At a Glance
- Engagement type: Penetration testing across vessel IT, OT and bridge networks
- Networks covered: Business / crew IT, ship management LAN, bridge integrated navigation, OT (engine, cargo, ballast, fuel)
- Typical duration: 3-5 weeks per vessel including remote prep, on-board phase and reporting
- Engagement model: Discovery + remote testing + on-board phase + report + retest
- Response time: instant, no delay. Architecture review starts same or next business day after scoping
What is Maritime VAPT?
Maritime Vulnerability Assessment and Penetration Testing (VAPT) is a structured engagement to identify exploitable vulnerabilities in vessel IT networks (business, crew, bridge management) and OT networks (engine control, cargo control, navigation integration). Unlike enterprise VAPT, maritime VAPT must respect operational safety: aggressive scanning of an engine control PLC or ECDIS in production can disrupt navigation or propulsion, so techniques are tailored to maritime constraints.
Codesecure delivers maritime VAPT with named OSCP / CEH / maritime-experienced consultants. We use a hybrid model: shore-side review of architecture and configurations, remote testing of internet-facing components, and on-board passive monitoring plus carefully scoped active testing. Reports are aligned to IMO Resolution MSC.428(98), IACS UR E26 / E27 and class-society audit expectations.
Why It Matters
Vessels run a complex mix of modern IT and legacy OT often manufactured before cyber threats were considered. The result is exploitable surfaces: unpatched bridge PCs, default credentials on cargo control, weak segmentation between crew Wi-Fi and bridge integrated navigation, exposed VSAT management interfaces. Public maritime incidents have been traced back to exactly these issues.
VAPT is also increasingly required. IMO MSC.428(98) requires cyber risk to be addressed in vessel Safety Management Systems, and class societies require evidence including penetration test reports during IACS E26 / E27 audits and during charter due diligence. Insurance underwriters now ask for VAPT evidence in cyber-policy quotations. Without it, you cannot demonstrate due diligence.
What's Included
Codesecure's maritime VAPT covers IT, OT and bridge layers with OT-safe methodology:
- Vessel IT Network Pentest: Business, crew Wi-Fi, ship management LAN with Active Directory and Windows estate review
- Bridge Integrated Navigation Review: ECDIS, RADAR, conning, AIS interconnection review with vendor-approved methodology
- OT Network Mapping & Passive Testing: Passive packet capture of engine, cargo, ballast, fuel networks; no aggressive probes
- OT Active Testing (Carefully Scoped): Active testing of OT only where vendor-approved and operationally safe (typically alongside CMS / dry-dock)
- Ship-to-Shore Link Review: VSAT, LEO, port Wi-Fi, GSM and shore-link management interface review
- Web App & API Testing: Crew portal, ship management web apps, charterer portals, owner portals
- Wireless Assessment: Bridge Wi-Fi, crew Wi-Fi, sensor networks, IoT in cargo and engine room
- Phishing & Crew Pretexting: Optional crew-side simulated phishing campaign with reporting
- Class-Society Aligned Reports: Findings mapped to IMO MSC.428(98), IACS UR E26 / E27, BIMCO Guidelines
- Free Retest: Retest of remediated findings included within 90 days of report delivery
Get a Free Maritime VAPT Scoping Call
45-minute call with our maritime VAPT lead. Bring your fleet inventory, ship architecture and target audit / charter date, leave with a phased VAPT roadmap. Instant response, no delay.
Methodology
Every Maritime VAPT engagement follows a 5-phase methodology aligned with IMO and IACS guidance:
1. Discovery & Scoping: Free scoping call, NDA, vessel and network inventory, OT system inventory, audit deadline review, rules of engagement.
2. Threat Modeling & Plan: Per-vessel threat model, scope definition split between shore-side remote testing and on-board phases, OT-safety constraints documented.
3. Remote & Shore-Side Testing: Internet-facing components, web apps, APIs, shore-link management interfaces tested from Codesecure shore-side environment.
4. On-Board Testing: On-board engineer visit during port call or dry-dock. Passive OT capture, active IT testing, bridge integrated navigation review, wireless assessment.
5. Reporting & Retest: Class-society aligned report with prioritised findings, remediation guidance, retest of fixes within 90 days included.
What You Get
Every Maritime VAPT engagement ships with the same operational handoff:
- Maritime VAPT Report: Class-society-aligned findings with severity, exploitation evidence, remediation
- Executive Summary: Board-ready summary of fleet risk and prioritised actions
- Remediation Playbook: Per-finding remediation guidance and verification criteria
- OT-Safe Test Plan: Evidence of OT-safe methodology and rules of engagement
- Free Retest: Retest of remediated findings within 90 days included
- Audit-Ready Evidence Pack: Mapped to IMO MSC.428(98), IACS UR E26 / E27, ISM Code
Timeline
Most maritime VAPT engagements complete within 3-5 weeks per vessel. Instant response, no delay, kickoff scheduled same or next business day after scoping.
- Week 1 (Scoping & Threat Model): Free scoping, NDA, inventory, rules of engagement, threat model, test plan.
- Weeks 2-3 (Remote + On-Board): Shore-side remote testing of internet-facing and management interfaces. On-board phase during port call or planned visit.
- Weeks 4-5 (Report & Retest): Class-society-aligned report delivered. Remediation support. Free retest of fixes within 90 days.
Frameworks & Standards We Cover
- OSCP
- CEH
- PTES
- OWASP
- MITRE ATT&CK for ICS
- IMO MSC.428(98)
- IACS UR E26
- IACS UR E27
- BIMCO Cyber Guidelines
- NIST 800-82 OT
- IEC 62443
- TMSA 3
Talk to a Maritime VAPT Lead
30-minute call with our maritime VAPT lead. Discuss your fleet, OT estate and audit / charter timelines with no sales pressure.
Frequently Asked Questions
Is VAPT safe to run on a vessel in production?
Yes, with the right methodology. Codesecure uses an OT-safe approach: passive packet capture on OT networks, no aggressive scans of PLCs or engine controllers, careful coordination with master, chief engineer and ship operations. IT-side testing follows enterprise standards. We document rules of engagement before any active testing begins.
What does maritime VAPT actually cost?
Maritime VAPT pricing varies by vessel architecture, fleet size and OT scope. We provide a fixed-fee scoped proposal within 24-48 hours of scoping. Repeat fleet-wide engagements scale down per-vessel as we reuse architecture knowledge.
Do we need to bring you on-board the vessel?
We strongly prefer an on-board phase to cover bridge integrated navigation, OT visibility and wireless assessment realistically. For fleets with limited port-visit windows we can pre-deploy a small capture appliance, accompanied by remote analysis, and add the on-board phase opportunistically at the next port call.
How quickly can you start?
Instant response, no delay. We respond within an hour during business hours, send a fixed-fee proposal in 24-48 hours under NDA, and start scoping same or next business day after sign-off.
Will the report satisfy class society and Port State Control?
Yes. Reports are aligned to IMO Resolution MSC.428(98), IACS UR E26 (new build cyber resilience) and UR E27 (ship systems cyber resilience), BIMCO Guidelines and class-society audit programmes. Reports are accepted by IRS, DNV, BV, LR, ABS and others in our experience.
Do you do social engineering / crew phishing?
Yes, as an optional add-on. Crew-side simulated phishing campaigns covering crew-Wi-Fi-connected personal devices and shipboard email, with debrief and targeted training for clickers. We coordinate with the master and crew manager so the campaign does not affect operations.
Can you map findings to TMSA 3 and OCIMF expectations?
Yes. For tanker operators in particular, findings are mapped to TMSA 3 KPIs (especially Element 13 Maritime Security) and OCIMF expectations. This makes the report directly usable in TMSA self-assessment and vetting submissions.
Ready to Get Your Vessels VAPT-Tested?
Codesecure delivers maritime VAPT with OT-safe methodology, class-society-aligned reporting and free retest. Free 30-minute scoping call, instant response, no obligation.