How we test
No black box around the black-box testing. This is the process every VAPT.COM.AU engagement follows, from first call to final attestation letter.
Scoping and rules of engagement
A short call and questionnaire establish targets, test accounts, environments, timing windows, emergency contacts and exclusions. You receive a fixed quote and a written authorisation form. Nothing is tested until both are signed off.
Reconnaissance and mapping
We enumerate the attack surface: endpoints, parameters, roles, technologies, exposed services and anything the internet already knows about you. Automated tooling gives breadth here; the output becomes our testing checklist, not our findings list.
Manual testing and exploitation
Testers work through the surface systematically, guided by OWASP (Top 10, ASVS, MASVS, API Top 10), PTES and NIST SP 800-115. Suspected issues are exploited far enough to prove impact, and chained where a combination is worse than its parts. Critical findings are reported to you the same day.
Severity rating
Every finding gets a CVSS 3.1 score plus a contextual rating that accounts for your environment, because a "medium" that exposes customer data in your context may deserve to be top of the list. We say so explicitly when the two differ.
Reporting and debrief
The report contains an executive summary in plain English, a findings table, and per-finding detail: description, evidence, reproduction steps, affected assets and a concrete fix. We walk your team through it on a debrief call and stay available while you remediate.
Retest and attestation
When you've remediated, we verify every fix at no extra cost and reissue the report with updated statuses, plus an attestation letter suitable for customers, auditors and due-diligence requests.
Written to be acted on
Findings are grouped by severity, tied to the assets they affect, and paired with a concrete fix. The executive summary stands alone, so the people approving the remediation budget never need to read a payload.
Standards we map to
- OWASP Top 10, ASVS, MASVS and the API Security Top 10 for application and mobile testing
- PTES (Penetration Testing Execution Standard) for engagement structure
- NIST SP 800-115 for technical assessment practices
- CIS Benchmarks and vendor best practice for cloud configuration reviews
- CVSS 3.1 for severity scoring
What we don't do
- No unverified scanner output in reports. Every finding is manually confirmed.
- No denial-of-service testing unless you explicitly request and schedule it.
- No social engineering or phishing unless it's an agreed part of scope.
- No surprises: rules of engagement are written down and followed.
See it applied to your stack
The methodology flexes to fit web apps, APIs, mobile, cloud and networks. Pick a service to see the specifics, or get straight to a quote.