Security testing without the theatre
VAPT.COM.AU exists because too many "penetration tests" are a scanner run, a logo swap and an invoice. We think testing should be done by hand, explained in plain English, and priced before it starts.
Who we are
We're an Australian team of offensive security specialists who have spent our careers breaking into applications, networks and cloud environments with permission. We test for startups shipping their first enterprise deal, for established businesses facing ISO 27001 or SOC 2 audits, and for anyone whose customers have started asking hard questions about security.
We stay deliberately small. Every engagement is run by a senior tester, not sold by a senior and delivered by whoever was free that week.
What we believe
- A finding you can't reproduce is a rumour. Every issue we report comes with exact steps and evidence.
- The report is the product. If your engineers can't act on it and your leadership can't understand it, the test was wasted.
- Scope should fit the question you're trying to answer, not the largest number we could quote.
- Retesting is part of the job. Finding problems and then charging extra to confirm you fixed them is a racket.
How we work
Our testing is mapped to recognised standards: OWASP Top 10, ASVS and MASVS, the OWASP API Security Top 10, PTES and NIST SP 800-115. Reports are structured so they slot straight into ISO 27001, SOC 2 and PCI DSS evidence requests. The full process is documented on our methodology page.
Data handling is boring by design: findings and evidence are stored encrypted, shared only with named contacts, and deleted on an agreed schedule after the engagement closes.
Work with us
Tell us what you're building and what you need to prove, to a customer, an auditor or yourself. We'll suggest the smallest engagement that gets you there.