Penetration Testing Scenarios Development
CIRCAT, funded by the European Union under the Digital Europe Programme, launches its Open Call 1 to support European organisations in strengthening cybersecurity resilience by defining and documenting realistic cyber threats against critical infrastructures.
We will select up to 18 proposals to design advanced penetration testing and customised risk scenarios. These scenarios must address the most pressing cyber threats facing prioritised critical infrastructure verticals: Energy, Health, Public Administration, Digital infrastructure, ICT Service management (B2B), and Financial market infrastructures.
The Penetration Testing Scenarios Development Open Call is part of the wider CIRCAT initiative, leveraging cutting-edge AI-enhanced tools to foster the protection of critical infrastructure sectors. OC1 will fund up to 18 projects with a total available budget of €720,000. It is the first of two open calls and will be followed by a second call later in the project dedicated to executing the defined scenarios through vulnerability and penetration testing.
Key facts
- Funding: Up to €40,000 lump sum per selected proposal
- Co-financing: Minimum 50% of total project costs
- Programme length: 6 months
- Opening date: 8 May 2026 at 10:00 Brussels time
- Deadline: 9 July 2026, 15:00 Brussels time
Who can apply
Proposals can be submitted by National Cybersecurity Authorities, National Coordination Centres, Operators of Essential Services, large industrial installations, governmental entities, and other stakeholders with the capacity to aggregate demand.
Eligible applicants include SMEs, mid-caps, large companies, research centres including universities, and public bodies that are registered in, and controlled by, an entity or person established in a Member State of the European Union or the European Economic Area.
What can be funded
Selected beneficiaries must develop testing scenarios for Networks, Applications, Virtualisation, Cloud, Industrial Control Systems (ICS), and IoT within CIRCAT prioritised verticals.
- Vulnerability Testing Support: developing and documenting realistic penetration testing scenarios
- Threat & Risk Assessment Support: conducting customised risk scenario analyses
Support Programme
The support programme provides expert guidance to help selected third-party projects design and document realistic penetration testing scenarios for critical infrastructures. The programme lasts up to 6 months and is divided into three stages.
Individual Mentoring Plan
Duration: Up to 1 month
Participants define a structured work plan tailored to the project, including final budget, KPIs, deliverables, and any ethics assessment requirements.
Funding tranche: Up to 10% of the grant amount
Scenario Definition
Duration: Up to 3 months
Mentors assist participants in identifying relevant threat vectors and detailing the technical steps, tools, and methodologies required to replicate these threats safely in a controlled environment.
Funding tranche: Up to 57.5% of the grant amount
Scenario Integration and Validation
Duration: Up to 2 months
Mentors and participants validate the scenarios to ensure they reflect emerging attack patterns and exploit techniques, and produce a comprehensive set of test plans and guidelines.
Funding tranche: Up to 32.5% of the grant amount
Info Days
Join our online InfoDays to learn more about the Open Call scope, the 6-month Support Programme, and the application process. Participants will have the opportunity to ask questions live.
- 1st InfoDay webinar: to be announced soon
- 2nd InfoDay webinar: to be announced soon
Ready to apply?
Submit your proposal before 9 July 2026, 15:00 Brussels time. Proposals must be submitted in English through the online form. Applications may be modified after submission only until the deadline.
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Industrial, Technology and Research Competence Centre. Neither the European Union nor the granting authority can be held responsible for them. The project is supported by the European Cybersecurity Competence Centre (ECCC) and its members.