Penetration Testing

A vulnerability scan tells you what is exposed. A penetration test tells you what can actually be exploited, how far an attacker can get, and what the damage looks like.

Testing scope

1. Web and mobile application testing. Testing against the OWASP Testing Guide. Covers authentication, authorisation, input validation, session management, API security, and business logic flaws. Conducted as authenticated and unauthenticated testing across all relevant user roles.
2. Network penetration testing. Internal and external network testing. Identifies exploitable vulnerabilities in network infrastructure, firewalls, routing configurations, and exposed services.
3. Cloud configuration review. Assessment of AWS, Azure, or GCP environments against security best practice. Identifies misconfigurations, over-permissive IAM policies, and exposed storage or compute resources.

What you receive

1. Penetration test report including executive summary, methodology, findings with CVSS risk ratings, evidence, and prioritised remediation recommendations.
2. Remediation validation. Re-test of critical and high findings after remediation. Scoped and priced separately.

Timeline

2 to 4 weeks from scope confirmation to report delivery.

How often does penetration test need to be completed?

Annual penetration testing is required under ISO 27001, Essential Eight Maturity Level 3, PCI DSS, and SOC 2.

If you are meeting an annual testing requirement, contact us at least four weeks before your testing window to allow time for scoping.

Pricing

Contact us with your application or network scope and we will respond with a fixed-price proposal within one business day,