Hard2bit
Wireless security

WiFi security audit for businesses

Your WiFi is a door you can't see.

We audit your wireless networks the way an attacker would from the car park: encryption, credentials, rogue access points and guest-network isolation.

The blind spot in the attack surface

Firewalls and EDR get the budget, but the network that broadcasts beyond your walls usually goes unchecked.

Physical range

The signal doesn't stop at the door. An attacker can hit your network from the street, the car park or the unit next door, without ever setting foot inside.

Invisible impersonation

Rogue access points (evil twin, rogue AP) capture credentials without the user noticing a thing. Devices connect on their own to the known network.

Fictional segmentation

The guest and IoT networks are rarely as isolated as assumed. From a printer or a meeting-room tablet you reach further than expected.

How we audit your wireless network

Spectrum reconnaissance

Mapping every network and access point in scope, identifying hidden SSIDs, channels, encryption protocols and connected devices.

Configuration and encryption analysis

Review of the real operating mode (WPA2/WPA3, PSK vs 802.1X/EAP), credential strength and WiFi controller policies.

Controlled attacks

Handshake capture, dictionary attacks, evil twin and rogue AP, deauthentication attacks and captive-portal validation, within agreed rules of engagement.

Segmentation validation

Checking isolation between guest, corporate, IoT and management networks: what can actually be reached from each segment.

Report and remediation

Risk-prioritised findings with evidence, concrete recommendations and a follow-up retest to confirm closure.

What we test

Reading the controller config is not enough. We reproduce the techniques an attacker would use against your wireless network, under real conditions and within agreed rules of engagement.

Encryption and protocols

We assess the real operating mode: WPA2, WPA3 and WPA3-Transition, which reintroduces WPA2 weaknesses whenever it has to coexist with older clients. On corporate networks we review WPA-Enterprise with 802.1X/EAP and its variants — PEAP, EAP-TLS and EAP-TTLS — where RADIUS server-certificate validation is usually the soft spot.

Handshake and PMKID capture and cracking

We capture the 4-way handshake and, where the access point allows it, the PMKID with no connected clients required. With that material we run offline dictionary and mask attacks to measure how strong the PSK passwords really are. It is the most direct way to know whether one weak credential opens the whole network.

Evil twin and rogue AP

We stand up rogue access points that impersonate the corporate SSID to see whether devices connect on their own and hand over credentials. We also hunt for rogue APs already sitting in your premises: unauthorised access points someone plugged in off the books, quietly widening the attack surface.
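To make the reconnaissance and rogue-AP hunting above concrete from the defender's side, here is an added example (not Hard2bit tooling, and not code from this page) that triages a wireless scan inventory against the list of access points the network team has actually authorised. The scan export format ("BSSID,SSID,channel,security"), the authorised list and the anomalous records are all constructed for the example; it flags unregistered BSSIDs broadcasting a corporate SSID, lookalike SSIDs, security downgrades on a known SSID and hidden networks for follow-up.

```python
"""Rogue / evil-twin triage over a wireless scan inventory (added example).

Assumed input: one record per line as "BSSID,SSID,channel,security", a
hypothetical export from whatever scanner is used during reconnaissance.
The authorised list is what the network team says should be on air.
"""
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    channel: int
    security: str  # e.g. "OPEN", "WPA2-PSK", "WPA2-EAP", "WPA3-SAE"


# Constructed authorised inventory: SSID -> (approved BSSIDs, expected security)
AUTHORISED = {
    "Hard2bit-Corp": ({"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:11"}, "WPA2-EAP"),
    "Hard2bit-Guest": ({"aa:bb:cc:00:01:20"}, "OPEN"),
}

# Constructed scan export; the last three records are the anomalies
SCAN_EXPORT = """\
aa:bb:cc:00:01:10,Hard2bit-Corp,36,WPA2-EAP
aa:bb:cc:00:01:11,Hard2bit-Corp,44,WPA2-EAP
aa:bb:cc:00:01:20,Hard2bit-Guest,6,OPEN
de:ad:be:ef:00:01,Hard2bit-Corp,6,WPA2-PSK
de:ad:be:ef:00:02,Hard2bit_Corp,11,OPEN
de:ad:be:ef:00:03,,1,WPA2-PSK
"""


def parse_scan(text):
    """Parse the CSV-style export into ScanRecord objects (BSSIDs lower-cased)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, security = line.split(",")
        records.append(ScanRecord(bssid.lower(), ssid, int(channel), security.upper()))
    return records


def _normalise(ssid):
    """Collapse case and punctuation so 'Hard2bit_Corp' == 'Hard2bit-Corp'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def triage(records, authorised):
    """Return (bssid, finding_kind, detail) tuples for anything that needs a look."""
    findings = []
    for rec in records:
        if rec.ssid == "":
            # Hidden SSID: not a control, and ownership has to be confirmed on site
            findings.append((rec.bssid, "hidden-ssid", "hidden network seen; confirm ownership"))
            continue
        if rec.ssid in authorised:
            approved_bssids, expected_sec = authorised[rec.ssid]
            if rec.bssid not in approved_bssids:
                findings.append((rec.bssid, "unregistered-bssid",
                                 f"'{rec.ssid}' served by unknown BSSID (possible evil twin or rogue AP)"))
            if rec.security != expected_sec:
                findings.append((rec.bssid, "security-mismatch",
                                 f"'{rec.ssid}' advertised as {rec.security}, expected {expected_sec}"))
            continue
        # Not an authorised SSID: is it a lookalike of one?
        for name in authorised:
            same_norm = _normalise(name) == _normalise(rec.ssid)
            ratio = difflib.SequenceMatcher(None, name.lower(), rec.ssid.lower()).ratio()
            if same_norm or ratio >= 0.85:  # 0.85 is this example's threshold
                findings.append((rec.bssid, "lookalike-ssid",
                                 f"'{rec.ssid}' resembles authorised '{name}'"))
                break
    return findings


if __name__ == "__main__":
    for bssid, kind, detail in triage(parse_scan(SCAN_EXPORT), AUTHORISED):
        print(f"{bssid}  {kind:20s} {detail}")
```

The point of the exercise is the authorised list: without a maintained record of which BSSIDs are supposed to carry each SSID, a scan only tells you what is on air, not what should not be. Run on the constructed export, the three anomalous records produce an unregistered BSSID with a security downgrade, a lookalike SSID and a hidden network.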

Deauthentication and KARMA

We test deauthentication attacks to force reconnections and capture handshakes, and KARMA-style techniques, where a malicious AP answers the networks devices automatically probe for. That tells us how quickly an attacker can get a legitimate client talking to their kit instead of yours.

Captive portals and WPS

We probe the guest network captive portal for bypasses, pre-authentication traffic leaks and portal spoofing. We check whether WPS is still enabled: its PIN is vulnerable to brute-force attacks that can hand over the network key in a matter of hours.

Client isolation and hidden networks

We check whether client isolation is genuinely enforced or whether one device can reach another on the same SSID. And we surface hidden networks: hiding an SSID is not a security control, only a way to make it less visible, and a single connected client is enough to reveal it. Obscurity gets mistaken for protection far too often.
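The configuration-side checks behind the encryption, WPS, hidden-SSID and client-isolation points above can be expressed as a small linter. The following is an added example (not Hard2bit tooling, not code from this page) that runs over hostapd-style configuration text: the option names (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `ieee80211w`, `wps_state`, `ignore_broadcast_ssid`, `ap_isolate`, `wpa_passphrase`) are real hostapd.conf keys, while the rule set, the severities and the 16-character PSK minimum are assumptions of this example. Both the weak and the hardened configuration are constructed.

```python
"""Linter for the wireless settings a WiFi audit reviews, over hostapd.conf text.

Added example. hostapd option names are real; the rules and thresholds are
this example's own assumptions, not a standard.
"""

# Constructed weak configuration: WPA3-Transition with PMF optional, a short
# PSK, TKIP still allowed, WPS on, SSID hidden and no client isolation.
WEAK_CONF = """\
# meeting-room AP, set up in a hurry
interface=wlan0
ssid=Hard2bit-Corp
wpa=2
wpa_key_mgmt=SAE WPA-PSK
wpa_passphrase=Hard2bit2024
rsn_pairwise=CCMP TKIP
ieee80211w=1
wps_state=2
ignore_broadcast_ssid=1
"""

# Constructed hardened configuration: WPA3-only (SAE), PMF required, WPS off,
# SSID broadcast, client isolation on.
HARDENED_CONF = """\
interface=wlan0
ssid=Hard2bit-Corp
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=correct-horse-battery-staple-2024
wps_state=0
ignore_broadcast_ssid=0
ap_isolate=1
"""

MIN_PSK_LEN = 16  # assumption for this example, not a standard


def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def lint_wireless(cfg):
    """Return (rule_id, severity, message) tuples; empty list means nothing flagged."""
    findings = []

    def add(rule, severity, msg):
        findings.append((rule, severity, msg))

    # hostapd defaults: wpa=0 (open), wpa_key_mgmt=WPA-PSK, ieee80211w=0
    key_mgmt = set(cfg.get("wpa_key_mgmt", "WPA-PSK").split())
    if int(cfg.get("wpa", "0")) == 0:
        add("open-network", "high", "no encryption (wpa=0); only defensible on an isolated guest segment")
    ciphers = set((cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        add("weak-cipher", "high", "TKIP allowed; restrict pairwise cipher to CCMP")
    if "SAE" in key_mgmt and "WPA-PSK" in key_mgmt:
        add("wpa3-transition", "medium", "WPA3-Transition: WPA2-PSK still accepted, so WPA2 weaknesses remain")
    if "SAE" in key_mgmt and cfg.get("ieee80211w", "0") != "2":
        add("pmf-optional", "medium", "SAE without ieee80211w=2; management frames not required to be protected")
    if "WPA-PSK" in key_mgmt and len(cfg.get("wpa_passphrase", "")) < MIN_PSK_LEN:
        add("short-psk", "high", f"PSK shorter than {MIN_PSK_LEN} characters; offline cracking is feasible")
    if cfg.get("wps_state", "0") == "2":
        add("wps-enabled", "high", "WPS enabled; disable it (wps_state=0)")
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        add("hidden-ssid", "info", "hidden SSID is not a security control; broadcast it")
    if cfg.get("ap_isolate", "0") != "1":
        add("no-client-isolation", "medium", "clients on this SSID can reach each other; set ap_isolate=1")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: {len(lint_wireless(parse_hostapd(conf)))} finding(s)")
        for rule, severity, msg in lint_wireless(parse_hostapd(conf)):
            print(f"  [{severity}] {rule}: {msg}")
```

Two things the linter cannot see, which is why the page insists on testing rather than reading configs: whether clients actually validate the RADIUS server certificate on 802.1X networks is a supplicant-side setting, and whether client isolation holds end to end depends on the switching and controller behind the AP, not just `ap_isolate`.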

When you need one

There are moments and contexts where the wireless vector stops being a theoretical risk and becomes a concrete priority.

New offices or sites

Every move or opening rebuilds the network from scratch, often in a hurry and on default settings. It is the ideal moment to validate the rollout before it settles into insecure configurations that are hard to undo later.

A live guest network

If you offer WiFi to visitors, suppliers or clients, you need to confirm that segment cannot reach the corporate network. The convenience of an open or semi-open network frequently becomes the first way in.

PCI DSS or ENS compliance

Frameworks like PCI DSS require periodic testing for unauthorised access points, and Spain's ENS scheme demands control over wireless access. A documented audit gives auditors the evidence they ask for.

After an incident

If you have suffered a breach or a leak and do not know how the attacker got in, WiFi is one of the vectors to rule out. A rogue AP or a weak credential can be the door nobody checked.

Lots of IoT devices

Cameras, sensors, POS terminals and industrial kit connected over WiFi multiply the attack surface. They tend to carry default credentials and unpatched firmware, so it is worth pairing the audit with a dedicated review of those devices.

Remote work on home APs

Hybrid working stretches the perimeter out to home routers nobody controls. Although the audit focuses on your premises, we assess how those devices connect and what exposure they introduce into the corporate network.

What you get at the end

A technical and executive report with each finding, its real business impact and concrete remediation, plus a retest to confirm the critical issues are closed.

  • Inventory of networks, SSIDs and access points, including unauthorised ones.
  • Assessment of encryption, authentication (PSK vs 802.1X) and credential strength.
  • A real segmentation map across guest, corporate and IoT networks.
  • Prioritised remediation plan and closure retest.

"Almost no organisation knows how many access points are really broadcasting under its name. The first finding is usually a rogue AP nobody had set up."

— Offensive Security Team, Hard2bit

What the report includes

The deliverable is built so leadership can grasp the risk and technical teams can fix it without ambiguity. No generic PDF: every finding comes with its evidence and a remediation path.

Executive summary

A business-level read on the state of your wireless network: overall risk level, critical findings and what they mean in terms of exposure. No jargon, so leadership can prioritise spend with real judgement.

Access point inventory

A full list of the networks, SSIDs and access points detected, explicitly flagging the unauthorised ones. Many organisations discover APs here that nobody had on record, including rogue APs broadcasting under their name.

Findings with CVSS severity and evidence

Each vulnerability is scored with CVSS and backed by technical evidence: captures, handshakes, credentials recovered or access paths demonstrated. Nothing is left to guesswork; it is all reproducible and verifiable.

Segmentation map

A diagram of the real isolation between guest, corporate, IoT and management networks, marking what can be reached from each segment. At a glance, the picture makes it obvious where segmentation is only on paper.

Prioritised remediation plan

Concrete actions ordered by impact and effort, so your team knows exactly where to start. We separate what must be fixed straight away from what can be planned over the medium term.

Closure retest

Once the fixes are in, we retest the critical findings to confirm they are genuinely closed. The retest gives you clean evidence you can put in front of auditors, clients or the board.

The wireless vector rarely travels alone: to cover the cabling, switches and internal services as well, this audit pairs with our infrastructure and network security audit, and for a full adversarial exercise combining WiFi, physical intrusion and phishing it pairs with a Red Team engagement.

Frequently asked questions about WiFi security

Does the audit need to be carried out on site?

Yes. WiFi security is inherently physical: signal range, rogue access points and spoofing attacks can only be truly assessed on the ground. We do the work at your premises, with agreed windows and rules of engagement so operations aren't affected.

What's the difference between a WiFi audit and internal network pentesting?

Internal network pentesting assumes you're already inside; a WiFi audit assesses exactly how an attacker would get in over the air, with no cable or credentials. They're complementary: many internal intrusions start with a poorly protected wireless network.

Do you also cover IoT devices connected over WiFi?

Yes, within the wireless scope. Cameras, sensors, printers and other connected devices are often the weak link: default credentials, unpatched firmware and placement in segments that shouldn't reach critical systems. For a dedicated assessment of these devices, we combine it with our IoT security testing.

How long does a WiFi audit take?

It depends on the scope: how many sites, how many access points and how complex the authentication is (PSK versus 802.1X/EAP). A single office is usually covered in two to three days of fieldwork, plus the follow-on analysis and writing up the report. Multi-site estates or environments with a large IoT footprint need longer. We always agree the scope and an estimate up front, so there are no surprises.

Will the audit disrupt day-to-day operations?

The aim is that it does not. Deauthentication attacks and evil-twin tests can be intrusive if run without control, so we carry them out within windows and rules of engagement agreed with you, typically outside critical hours. Most of the work — reconnaissance, handshake capture, configuration analysis — is passive and does not interrupt users.

What is a PMKID attack?

It is a WiFi credential-capture technique that exploits an identifier (the PMKID) which some access points send in the first message of the handshake, with no connected client required. It lets an attacker gather material passively and silently to crack the password offline, without firing off deauthentication. We check whether your APs are exposed and whether your credentials hold up against this kind of attack.

Is WPA3 insecure?

WPA3 is more robust than WPA2, but it is not an absolute guarantee. The WPA3-Transition mode, designed to coexist with older devices, allows WPA2 connections and reintroduces some of the weaknesses WPA3 is meant to remove. On top of that, a flawed implementation or a badly configured rollout can leave vectors open. We validate the real operating mode, not the marketing label on the router.

Do you audit WiFi across multiple sites?

Yes. We coordinate the fieldwork by location and consolidate the findings into a single report, with a site-by-site comparison and a global inventory of access points. It is common for organisations with distributed offices, franchises or industrial environments, where each site repeats — and sometimes worsens — the same configuration mistakes.

Where does this fit within the Hard2bit portfolio?

It is part of the Pentesting & Red Team area, alongside technical pentesting, infrastructure and network audits and Red Team. The WiFi audit covers the wireless vector — one of the most neglected parts of the attack surface.

What is your network broadcasting right now?

Request a WiFi security audit and we'll tell you, with evidence, what an attacker would see from outside your walls.