SHT-Cyber Compliant Service

For Civil Aviation Operators
Penetration Tests

SHGM Audit Focused – Audit-Ready Reporting

Within the SHT-Cyber Management System Standard framework, we test the IT/OT assets of civil aviation operators with real attack scenarios, technically verify the risks, and provide reports usable in SHGM audits, a CAPA plan and a re-test service.

The SHT-Cyber Management System – What Is It?

SHT-Cyber (Civil Aviation Cybersecurity Management System Standard) is a regulation published by the Directorate General of Civil Aviation (SHGM) to enable operators in the civil aviation sector to manage their cybersecurity risks. Covering critical infrastructure such as airports, airlines, navigation service providers and ground handling, this standard requires operators to secure their IT (Information Technology) and OT (Operational Technology) assets.

Core Expectation in Audits
The question asked in every SHGM audit is: "How did you technically verify your risk assessment?" The most concrete answer is to have a professional penetration test performed to identify the real weaknesses in the systems and to run a documented remediation process.

Who Is This Service For?

Airline Operators

Reservation, check-in, flight planning systems

Airport Operators

Terminal management, security, baggage tracking systems

Navigation Service Providers

Air traffic control, radar, communication systems

Ground Handling & Maintenance Organisations

Operations management with critical systems

Terminal Operators

Passenger handling, cargo management systems

Supplier/Integrator Companies

Critical software/hardware providers in the aviation ecosystem

Whichever category your operation falls into — Group 1, Group 2 or Group 3 — the test scope is determined accordingly.

Penetration Test Scope

Our SHT-Cyber compliant penetration tests cover all your technical assets, starting from your externally exposed attack surface through to internal network security, critical applications and OT/IoT components.

Test Areas

External Network Tests

Attack surface scanning and vulnerability exploitation tests on internet-facing servers, web applications, VPN, e-mail servers and DNS services.

Internal Network Tests

Active Directory, domain policies, internal servers, segmentation checks, privilege escalation and lateral movement scenarios.

Web Applications

OWASP Top 10 security vulnerabilities, SQL Injection, XSS, authentication and authorisation flaws, business logic tests, API security.

Mobile Applications

Local data storage, encryption, API communication, application permissions and code security tests in iOS/Android applications.

Wireless Networks (WiFi)

WLAN encryption security, guest network isolation, rogue access point detection, WPA2/WPA3 configuration assessment.

Social Engineering

Phishing e-mail campaigns, security awareness tests, physical security assessment (on request).

Database Security

Database authorisation checks, encryption status, backup security, SQL injection protections, sensitive data access tests.

OT/IoT Systems

Security assessment of operational technology components such as baggage tracking, CCTV, access control, SCADA and BMS (Building Management System).

Cloud Infrastructures

AWS, Azure, Google Cloud configuration reviews, IAM policies, storage security, container security tests (if any).

Test Process & Methodology

Our penetration testing process progresses in a professional and transparent structure, from the planning stage to the final re-test report. At every stage we work in coordination with your operation, applying a methodology that does not disrupt operations but reveals the real risks.

1. Preliminary Meeting & Scoping

The scope is clarified with your asset inventory, critical systems, test window and target list. A Test Instruction (ToR) is prepared.

2. Reconnaissance & Information Gathering

Passive/active scanning of target systems; open ports, services, technologies and potential attack vectors are identified.

3. Vulnerability Analysis & Exploitation

Identified vulnerabilities are verified manually; their impact on the systems is measured with real attack scenarios (exploits).

4. Reporting & Presentation

Findings are classified by risk level; an executive summary + technical detail + business impact + remediation recommendations are prepared.

Methodologies We Use

OWASP Testing Guide

Industry-standard methodology for web application and API security testing

OSSTMM (Open Source Security Testing Methodology Manual)

A comprehensive security testing methodology covering network, physical and human factors

PTES (Penetration Testing Execution Standard)

Standardised execution of penetration testing processes

Deliverables & Outputs

Main Penetration Test Report

Executive summary, findings (technical evidence + screenshots), risk rating, business impact analysis and remediation recommendations

Corrective/Preventive Action (CAPA) Plan

An action plan for each finding, including the responsible person, due date, expected evidence and tracking fields

Re-test Report

Technical verification of remediations; the status of closed/remaining findings and the final risk level

Annexes & Supporting Documents

Scope list, test schedule, tools used, CVE references, methodology summary

Use in SHGM Audits
All deliverables are prepared in a format that can be submitted as evidence in SHGM audits. Our reports provide a clear answer to the question "how did you technically verify the risks?".

Why Nesil Teknoloji?

10+ Years of Cybersecurity Experience
50+ Completed Penetration Test Projects
100% Audit-Compliant Reporting

SHT-Cyber Audit Experience

A practical, solution-oriented approach grounded in knowledge of SHGM audit expectations in the aviation sector

Certified Expert Team

Cybersecurity experts certified with OSCP, CEH, GPEN, CISSP

Operational Sensitivity

Test planning coordinated with maintenance windows so that 24/7 operations are not disrupted

Confidentiality & Security

All test data is stored in an encrypted environment and securely destroyed at the end of the project

Follow-up & Support

3 months of Q&A support after the re-test; additional consultancy before the audit

Transparent Pricing

A clear budget based on scope; no hidden costs, flexible payment plans

Frequently Asked Questions

Is a penetration test mandatory under SHT-Cyber?

Although the SHT-Cyber standard does not contain a direct provision such as "perform a pentest X times a year", in audit practice technical verification of risks is invariably required. SHGM auditors expect a concrete answer to the question "How did you verify these risks?". The strongest and most widely accepted answer is to present a professional penetration test report. For this reason, a penetration test effectively becomes mandatory, especially for Group 1 and Group 2 operators with critical systems.

Is there a downtime risk in the production environment during the test?

Our tests are planned on the principle of "not affecting operations". On critical systems a maintenance window is always used; DoS (denial of service) and load tests are never applied without written approval. Thanks to our experience in 24/7 aviation operations, we run a risk-free test process. A rollback plan is prepared before all tests.

Can the report be used directly in an SHGM audit?

Yes. Our reports are prepared in a format that can be presented to SHGM auditors. Their content includes: executive summary (for senior management), technical findings (screenshots and step-by-step evidence), risk rating (critical/high/medium/low), business impact analysis and remediation steps. Together with the re-test report, "findings closed" evidence is also provided.

Are OT systems (SCADA, BMS, CCTV) tested?

If OT/IoT components are in your asset inventory and scope approval has been given, yes, they are tested. However, on systems with high operational risk (for example baggage tracking, air traffic control) safe verification methods are preferred. If necessary, only configuration reviews or limited tests are performed; interventions that would stop operations are strictly avoided.

How long does the test take?

The duration varies by scope. For a typical small-to-medium operation it may be 2-3 weeks; for a large-scale airport or airline it may be 4-6 weeks. The process is planned as: Reconnaissance (2-5 days) → Active testing (5-15 days) → Reporting (3-5 days) → Re-test (2-3 days). At the first meeting a test schedule tailored to you is presented.

Which certificates do you hold?

Our team holds international certificates such as OSCP (Offensive Security Certified Professional), CEH (Certified Ethical Hacker), GPEN (GIAC Penetration Tester), CISSP and CISA. We are also a firm accredited in Türkiye with the TSE Approved Penetration Testing Company (TSE-STF-065) certificate.

Do you provide post-test remediation support?

Yes. We provide Q&A support for 3 months after the re-test. We answer your technical questions about the findings and verify your remediation steps. We also evaluate your requests for additional consultancy before the SHGM audit. Optionally, we also offer a service to perform the remediations on your behalf.

How is the cost determined?

The cost is determined by the test scope (external network, internal network, number of web/mobile applications, OT systems), operation size and test duration. After the first meeting we provide you with a scope document (ToR) and a clear quote. There are no hidden costs; flexible payment plans are available.

Start Your SHGM Audit Preparation Now

Let's define the test scope (ToR), the test window and the deliverables together. Let's prepare an output package that gives a clear answer to the "how did you technically verify the risks?" question that will be asked in the audit.