Penetration Testing

Find it before the attackers do - CREST-certified engagements that deliver actionable findings, not compliance checkboxes.

Every finding verified. Every fix retested.

Vectra has been a CREST-certified Australian penetration testing provider since 2001. Our consultants hold OSCP, CEH, eCPPT, CRTP, CRTE, IRAP and PCI-QSA credentials and run engagements that combine commercial tools, open-source tradecraft and custom instrumentation tailored to your environment - not a template report regenerated for every client. Every finding is hand-verified by a senior tester, ranked by business impact, and handed over with concrete remediation guidance and a retest to prove the fix landed.

Active since: 2001
Certified testers: CREST
Customer base: ASX 100/200 · Federal, State & Local Government · Defence
Standards covered: PCI · SOX · HIPAA · GLBA

What makes a Vectra pen test different.

The same named team stays with you from kick-off through delivery. Engagements are shaped to your risk profile, not our template library.

Efficient

A single portal handles scope, scheduling, live engagement status, findings, evidence and retests. Your team stops chasing PDFs by email and starts acting on verified findings in minutes instead of days.

Qualified

Every consultant on the bench holds at least two of OSCP, CEH, eCPPT, CRTP, CRTE, IRAP or PCI-QSA - and a signed CREST methodology undertaking. No graduate-on-the-bench pricing, no bait-and-switch staffing.

Proactive

Continuous-mode programs schedule rolling tests against your change pipeline and highlight emerging weaknesses before the next compliance window - not a once-a-year surprise audit.

Valued

Engagements are shaped to your actual risk profile and compliance obligations. Retests, remediation guidance, executive debriefs and developer pairing are included - not priced as add-ons.

Our CREST-aligned six-step methodology.

Every engagement follows the same six-step CREST-aligned methodology. You get visibility into every phase and an audit trail of every action taken by the test team.

  1. Scope & kick-off

     Named engineer scopes the engagement, agrees rules of engagement, confirms escalation contacts and locks the test window.

  2. Reconnaissance

     Passive and active discovery maps the attack surface the way an adversary would - not the way your asset register describes it.

  3. Threat modelling

     We prioritise what actually matters to your business - threat trees and abuse cases documented in the scope pack before exploitation starts.

  4. Exploitation

     Manual verification of every issue with full chain-of-evidence capture. Proof-of-exploit for every High-and-above severity finding.

  5. Post-exploitation

     Pivot, persist, exfiltrate - we test the blast radius, not just the initial foothold. Detection opportunities captured for your SOC team.

  6. Reporting & retest

     Executive narrative, technical walkthrough, remediation guidance, developer debrief, and retest session - all bundled into one engagement.

Scope the engagement to your stack.

Every Vectra engagement is scoped around your environment. Mix and match focus areas - most customers bundle two or three together under a single statement of work.

Network penetration testing

External and internal network assessments covering the perimeter, segmentation boundaries, remote access, VPN concentrators, wireless and physical network layers.

  • External, internal and wireless scopes
  • Firewall and segmentation rule validation
  • Active Directory privilege-escalation chains
  • Lateral movement and post-exploitation paths

Application penetration testing

Deep-dive testing of web, SPA, API and thick-client applications against the OWASP Top 10 and ASVS, including business-logic and authorisation abuse.

  • OWASP Top 10, ASVS Level 2 coverage
  • Authenticated and unauthenticated testing
  • REST, GraphQL and gRPC API assessment
  • SAST / DAST correlation where source is available

Infrastructure penetration testing

Servers, storage, virtualisation, container platforms, Active Directory and cloud posture assessed as one connected estate - because attackers don't respect your team boundaries.

  • AWS, Azure and GCP cloud posture reviews
  • Kubernetes and container runtime assessment
  • Active Directory tiering and Kerberoast chains
  • Backup, DR and recovery path validation

Mobile application testing

iOS and Android apps assessed against OWASP MASVS with static binary analysis, runtime instrumentation and API backplane testing.

  • OWASP MASVS and MSTG alignment
  • Binary reverse-engineering and anti-tamper review
  • Runtime hooking with Frida / Objection
  • Backend API assessment as a bundled scope

Everything bundled into the engagement.

No tiered upsells, no "platinum" package. What you see is what you get - one contract, one team, one number to call.

Red-team escalation

Any engagement can be uplifted to a stealth red-team scope covering social engineering, physical and cloud objectives.

Dev-team pairing

Findings can be delivered through a paired developer briefing so the fix lands with context, not just a ticket.

Retest included

Every finding of High severity and above includes a retest window at no extra cost - fix is verified, not assumed.

Regulator-ready reporting

Report structure is accepted by APRA, IRAP assessors and PCI QSAs - we've written more than any other AU provider.

Executive debrief

Separate narrative report for the exec team that translates findings into business, legal and reputational terms.

Australian-only delivery

All testing delivered from our Adelaide and Sydney offices by Australian citizens with appropriate clearances for your domain.

One portal for every engagement.

Every engagement runs through a unified portal. Scope and schedule engagements, consume findings and measure the program across years of history - without a single PDF attachment hitting your inbox.

Single source of insight

All current and historic findings in one dashboard, queryable by asset, tester, severity and framework. No more stitching together PDFs from prior years to prove a regression.

Self-service scheduling

Book engagements directly against your asset inventory. Scope, window, objectives and escalation contacts captured once and re-used each cycle.

Live engagement updates

Real-time status during the test, findings published the moment they're validated, and a full audit trail of every action taken by the test team.

Compliance-ready evidence

Evidence packages pre-mapped to PCI DSS, ISO 27001, APRA CPS 234, SOCI Act, Essential 8 and IRAP so the auditor sign-off happens first time.

Actionable remediation

Every finding ships with reproduction steps, affected assets, developer-ready remediation and a suggested code-level fix where applicable.

Program-level insight

Trend dashboards across engagements, assets and teams so you can see where the program is genuinely improving - and where it's regressing.

What you walk away with.

Measurable, reportable, auditable - every outcome tracks to a control in your compliance framework.

  • Every finding reproducible, with exact steps, affected assets and screen captures of the exploit chain

  • Prioritised remediation roadmap aligned to PCI DSS, Essential 8, ISO 27001 and APRA CPS 234 obligations

  • Retest engagements included in scope so fixed findings are verified, not assumed

  • Executive-level narrative report suitable for board risk committee and regulator submission

  • Dashboard-driven trend analysis across engagements, assets and teams

Credentials our pen testers hold.

OSCP · CEH · eCPPT · CRTP · CRTE · ITIL · IRAP · PCI-QSA · CREST

Pen testing, answered.

Can't find the answer here? The team responds to scoping queries within one business day - usually faster.

Are your testers actually CREST certified?

Yes. Vectra is an accredited CREST Penetration Testing Provider. Every engagement is led by a CREST-registered Practitioner or Senior Consultant and every consultant on the bench holds at least two of OSCP, CEH, eCPPT, CRTP, CRTE, IRAP or PCI-QSA.

Do you use scanners or actual people?

Scanners find what's easy. People find what matters. Nessus / Burp / OWASP ZAP output feeds our triage step, but every High-severity issue is hand-exploited to confirm impact - no scanner dumps in our reports, ever.

Can you support PCI DSS requirement 11.3 / 11.4?

Yes. Vectra became Australia's first certified QSA company in 2006 and has been running PCI-aligned penetration tests ever since. Our reports are written to satisfy 11.3.1, 11.3.2 and 11.4 segmentation testing requirements in a single engagement.

How long does a typical engagement take?

Most scoped engagements run 5-15 business days of test time, plus a three-day reporting window. Emergency / breach-driven scopes can start in 48 hours. Continuous program engagements run on a rolling monthly cadence.

Do you test our production or a staging environment?

Both, depending on scope. Production testing is controlled with throttled request rates, pre-approved destructive-action restrictions and a live bridge to your team. Staging environments are tested on the assumption that their configuration is bit-identical to production, which we verify ahead of time.

What happens after the engagement finishes?

You get a findings debrief, the full written report, a developer-facing walkthrough, a retest window for every High-and-above finding and a 90-day access window into the findings portal for remediation tracking.

Can you run the same engagement annually?

Absolutely - and we encourage it. Year-on-year trend analysis is where program improvement becomes visible. Recurring engagement pricing is discounted against the baseline scope.

Security, engineered around you.

Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.