
Penetration Testing —
Real-World Attacks, With Accountability After.

Evidence-backed findings with proof-of-vulnerability for every issue. Prioritised by your business impact, not just CVSS scores. Certified testers, OWASP and WASC methodology, and a zero-cost retest within 45 days to verify fixes. We scope it, manage it, and stay accountable until your gaps are closed.

Web + Infra: External, internal, cloud, API testing
ISO + E8: Reports aligned to compliance frameworks
45 days: Zero-cost retest included
Penetration Testing
Sound Familiar?

You Got a Pentest Report.
Nothing Was Fixed.

Most penetration testing engagements produce a report. Fewer produce verified remediation. Here's what goes wrong, and how we do it differently.

Your compliance framework requires pentesting, but you don't know who to trust

ISO 27001, Essential Eight, SOC 2, and enterprise vendor questionnaires all ask about penetration testing. Finding testers who understand your context, not just your IP range, is harder than it looks.

You got a pentest report and nothing was fixed

A list of CVEs without context is useless. If findings aren't prioritised by business impact and tracked to verified closure, the exercise was compliance theatre, not real assurance.

You don't know what was actually tested or how thorough it was

"Web application test" can mean anything from a 2-hour automated scan to a week of manual testing. Without a scoping document and evidence-backed findings, you can't defend the test to auditors or customers.

Your dev team treats the report as someone else's problem

Technical findings need to land with the right people in a form they can act on. A raw technical report without an executive summary and prioritised remediation guidance doesn't drive change.

What We Test

Six Test Types.
Scoped to Your Environment.

We cover external and internal infrastructure, web applications, APIs, cloud configuration, and human vulnerability, scoped and sequenced for your environment, not a generic package.

Web Application

External Web App Testing

OWASP methodology. Tests public-facing web applications for injection, authentication flaws, broken access controls, and business logic vulnerabilities. The most common pentest scope for Australian SMBs.

Infrastructure

External Infrastructure Testing

Tests externally exposed network infrastructure, services, and systems for vulnerabilities, misconfigurations, and exploitable weaknesses, including open ports, unpatched services, and weak TLS.

Internal Network

Internal Network Testing

Tests internal network paths, lateral movement vectors, and privilege escalation, simulating an insider threat or compromised credential scenario. Validates network segmentation and access controls.

Cloud

Cloud Configuration Review

AWS, Azure, GCP. Tests IAM policies, exposed storage buckets, security group misconfigurations, and cloud-specific vulnerabilities. Essential for organisations running workloads in public cloud.

API

API Security Testing

Tests REST and GraphQL APIs for authentication bypass, IDOR, injection, rate limiting failures, and sensitive data exposure. Increasingly critical as SaaS products expose APIs to customers and partners.

Social Engineering

Phishing Simulation

Controlled phishing simulations to test human vulnerability and security awareness program effectiveness. Identifies which teams and roles are most susceptible — and where training investment is needed.

How We Deliver

Scope, Test, Report, Retest.
We Own the Outcome.

External infrastructure and web application testing using OWASP and WASC methodology. Scoped to your environment and aligned with ISO 27001, Essential Eight and SOC 2. Flexible testing windows, including after-hours or weekends, minimise operational impact.

Why Logic Weave

Enterprise-grade expertise with a tailored approach. Globally certified (OSCP, CEH, CREST, CCSK, ISO 27001 LA, CISM, CRISC). Security-vetted personnel. Delivered for Neuro+, Profile Financial, Accurateli, Isuzu Australia, Kyocera, Airwallex, NSW Education and others.

How We Compare

Logic Weave Pentesting vs Commodity Scan-and-Report

Many pentesting providers run automated scanners, wrap the output in a branded PDF, and call it a penetration test. Here's how a manual-first, accountability-driven engagement differs from a commodity approach.

Manual-First vs Automated Scanning

Commodity providers rely heavily on tools like Nessus or Burp Suite in automated mode. Logic Weave uses automated tools for discovery but validates every finding through manual exploitation. Business logic flaws, chained vulnerabilities, and access control issues only surface through manual testing.

Zero-Cost Retest Included

Most providers charge extra for retesting — or don't offer it at all. Logic Weave includes a zero-cost retest within 45 days for all critical and high findings. We verify that fixes are properly implemented before signing off, because a finding that's "acknowledged" but not fixed is still a vulnerability.

Business Impact, Not Just CVSS

Commodity reports sort by CVSS score — a metric that doesn't account for your business context. Logic Weave rates findings by actual business impact and ease of exploit, so your dev team knows what to fix first and why it matters to the organisation, not just to a scanner.

Certification-Aligned Reports

Reports are structured for ISO 27001, Essential Eight, and SOC 2 compliance — with an executive summary for board and auditor consumption, not just raw technical output. When an auditor asks "show me your pentest report," ours answers their questions without translation.

Accountability After Delivery

Commodity providers deliver a PDF and disappear. Logic Weave owns the gap list and stays accountable until vulnerabilities are verified closed. We track remediation, debrief with your IT and security teams, and verify fixes before the engagement formally closes.

Globally Certified Testers

All testers hold OSCP, CEH, CREST, or CCSK certifications. Security-vetted personnel with professional indemnity and public liability insurance. We've delivered for Neuro+, Isuzu Australia, Kyocera, Airwallex, NSW Education, and others across Australia.

Common Questions

Penetration Testing — Frequently Asked Questions

How long does a penetration test take?
Most web application tests take 3–5 business days. External infrastructure for a typical SMB takes 3–7 days. We give you a firm timeline and deliverable date before any work starts.
What methodology do you use?
OWASP for web apps and APIs; PTES and OSSTMM for infrastructure. All testers are certified (OSCP, CEH, CREST) and testing is manual-first. Reports include an executive summary, technical findings, and prioritised remediation roadmap.
Is the retest really free?
Yes. Zero-cost retest within 45 days for all critical and high findings. We verify that fixes are properly implemented before signing off; the retest is included in the engagement cost, with no hidden charges.
Will testing disrupt our production environment?
We design the engagement to minimise operational impact. Production systems can be tested off-hours; critical systems can use staging environments. We carry professional indemnity and public liability insurance.
What's the difference between a pentest and a vulnerability scan?
A vulnerability scan runs automated tools to identify known weaknesses — it's a surface-level check. A penetration test goes further: certified testers manually attempt to exploit vulnerabilities, chain findings, and test business logic. Scans find what's known; pentests find what's exploitable.
Do you test APIs and cloud infrastructure?
Yes. We test REST and GraphQL APIs for authentication bypass, IDOR, injection, and sensitive data exposure. Cloud configuration reviews cover AWS, Azure, and GCP — including IAM policies, exposed storage, and security group misconfigurations.
How do pentest reports help with ISO 27001 or Essential Eight compliance?
Our reports are structured to satisfy the evidence requirements of ISO 27001 (Annex A control testing), Essential Eight (maturity assessment input), and SOC 2 (trust service criteria). The executive summary is written for auditors and board members, not just technical teams.
What happens after the retest?
After verifying remediation of critical and high findings, we issue a retest report confirming closure. This becomes part of your compliance evidence pack. If new findings emerge during retest, we document them and discuss next steps — no additional charges for the retest itself.

Ready for pentesting
that closes gaps?

Book a free 30-minute call. No pitch — we'll understand your environment and tell you honestly what a scoped engagement looks like.


No obligation · Melbourne-based · Nationwide