Cyber security · Penetration testing · Melbourne

Specialised penetration testing for the web apps, APIs and surfaces your business actually relies on.
Growing businesses often need proof—not assumptions—that customer data, payments and admin tools can withstand real attack paths. I deliver scoped penetration testing for web applications, APIs and common cloud misconfigurations, with written findings ranked by risk and practical remediation guidance for your developers.
Scoped engagements · Written rules of engagement · Findings ranked by severity with remediation notes
Testing is always authorised, in scope, and aligned to your risk—whether you are preparing for a launch, satisfying a partner questionnaire, or hardening systems I have already built for you. I focus on exploitable issues and clear next steps, not fear-mongering slide decks.
WHAT I TEST
- Web applications and customer-facing portals (auth, sessions, access control, input handling)
- REST and GraphQL APIs—including mobile app backends and webhook endpoints
- Admin panels, Retool apps and internal tools exposed beyond the office VPN
- Common cloud and hosting misconfigurations on stacks I know (Firebase, Vercel, WordPress, typical LAMP/Node setups)
- Integration points: Stripe, forms, CRM syncs and automation webhooks
HOW A TEST RUNS
- Scoping call: assets in scope, environments, credentials, blackout windows and success criteria.
- Rules of engagement: written authorisation, contact paths, and what is off-limits (e.g. production denial-of-service).
- Testing: manual and tooling-assisted assessment against OWASP-aligned checks relevant to your stack.
- Report: executive summary, ranked findings, evidence, and remediation guidance your developers can act on.
- Optional retest: verify critical fixes after you ship patches.
WHAT YOU RECEIVE
- Findings ranked by severity (critical → informational) with reproducible steps
- Plain-language impact for owners and technical detail for developers
- Remediation suggestions tied to your stack—not generic boilerplate
- Optional call to walk through the report and prioritise fixes
- Melbourne-based · AEST-friendly
- Reply within one business day
- Fixed-price options where scope allows
- You own the data, code and systems
FAQ
- How much does penetration testing cost for a Melbourne small business?
  Price depends on scope—number of apps, APIs, environments and whether retesting is included. After a short scoping call I provide a fixed quote with deliverables and timeline. Small single-app tests are priced differently than multi-surface programmes.
- Will testing take down our production site?
  Rules of engagement define safe boundaries. Many tests run against staging mirrors; when production is in scope we avoid destructive techniques and agree maintenance windows for anything higher risk.
- Do you test Firebase, Stripe and Next.js stacks?
  Yes—these are common in my build work. I understand typical misconfigurations (Firestore rules, exposed keys, webhook validation, session handling) as well as generic web application risks.
- Can you test systems you did not build?
  Yes, with written authorisation from the system owner. Testing systems I have built can be faster because I already know the architecture—but independent tests are still valuable.
- What is not included?
  Ongoing SOC monitoring, compliance certification as the only outcome, and testing without clear scope or sign-off. I can recommend specialists for programme-level security governance if you need that layer.
Get a clear picture of your attack surface
Brief your URLs or apps, environments (staging vs production), and why you need the test—launch, partner request, or peace of mind.
- We agree scope and rules of engagement in writing before any testing.
- You receive ranked findings with evidence and practical fix guidance.
- Optional retest after your team ships patches on critical items.