Find the holes before someone else does.
VAPT.COM.AU runs manual, attacker-style penetration tests against your web apps, APIs, cloud and networks, then hands you a report your engineers can actually act on.
One team, every layer of your stack
Every engagement is scoped to your environment and performed by hand. Scanners help us cover ground; they never write the findings.
Web application penetration testing
Authenticated, business-logic-aware testing of your web apps against the OWASP Top 10 and well beyond it.
Learn more >API penetration testing
REST, GraphQL and internal APIs tested for broken auth, object-level access control and data exposure.
Learn more >Mobile app penetration testing
iOS and Android apps reviewed on-device and at the API layer, including storage, transport and platform misuse.
Learn more >Cloud security review
AWS, Azure and Google Cloud configuration reviews: identity, network paths, storage exposure and logging.
Learn more >Network penetration testing
External and internal infrastructure testing, from your perimeter down to lateral movement inside the LAN.
Learn more >Not sure what you need?
Tell us what you're building and what keeps you up at night. We'll suggest a sensible scope, not the biggest one.
Talk to us >A process with no surprises
You'll know what we're testing, when we're testing it, and what we found, in that order. Read the full methodology.
Scope
A short call and questionnaire to agree targets, accounts, timing and rules of engagement. Fixed quote before we start.
Test
Manual testing mapped to OWASP and PTES, with daily check-ins and immediate alerts for anything critical.
Report
Findings rated with CVSS, each with reproduction steps, evidence and a concrete fix. Plus an executive summary in plain English.
Retest
Fix the findings, and we verify the fixes at no extra cost, then issue an updated report and attestation letter.
The report is the product
Every engagement ends with a document built for two audiences: an executive summary your leadership can read in five minutes, and technical findings your engineers can reproduce and fix the same day.
- Severity ratings with CVSS scores and business context
- Evidence and exact reproduction steps for every finding
- An attestation letter for customers and auditors after retest
Testing you can defend to your board, your customers and your auditor
- Manual-first testing. Automated scanners find low-hanging fruit; our testers find the logic flaws, access-control gaps and chained attacks that scanners structurally cannot see.
- Reports written for two audiences. An executive summary your leadership can read in five minutes, and technical findings with exact reproduction steps for your engineers.
- Fixed-price quotes. Scope agreed up front, price agreed up front. No day-rate creep.
- Free retesting. Every engagement includes verification of your fixes and an updated report.
- Australian-based. Your data and our testers stay onshore, and we work in your timezone.
- Standards-aligned. Testing mapped to OWASP (Top 10, ASVS, MASVS), PTES and NIST SP 800-115, suitable for ISO 27001, SOC 2 and PCI DSS evidence.
Plain-English security writing
No fear-mongering, no acronym soup. Just useful answers to the questions we get asked every week.
How much does a penetration test cost in Australia?
Typical price ranges, what drives the cost up or down, and how to compare quotes properly.
Read post >Penetration testing vs vulnerability scanning: what's the difference?
Both find security problems, but they answer different questions. When a scan is enough, and when it isn't.
Read post >What is penetration testing? A plain-English guide
What actually happens during a pentest, what you get at the end, and how to tell a real one from a rebadged scan.
Read post >Ready to get tested?
Tell us about your app or environment and we'll come back with a sensible scope and a fixed quote, usually within two business days.