follow-up risks.
How we accommodate urgent testing requests

Timely results are important when it comes to urgent testing requests. Since a significant share of security analyses are initiated by the NTC, meeting deadlines does not depend on external contractors. This flexibility allows us to prioritize urgent projects and complete them in a timely manner.
Why our work is recognized

In December 2024, the Swiss Federal Parliament adopted the motion Durchführung dringend notwendiger Cybersicherheitsprüfungen (Conducting urgently needed cybersecurity tests), recognizing the importance of independent security testing.

The NTC is actively contributing to the implementation of the National Cyber Strategy (NCS), particularly measures M4, "Analysis of trends, risks, and dependencies", and M5, "Identifying and preventing vulnerabilities". These contributions are highlighted in the latest report on the implementation of the National Cyber Strategy (NCS) from May 2025.

To further understand trends, risks and dependencies at an early stage, the National Test Institute for Cybersecurity NTC analyses digital technologies and developments. For example, the NTC has analyzed potential risks in connection with Europe's system dependencies and commonly used Apps including Temu and TikTok (in consultation with the NCSC) and issued specific recommendations for action.
With its work, NTC contributes to strategic resilience decisions, strengthens Switzerland's expertise and raises awareness of technological trends.

National Cyber Security Centre (NCSC)

More information in the FAQ

Our test fields

Application Penetration Testing

Security testing of applications – whether web and mobile applications, desktop applications or APIs – including code review and in accordance with recognized standards such as OWASP ASVS.

Mobile Application Penetration Testing

Security testing of mobile applications for Android and iOS according to recognized standards such as OWASP MASVS.

Security Testing of IoT and OT Systems

Assessment of connected devices (Internet of Things) and industrial control systems (ICS/SCADA/DCS) in accordance with standards such as IEC 62443.

Testing of Hardware Components

Analysis of physical devices and embedded systems such as control units, sensors, and chips. This also includes reading out and reverse engineering firmware images or firmware files as well as attacks on debugging or other internal interfaces. Standards such as EN 18031 are taken into account.

Cloud-Security Assessment

Assessments of cloud environments and SaaS platforms for misconfigurations, insufficient access controls, or vulnerabilities in hybrid cloud scenarios. These can be cloud environments from hyperscalers such as Azure, AWS, or GCP, but also those from local IT service providers. Recommendations such as CIS benchmarks are taken into account.

Security Analysis of Open Source Software

Testing of open source software and libraries that are widely used and relevant in Switzerland. The aim is to identify critical vulnerabilities such as those that occurred in Log4j in 2021 or backdoors such as those discovered in XZ Utils in 2024.

Network and Security Infrastructure Assessments

Analysis of network infrastructures—including firewalls, VPNs, routers, WLAN networks, and basic services such as DNS, email, and VoIP—to identify configuration errors, protocol weaknesses, or inadequate segmentation.

Client/Server Infrastructure Assessments

Security assessments of clients (e.g., Windows, Linux, Android, iOS, VDI), servers (e.g., Windows, Unix), virtualization solutions (e.g., VMware, Hyper-V), and container technologies (e.g., Docker).

Analysis of New Technologies (e.g., AI Systems)

Analyzing emerging technologies such as AI and machine learning systems, charging infrastructure for electric mobility, smart grids with regard to the expansion of renewable energies, and quantum computers in order to identify vulnerabilities and raise awareness of new risks for Swiss society.

Legal context and responsible disclosure

Legal integrity

Security tests in third-party systems are carried out with the consent of the responsible parties and in accordance with the applicable legal framework in Switzerland.

Responsible disclosure of vulnerabilities

Confidential notification: To enable a rapid remediation, vulnerabilities are initially reported confidentially to the manufacturer or operator.
Public disclosure: In consultation with the testing partners and upon expiry of a reasonable time period, the test results may be published. This intends to indicate typical vulnerability patterns and enable early warning in the event of unresolved or delayed remediation.

Vulnerability Disclosure Policy