IC Inline Code

Service · Offensive security

Penetration Testing

Manual penetration testing delivered by a certified offensive security practitioner. No automated scan dressed up as a pen test, no graduate teams, no findings that would not survive a real adversary. Reports written to be read, fixes designed to be implemented.

Position

A practitioner-led test, not a templated one.

The penetration testing market in Australia is bifurcated. The lower tier sells lightly-customised vulnerability scans rebranded as pen tests. The upper tier sells expensive engagements where the senior name on the proposal is not the person doing the work.

This practice operates in neither category. Each engagement is delivered hands-on by a senior offensive practitioner with experience in financial services, government, and regulated mid-cap environments. The person who scopes the test is the person who runs the test and writes the report. That is the entire pitch.

What we test

Six engagement types, scoped per project.

Web application

Authenticated and unauthenticated testing of web applications and customer portals against OWASP Top 10 and beyond. Business-logic flaws, broken access control, injection, authentication and session weaknesses, IDORs.

API and integration

REST, GraphQL, and webhook surfaces. Authentication and authorisation flaws, mass assignment, rate limiting, schema introspection, server-side request forgery in cloud-hosted APIs.

Cloud configuration review

AWS, Azure, and Google Cloud posture review. Identity and privilege misconfiguration, exposed storage, network segmentation gaps, misconfigured logging, secrets exposure. Mapped against CIS Benchmarks.

External network and perimeter

External attack surface enumeration and exploitation. Edge service exposure, VPN and remote access weakness, supply-chain ingress points. Realistic threat-actor pathways from the public internet.

Internal and assumed-breach

Lateral movement and privilege escalation from a foothold. Active Directory and Entra ID configuration weaknesses, EDR evasion, data exfiltration paths. The view of an attacker who is already inside.

Red team engagement

Goal-based adversary simulation. Defined objective (data exfiltration, ransomware simulation, executive impersonation), defined rules of engagement, end-to-end testing of detection, response, and recovery.

Methodology

How an engagement runs.

The methodology is the same across engagement types — what changes is the scope and the rules of engagement.

01

Scoping and rules of engagement

Targets, methods, time windows, escalation contacts, and out-of-scope assets are agreed in writing before any testing begins. A statement of work and a separate authorisation letter are both signed.

02

Reconnaissance and threat modelling

Passive and active reconnaissance against the in-scope assets. We model the realistic adversary for your sector — opportunistic, targeted, or insider — and test accordingly.

03

Exploitation and post-exploitation

Identified vulnerabilities are exploited to demonstrate impact. Post-exploitation explores how a real attacker would extend access, escalate privilege, and reach data of consequence.

04

Continuous reporting

Critical and high-severity findings are reported within twenty-four hours of discovery, before the engagement ends, so urgent issues can be remediated immediately. No surprises in the final report.

05

Final report and debrief

Written report with executive summary, technical findings, severity ratings (CVSS v3.1), evidence, and prioritised remediation guidance. Debrief session with the technical and risk teams.

06

Retest

Free retest of all findings within 60 days of report delivery. We confirm fixes worked, document residual issues, and update the report with verification evidence.

Deliverables

What you take away.

  • Written report with executive summary and technical findings
  • CVSS v3.1 severity ratings with environmental scoring
  • Reproduction steps and evidence for every finding
  • Prioritised remediation guidance with effort estimates
  • One-hour technical debrief with the engineering team
  • Free retest of all findings within 60 days
  • Optional executive or board briefing on request

Engagement parameters

Investment by engagement type.

Web app / API / cloud
AUD 12,000 to 30,000
5 to 15 business days. Final fee scoped to size of attack surface.

Internal / assumed-breach
AUD 18,000 to 40,000
10 to 20 business days. Includes Active Directory and identity testing.

Red team engagement
AUD 35,000 to 90,000
3 to 8 weeks. Goal-based, multi-phase. Tests detection and response.

Standards and methodology

What we test against.

Engagements are designed against published standards so the deliverable is auditable and the methodology is defensible. Reports are written so a regulator, an auditor, or a developer can act on them.

  • OWASP Top 10
  • OWASP ASVS
  • OWASP API Security Top 10
  • PTES (Penetration Testing Execution Standard)
  • NIST SP 800-115
  • MITRE ATT&CK
  • CIS Benchmarks
  • ASD ISM (Information Security Manual)

Practical notes

A few things worth knowing.

Insurance and authorisation

Each engagement is covered under Australian-issued professional indemnity. A signed authorisation letter ("rules of engagement") is mandatory before any testing begins.

Compatible with regulator expectations

Engagements are structured to satisfy APRA CPS 234 paragraph 27 (regular vulnerability assessment), CPS 230 scenario testing, and the typical SOC 2 / ISO 27001 audit evidence expectation.

Fits alongside your existing controls

If you already have a SOC, EDR, and SIEM, we'll coordinate with your defenders. Red team engagements specifically can be run with or without prior notification — your call, documented in the rules of engagement.

No reseller arrangements

We don't take commissions on tools we recommend in the report. Remediation guidance is tied to control objectives, not to vendor relationships.

Get started

An adversary-grade test, delivered by a senior practitioner.

Discovery call to confirm scope and timing, fixed-fee SOW within two business days, signed rules of engagement, then we test.