Legal Framework for Public Sector Cybersecurity

The cybersecurity obligations of public institutions in Türkiye are governed by multiple legislative frameworks. Presidential Circular No. 2019/12 defines minimum security standards for public IT systems; the Information Technologies and Communication Authority (BTK) and the National Cyber Incident Response Centre (USOM) conduct regular audits.

Public institutions with critical infrastructure status — those operating in the energy, transportation, water, healthcare, and finance sectors — are subject to additional obligations and must be prepared for Cybersecurity Board inspections. Regular penetration testing has now become a legal requirement for these institutions.

USOM Notification

When vulnerabilities are identified, public institutions are obliged to notify USOM. TUGAY reports are prepared in a format that can be used directly in these notification processes.

Public Infrastructure Test Scope

TUGAY provides penetration testing services to public institutions using specialized methodologies and confidentiality protocols. The test scope is customized according to the institution's criticality level and regulatory requirements:

  • Institutional websites and e-government integrations
  • Central databases and identity management systems
  • Inter-agency network connections and VPN infrastructure
  • SCADA and industrial control systems
  • Email infrastructure and communication systems security
  • Personnel awareness tests (phishing simulations)

Security Maturity Assessment

  1. Regulatory Mapping: All cybersecurity regulations applicable to the institution are identified; gaps are prioritized.
  2. Infrastructure Discovery: All digital assets of the institution are mapped; unknown or unmanaged system components are identified.
  3. Technical Penetration Testing: The appropriate approach (white, grey, or black box) is selected; realistic attack scenarios are applied.
  4. Personnel Testing: The security awareness of personnel is measured through social engineering and phishing simulations.
  5. Reporting and Compliance Support: All outputs are presented in a format compatible with BTK and USOM reporting requirements.

Reporting and Audit Readiness

Comprehensive reporting services are provided to support the accountability of public institutions to the Court of Accounts, USOM, and sector-specific audit bodies.

  • Separate report sections for senior management and technical teams
  • USOM-compliant vulnerability notification format
  • Institutional risk score and comparative sector analysis
  • Semi-annual periodic testing programme option

Startup Program

Secure your product before it hits the market.

Security isn't just for large enterprises. Every startup needs a solid foundation from day one. Let us find the vulnerabilities before attackers do. For free.

Application is free. No commitment required.

Assessment scope

  • Initial security assessment by an expert
  • Critical vulnerability and weakness identification
  • Prioritized findings summary report
  • GDPR preliminary compliance assessment
  • Expert feedback within 48 hours

Completely free & non-binding