Frequently Asked Questions
Cybersecurity FAQ South Africa
Cybersecurity questions are good questions. Most businesses only start asking them after something goes wrong — we’d rather you asked them now. Below you’ll find clear, no-jargon answers to what we get asked most often, covering everything from penetration testing and POPIA compliance to what to do if you think you’ve been hacked. If your question isn’t here, contact us directly — we’re always happy to talk it through.
About Tanosec
What does Tanosec Cybersecurity do?
We provide practical, real-world cybersecurity services for South African businesses and individuals — including penetration testing, ethical hacking, vulnerability assessments, managed cybersecurity, OSINT investigations, digital footprint assessments, phishing simulations, and security awareness training. We’re based in Bloemfontein and work with clients across South Africa, fully remotely or on-site where needed.
Do you work with both individuals and businesses?
Yes. We help individuals with online privacy concerns, account compromises, data exposure, and digital harassment. For businesses, we offer the full range of security assessments, investigations, threat intelligence, and ongoing managed security services.
Are your services confidential?
Completely. Every engagement is handled under strict confidentiality. We never share your information, findings, or case details with any third party, ever.
Where are you based and do you work nationally?
We’re based in Bloemfontein, Free State, but we work with clients across South Africa — including Johannesburg, Cape Town, Durban, and Pretoria — as well as fully remotely nationwide. Geography is not a barrier to getting proper security work done.
Do you offer consultations?
Yes. A consultation helps us understand your situation and recommend the right next steps. Get in touch and we’ll take it from there.
General Cybersecurity Questions
What is the biggest cybersecurity threat facing South African businesses right now?
Phishing and ransomware are the two most common entry points. South Africa consistently ranks among the most targeted countries globally for cybercrime, and most successful attacks start with a single employee clicking a malicious link or attachment. The threat is real, it’s local, and it’s growing.
What should I do if I think I've been hacked?
Stop using the affected device or account immediately and contact us. Don’t attempt random fixes — they can make the situation worse and destroy evidence. We’ll guide you through safe containment and recovery steps as quickly as possible.
How quickly can Tanosec respond to an urgent security incident?
Urgent cases are treated as priority. Contact us through our website and indicate the severity — we’ll get back to you as fast as possible. For ongoing managed security clients, response is even faster.
What is OSINT?
OSINT stands for Open-Source Intelligence — the practice of gathering and analysing information from publicly available sources. It’s one of the first techniques real attackers use to research a target, and one of the most powerful tools defenders have when used proactively. We use OSINT in digital footprint assessments, threat intelligence work, and investigations to surface what’s already out there about you before someone else uses it against you.
What is POPIA and does my business need to comply?
POPIA — the Protection of Personal Information Act — is South Africa’s data privacy law. If your business collects, stores, or processes any personal information about customers, employees, or suppliers, you must comply. Non-compliance carries significant financial penalties and reputational risk. Our vulnerability assessments and managed security services are POPIA-aligned, and we can help you understand where your gaps are.
Is cybersecurity only for large companies?
This is one of the most dangerous misconceptions in the industry. SMEs are actually more frequently targeted than large enterprises because attackers know smaller businesses typically have weaker defences and fewer resources to fight back. If you run a business and handle any customer or financial data, you need cybersecurity basics at minimum.
Penetration Testing & Ethical Hacking
What is penetration testing?
Penetration testing — or pen testing — is a simulated cyberattack carried out by ethical hackers to find exploitable vulnerabilities in your systems before real attackers do. We test your infrastructure, applications, networks, or specific targets agreed upfront, attempt to exploit weaknesses in a controlled way, and deliver a clear report of what we found and how to fix it.
What is the difference between penetration testing and a vulnerability assessment?
A vulnerability assessment identifies and catalogues potential weaknesses across your environment — it’s broader and less invasive. A penetration test goes further: we actively attempt to exploit those weaknesses to confirm real-world impact. Think of a vulnerability assessment as the map of your gaps, and a penetration test as proof of what happens when someone walks through them. Many clients start with an assessment and move to pen testing once they have a clearer picture of their environment.
Will a penetration test disrupt my business?
We scope every engagement carefully to minimise disruption. In the majority of cases your team won’t notice anything unusual. We agree on rules of engagement before we start — including any systems that are off-limits — so there are no surprises.
How long does a penetration test take?
It depends on scope, but most SME engagements run between three and ten business days from kickoff to final report delivery.
What do I get at the end of a penetration test?
A formal written report with an executive summary suitable for non-technical stakeholders, detailed technical findings, risk ratings based on real-world exploitability, and a prioritised remediation roadmap. We’re also available to walk your team through the findings and support remediation.
How often should I do a penetration test?
At minimum annually, and after any significant infrastructure change — a new system deployment, a migration, or following a security incident. For businesses in regulated industries, more frequent testing is advisable.
Vulnerability Assessments
What does a vulnerability assessment cover?
We assess your entire attack surface — internal and external networks, servers, endpoints, cloud infrastructure and configuration, web applications, remote access systems, and email security. Every finding is rated by real-world exploitability so you know where to focus first.
Do I need a vulnerability assessment or a penetration test?
If you’ve never done any formal security testing, a vulnerability assessment is usually the right starting point. It gives you a comprehensive picture of your current risk exposure quickly and cost-effectively. From there, you can make an informed decision about whether a penetration test is the logical next step for your highest-risk areas.
How often should I run a vulnerability assessment?
Annually at minimum. Quarterly for businesses in regulated sectors — finance, healthcare, legal — or for any business that handles large volumes of sensitive customer data. New vulnerabilities are discovered constantly; an annual snapshot keeps you from drifting into exposure without realising it.
Managed Cybersecurity
What is managed cybersecurity?
Managed cybersecurity means Tanosec acts as your outsourced security team — monitoring your environment, flagging threats, running regular scans, and providing security guidance on an ongoing basis. It’s continuous protection without the cost of hiring an in-house security specialist.
Do I need an IT team to use managed cybersecurity?
No — that’s exactly the point. Managed security is designed for businesses that don’t have dedicated IT or security staff. We handle the monitoring, analysis, and recommendations. You get clear, plain-language guidance on what to act on and when.
What's the difference between managed security and just having antivirus?
Antivirus catches known malware signatures. Managed cybersecurity is a layer above that — monitoring your network behaviour, identifying suspicious activity, catching misconfigurations, scanning for new vulnerabilities, and providing human analysis of what’s actually happening in your environment. Antivirus is a basic hygiene tool. Managed security is active defence.
Phishing & Security Awareness
What is a phishing simulation?
A phishing simulation is a controlled exercise where we design and send realistic phishing emails to your staff — without them knowing it’s a test — to measure how they respond. We track who clicks, who submits credentials, and who reports the email. The results feed into targeted training so you know exactly where your human risk is concentrated.
Will phishing simulations embarrass or punish my employees?
No. We use results as a coaching tool, not a disciplinary one. People click phishing emails because phishing is specifically designed to be convincing — not because they’re careless or incompetent. The goal is to build resilience, not blame individuals.
What does security awareness training involve?
Practical, engaging sessions covering how to recognise phishing and social engineering attacks, password hygiene, safe browsing habits, data handling, and how to report a suspected incident. We use real South African examples because local context makes training land better than generic global content.
Does POPIA require staff cybersecurity training?
Yes. POPIA places explicit obligations on organisations to ensure staff who handle personal information understand their responsibilities and the risks involved. Our training is structured to support those obligations and provides documentation you can use to demonstrate compliance.
Digital Footprint & OSINT
What is a digital footprint assessment?
We use the same open-source intelligence techniques that real attackers use to map everything publicly findable about your business — leaked passwords, exposed documents, employee contact details, domain intelligence, and social media exposure. Most businesses are genuinely surprised at what comes back. You get a full report of what we found and how to reduce your exposure.
Who is a digital footprint assessment for?
Any business that wants to know what attackers can already find out about them. It’s particularly valuable before a merger or acquisition, before submitting a government tender or public contract, when onboarding a high-value client who will be doing their own research on you, or simply as a baseline before any other security work begins.
What's the difference between a digital footprint assessment and an OSINT investigation?
A digital footprint assessment focuses on your external exposure — what’s publicly findable about your business. An OSINT investigation goes deeper — dark web monitoring, brand impersonation detection, fake social profiles, supply chain exposure, and active threat intelligence related to your organisation. They complement each other well and many clients run both.
Getting Started
How do I know which service is right for my business?
Start with Clarity — our free AI-powered security snapshot. It takes five minutes, requires no technical knowledge, and gives you an immediate read on your biggest risk areas. From there, we can recommend the right service based on what it surfaces. Or just contact us directly and we’ll talk it through.
How much do cybersecurity services cost?
Pricing varies by service and scope. We offer flexible packages designed for SME budgets — including fixed monthly pricing for managed security so there are no surprise invoices. Contact us for a no-obligation quote.
Is everything done remotely?
Tanosec operates remote-first, which means we can support clients anywhere in South Africa without the travel overhead that inflates costs at larger firms. Certain services — like on-site network assessments — can be delivered in person for clients in Bloemfontein and the Free State, or by arrangement nationally.
Can I start small and scale up?
Absolutely. Most clients start with a single assessment or consultation, get a clear picture of where they stand, and build from there. There’s no minimum commitment required to get started.
Still have a question? We’re not a call centre. Send us a message and an actual human who knows what they’re talking about will get back to you.
Or run a free Clarity security snapshot right now — no sign-up, no sales call, just answers.