WiFi security audit for businesses
Your WiFi is a door you can't see.
We audit your wireless networks the way an attacker would from the car park: encryption, credentials, rogue access points and guest-network isolation.
The blind spot in the attack surface
Firewalls and EDR get the budget, but the network that broadcasts beyond your walls usually goes unchecked.
Physical range
The signal doesn't stop at the door. An attacker can hit your network from the street, the car park or the unit next door, without ever setting foot inside.
Invisible impersonation
Rogue access points (evil twin, rogue AP) capture credentials without the user noticing a thing. Devices connect on their own to the known network.
Fictional segmentation
The guest and IoT networks are rarely as isolated as assumed. From a printer or a meeting-room tablet you reach further than expected.
How we audit your wireless network
Spectrum reconnaissance
Mapping every network and access point in scope, identifying hidden SSIDs, channels, encryption protocols and connected devices.
Configuration and encryption analysis
Review of the real operating mode (WPA2/WPA3, PSK vs 802.1X/EAP), credential strength and WiFi controller policies.
Controlled attacks
Handshake capture, dictionary attacks, evil twin and rogue AP, deauthentication attacks and captive-portal validation, within agreed rules of engagement.
Segmentation validation
Checking isolation between guest, corporate, IoT and management networks: what can actually be reached from each segment.
Report and remediation
Risk-prioritised findings with evidence, concrete recommendations and a follow-up retest to confirm closure.
What we test
Reading the controller config is not enough. We reproduce the techniques an attacker would use against your wireless network, under real conditions and within agreed rules of engagement.
Encryption and protocols
We assess the real operating mode: WPA2, WPA3 and WPA3-Transition, which reintroduces WPA2 weaknesses whenever it has to coexist with older clients. On corporate networks we review WPA-Enterprise with 802.1X/EAP and its variants — PEAP, EAP-TLS and EAP-TTLS — where RADIUS server-certificate validation is usually the soft spot.
Handshake and PMKID capture and cracking
We capture the 4-way handshake and, where the access point allows it, the PMKID with no connected clients required. With that material we run offline dictionary and mask attacks to measure how strong the PSK passwords really are. It is the most direct way to know whether one weak credential opens the whole network.
Evil twin and rogue AP
We stand up rogue access points that impersonate the corporate SSID to see whether devices connect on their own and hand over credentials. We also hunt for rogue APs already sitting in your premises: unauthorised access points someone plugged in off the books, quietly widening the attack surface.
Deauthentication and KARMA
We test deauthentication attacks to force reconnections and capture handshakes, and KARMA-style techniques, where a malicious AP answers the networks devices automatically probe for. That tells us how quickly an attacker can get a legitimate client talking to their kit instead of yours.
Captive portals and WPS
We probe the guest network captive portal for bypasses, pre-authentication traffic leaks and portal spoofing. We check whether WPS is still enabled: its PIN is vulnerable to brute-force attacks that can hand over the network key in a matter of hours.
Client isolation and hidden networks
We check whether client isolation is genuinely enforced or whether one device can reach another on the same SSID. And we surface hidden networks: hiding an SSID is not a security control, only a way to make it less visible, and a single connected client is enough to reveal it. Obscurity gets mistaken for protection far too often.
When you need one
There are moments and contexts where the wireless vector stops being a theoretical risk and becomes a concrete priority.
New offices or sites
Every move or opening rebuilds the network from scratch, often in a hurry and on default settings. It is the ideal moment to validate the rollout before it settles into insecure configurations that are hard to undo later.
A live guest network
If you offer WiFi to visitors, suppliers or clients, you need to confirm that segment cannot reach the corporate network. The convenience of an open or semi-open network frequently becomes the first way in.
PCI DSS or ENS compliance
Frameworks like PCI DSS require periodic testing for unauthorised access points, and Spain's ENS scheme demands control over wireless access. A documented audit gives auditors the evidence they ask for.
After an incident
If you have suffered a breach or a leak and do not know how the attacker got in, WiFi is one of the vectors to rule out. A rogue AP or a weak credential can be the door nobody checked.
Lots of IoT devices
Cameras, sensors, POS terminals and industrial kit connected over WiFi multiply the attack surface. They tend to carry default credentials and unpatched firmware, so it is worth pairing the audit with a dedicated review of those devices.
Remote work on home APs
Hybrid working stretches the perimeter out to home routers nobody controls. Although the audit focuses on your premises, we assess how those devices connect and what exposure they introduce into the corporate network.
What you get at the end
A technical and executive report with each finding, its real business impact and concrete remediation, plus a retest to confirm the critical issues are closed.
- Inventory of networks, SSIDs and access points, including unauthorised ones.
- Assessment of encryption, authentication (PSK vs 802.1X) and credential strength.
- A real segmentation map across guest, corporate and IoT networks.
- Prioritised remediation plan and closure retest.
"Almost no organisation knows how many access points are really broadcasting under its name. The first finding is usually a rogue AP nobody had set up."
— Offensive Security Team, Hard2bit
What the report includes
The deliverable is built so leadership can grasp the risk and technical teams can fix it without ambiguity. No generic PDF: every finding comes with its evidence and a remediation path.
Executive summary
A business-level read on the state of your wireless network: overall risk level, critical findings and what they mean in terms of exposure. No jargon, so leadership can prioritise spend with real judgement.
Access point inventory
A full list of the networks, SSIDs and access points detected, explicitly flagging the unauthorised ones. Many organisations discover APs here that nobody had on record, including rogue APs broadcasting under their name.
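The inventory comparison behind this deliverable, and behind the rogue AP hunt described under "Evil twin and rogue AP", can be sketched as follows. This is an added example, not Hard2bit's tooling or code from this page; the field names, finding labels, signal threshold and all sample data are constructed assumptions.

```python
# Added example: names, fields and sample data are constructed for illustration.
from typing import NamedTuple

class AP(NamedTuple):
    ssid: str
    bssid: str
    security: str
    rssi: int = 0  # dBm as seen by the survey sensor; unused for inventory rows

# Constructed inventory of authorised access points.
AUTHORISED = [
    AP("CORP", "02:00:00:00:01:01", "WPA2-Enterprise"),
    AP("CORP", "02:00:00:00:01:02", "WPA2-Enterprise"),
    AP("CORP-GUEST", "02:00:00:00:02:01", "WPA3-SAE"),
]

# Constructed survey result from one on-premises sensor.
SURVEY = [
    AP("CORP", "02:00:00:00:01:01", "WPA2-Enterprise", -48),
    AP("CORP", "02:00:00:00:09:99", "Open", -41),               # our SSID, unknown radio
    AP("CORP-GUEST", "02:00:00:00:02:01", "WPA2-PSK", -55),     # known radio, other mode
    AP("printer-setup", "02:00:00:00:07:07", "Open", -38),      # unlisted, strong signal
    AP("NeighbourCafe", "02:00:00:00:08:08", "WPA2-PSK", -83),  # unlisted, weak signal
]

ON_PREMISES_DBM = -60  # assumed threshold: stronger than this is likely inside the building

def classify(seen, authorised=AUTHORISED, near=ON_PREMISES_DBM):
    """Return (finding, AP) pairs for every surveyed AP that deviates from the inventory."""
    known = {a.bssid.lower(): a for a in authorised}
    corp_ssids = {a.ssid for a in authorised}
    findings = []
    for ap in seen:
        record = known.get(ap.bssid.lower())
        if record is None and ap.ssid in corp_ssids:
            findings.append(("impersonation-suspect", ap))  # our SSID from a radio we don't own
        elif record is None and ap.rssi >= near:
            findings.append(("unlisted-on-premises", ap))   # possible unauthorised AP on site
        elif record is not None and (ap.ssid, ap.security) != (record.ssid, record.security):
            findings.append(("config-drift", ap))           # authorised radio, unexpected SSID or mode
    return findings

if __name__ == "__main__":
    for finding, ap in classify(SURVEY):
        print(f"{finding:22} {ap.ssid:14} {ap.bssid}  {ap.security:16} {ap.rssi} dBm")
```

An access point that clones an authorised BSSID with the same security mode passes this check, so the inventory match is a first filter and not proof that every radio is yours.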
Findings with CVSS severity and evidence
Each vulnerability is scored with CVSS and backed by technical evidence: captures, handshakes, credentials recovered or access paths demonstrated. Nothing is left to guesswork; it is all reproducible and verifiable.
Segmentation map
A diagram of the real isolation between guest, corporate, IoT and management networks, marking what can be reached from each segment. At a glance, the picture makes it obvious where segmentation is only on paper.
Prioritised remediation plan
Concrete actions ordered by impact and effort, so your team knows exactly where to start. We separate what must be fixed straight away from what can be planned over the medium term.
Closure retest
Once the fixes are in, we retest the critical findings to confirm they are genuinely closed. The retest gives you clean evidence you can put in front of auditors, clients or the board.
The wireless vector rarely travels alone: to cover the cabling, switches and internal services too, this audit pairs with our infrastructure and network security audit. For a full adversarial exercise combining WiFi, physical and phishing, it pairs with a Red Team engagement.
Frequently asked questions about WiFi security
Does the audit need to be carried out on site?
What's the difference between a WiFi audit and internal network pentesting?
Do you also cover IoT devices connected over WiFi?
How long does a WiFi audit take?
Will the audit disrupt day-to-day operations?
What is a PMKID attack?
Is WPA3 insecure?
Do you audit WiFi across multiple sites?
Where does this fit within the Hard2bit portfolio?
What is your network broadcasting right now?
Request a WiFi security audit and we'll tell you, with evidence, what an attacker would see from outside your walls.