Penetration Testing

A vulnerability scan tells you what is exposed. A penetration test tells you what can actually be exploited, how far an attacker can get, and what the damage looks like.

Testing scope

1. Web/Mobile Application testing: Testing of web or mobile applications against the OWASP Testing Guide. Covers authentication, authorisation, input validation, session management, API security, and business logic flaws. Conducted as authenticated and unauthenticated testing across all relevant user roles.
2. Network penetration testing: Internal and external network testing. Identifies exploitable vulnerabilities in network infrastructure, firewalls, routing configurations, and exposed services.
3. Cloud configuration review: Assessment of AWS, Azure, or GCP environment configurations against security best practice. Identifies misconfigurations, over-permissive IAM policies, and exposed storage or compute resources.

Deliverables

1. Penetration Test Report: executive summary, methodology, findings with CVSS risk ratings, evidence, and prioritised remediation recommendations.
2. Remediation validation: re-test of critical and high findings after you have remediated them (scoped and priced separately).

Timeline

2 to 4 weeks from scope confirmation to report delivery.

Annual penetration testing is required under ISO 27001, Essential Eight ML3, PCI DSS, and SOC 2. If you are currently meeting an annual testing requirement, contact us at least four weeks before your testing window to allow time for scoping.