Contact Us

Address: Surry Hills, Sydney NSW 2010

Hours: 9:00 - 17:30, Mon - Fri

Phone: 0409 771 748

Our Security Engagement Process

01

Initial Scoping

The foundation of every successful security engagement begins with thorough scoping and understanding your unique requirements.

What Happens During Initial Scoping

Our initial scoping phase is designed to ensure we understand your environment, objectives, and constraints before any testing begins. This collaborative process helps us tailor our approach to deliver maximum value while minimising business disruption.

Discovery Call

  • Review your technology stack
  • Understand business objectives
  • Identify critical assets
  • Discuss compliance requirements

Scope Definition

  • Define target systems and applications
  • Establish testing boundaries
  • Identify out-of-scope systems
  • Set engagement rules

Key Deliverables

Scoping Document

Detailed outline of targets, methodology, and testing approach

Project Timeline

Clear schedule with milestones and expected deliverables

Cost Estimate

Transparent pricing based on scope and complexity

Timeline

Typical Duration: 1-3 business days

The scoping phase typically takes 1-3 business days, depending on the complexity of your environment. This includes initial calls, questionnaire review, and preparation of the scoping document. For large enterprise engagements, this phase may extend to ensure comprehensive coverage.

What We Need From You

  • Technical Overview: High-level architecture diagrams or system inventory
  • Business Context: Understanding of critical business processes and data
  • Previous Assessments: Results from prior security tests (if available)
  • Compliance Requirements: Any regulatory or framework requirements (PCI-DSS, ISO 27001, etc.)
  • Key Contacts: Technical and business stakeholders for the engagement

Ready to Start?

Once scoping is complete and approved, we move to the Planning & Access phase to prepare for testing.

02

Planning & Access

Proper planning and secure access setup ensure smooth testing execution while maintaining the security of your environment.

Preparing for Success

The Planning & Access phase establishes the foundation for safe and effective security testing. We work closely with your team to ensure all necessary preparations are in place, minimising risks and maximising testing efficiency.

Rules of Engagement

We establish clear testing boundaries and rules to ensure safety:

  • Approved testing hours and maintenance windows
  • Emergency contact procedures and escalation paths
  • Data handling and confidentiality agreements
  • Acceptable testing techniques and off-limits actions

Access Configuration

Setting up secure access paths for our testing team:

  • VPN access or jump box configuration
  • Test account creation with appropriate permissions
  • IP whitelisting and firewall rule adjustments
  • API keys and authentication tokens (as needed)

Testing Environment

Ensuring the testing environment is ready:

  • System backups and recovery procedures verified
  • Monitoring and alerting configurations reviewed
  • Test data preparation (non-production where possible)
  • Communication channels established with IT teams

Documentation & Approvals

Legal Documentation

  • Signed authorisation letter
  • Non-disclosure agreements
  • Liability waivers
  • Data protection agreements

Technical Approvals

  • Change advisory board approval
  • Security team sign-off
  • Business owner consent
  • Third-party notifications

Timeline & Milestones

Day 1-2
Documentation & Legal

Complete all required agreements and authorisations

Day 2-3
Access Setup

Configure VPN, accounts, and necessary permissions

Day 3-4
Validation & Testing

Verify access and conduct pre-engagement checks

Important: Testing cannot begin until all access is properly configured and documented approvals are in place. This protects both parties and ensures legal compliance.

Communication Protocol

Daily Updates

Brief status reports during active testing

Critical Findings

Immediate notification of high-risk vulnerabilities

24/7 Hotline

Emergency contact for any testing issues

Access Configured?

With planning complete and access established, we begin the execution phase of testing.

03

Execution

Where theory meets practice - our expert team conducts comprehensive testing using industry-leading methodologies and tools.

Testing in Action

The execution phase is where our security experts actively test your systems, applications, and infrastructure. We employ a combination of automated scanning, manual testing, and creative exploitation techniques to uncover vulnerabilities that others might miss.

Our Testing Methodology

Reconnaissance

Information gathering and attack surface mapping

Scanning

Automated and manual vulnerability identification

Exploitation

Controlled exploitation to demonstrate impact

Post-Exploitation

Lateral movement and privilege escalation

Testing Approaches

Automated Testing

We leverage industry-leading tools for comprehensive coverage:

  • Vulnerability scanners (Nessus, Qualys, OpenVAS)
  • Web application scanners (Burp Suite, OWASP ZAP)
  • Network mapping and enumeration tools
  • Cloud security posture scanners
  • Dependency and composition analysis

Manual Testing

Expert-driven testing that goes beyond automation:

  • Business logic vulnerability testing
  • Authentication and authorisation bypass
  • Complex injection attacks and chaining
  • Custom exploit development
  • Social engineering (when in scope)

Real-Time Monitoring

Continuous Communication

Throughout the execution phase, we maintain open communication channels:

  • Daily Progress Reports: Summary of testing activities and areas covered
  • Critical Finding Alerts: Immediate notification of high-risk vulnerabilities
  • Technical Queries: Quick resolution of any access or scope questions
  • Status Dashboard: Optional real-time testing progress visibility

Testing Timeline

Typical Duration: 5-15 business days depending on scope and complexity
Engagement Type             Typical Duration   Coverage
Web Application Test        3-5 days           OWASP Top 10, business logic, authentication
Network Penetration Test    5-10 days          External/internal infrastructure, segmentation
Red Team Exercise           60-90+ days        Full adversary simulation, physical + digital
Cloud Security Assessment   3-7 days           Configuration, IAM, data exposure, compliance

What to Expect

Safe Testing

We prioritise system stability and data integrity throughout testing

Transparency

Clear visibility into what we're testing and when

Confidentiality

All findings and data handled with strict security protocols

Collaboration

Working with your team to understand context and impact

Evidence Collection

Throughout testing, we meticulously document all findings with:

Screenshots

Code Snippets

Command Output

Video Demos

Testing Complete

Once testing concludes, we compile our findings into comprehensive reports for your team.

04

Reporting

Clear, actionable reports that bridge the gap between technical findings and business impact.

Comprehensive Documentation

Our reporting phase transforms raw testing data into actionable intelligence. We deliver reports that are technically accurate yet accessible to all stakeholders, from developers to executives. Each report is crafted to provide maximum value for remediation efforts and security improvements.

Report Components

Executive Summary

A high-level overview designed for leadership and non-technical stakeholders:

  • Overall security posture assessment
  • Risk rating and business impact analysis
  • Key findings and critical vulnerabilities
  • Strategic recommendations and roadmap
  • Compliance implications and gaps

Technical Findings

Detailed vulnerability information for technical teams:

  • Vulnerability descriptions and CVSS scores
  • Proof-of-concept code and exploitation steps
  • Affected systems and components
  • Attack scenarios and threat modeling
  • Technical root cause analysis

Remediation Guidance

Practical steps to address identified vulnerabilities:

  • Specific fix recommendations with code examples
  • Prioritised remediation roadmap
  • Quick wins vs. long-term improvements
  • Alternative mitigation strategies
  • Security best practices and hardening guides

Severity Classification

Critical

Immediate action required. Remote code execution, data breach risk

High

Significant risk. Privilege escalation, sensitive data exposure

Medium

Moderate risk. Limited data access, partial service disruption

Low

Minor risk. Information disclosure, configuration weaknesses

Report Formats

PDF Report

Comprehensive document with all findings, evidence, and recommendations

  • Professional formatting
  • Executive-ready
  • Print-friendly

Technical Appendix

Complete evidence package included with every finding in the main report

  • Proof-of-concept code for each issue
  • Screenshots demonstrating vulnerabilities
  • Detailed reproduction steps
  • Raw request/response data
  • Configuration extracts
  • Log excerpts and evidence trails

Delivery Timeline

Day 1-2

Initial draft preparation and evidence compilation

Day 3-4

Internal review and quality assurance

Day 5

Final report delivery

What Makes Our Reports Different

Business Context: We translate technical risks into business impact
Clear Roadmap: Prioritised action items with realistic timelines
Reproducible: Step-by-step instructions to verify findings
Metrics-Driven: Quantifiable risk scores and trending analysis
Multi-Audience: Sections for executives, managers, and engineers
Compliance-Ready: Aligned with regulatory requirements

Report Delivered

After report delivery, we schedule a debrief session to discuss findings and answer questions.

05

Debrief & Fix

Collaborative sessions to ensure your team understands findings and has a clear path to remediation.

Knowledge Transfer & Action Planning

The debrief phase is crucial for translating our findings into actionable improvements. We don't just deliver a report and disappear – we work with your team to ensure complete understanding and develop a practical remediation strategy that aligns with your resources and priorities.

Debrief Sessions

Executive Briefing

High-level presentation for leadership and decision-makers:

  • Risk overview and business impact
  • Compliance implications
  • Budget and resource requirements
  • Strategic recommendations
  • Comparison to industry peers
  • ROI of security investments

Technical Deep Dive

Detailed walkthrough with development and security teams:

  • Live vulnerability demonstrations
  • Code review and fix validation
  • Architecture recommendations
  • Tool configuration guidance
  • Security testing integration
  • Q&A and troubleshooting

Remediation Support

Guidance & Consultation

Ongoing support during remediation:

  • Fix verification
  • Code reviews
  • Architecture advice
  • Tool recommendations

Knowledge Transfer

Empowering your team:

  • Security training
  • Best practices
  • Threat modeling
  • Testing techniques

Progress Tracking

Measuring improvement:

  • Remediation metrics
  • Risk reduction
  • Milestone reviews
  • Status reports

Prioritisation Framework

We help you prioritise fixes based on multiple factors:

Risk-Based Priority: Critical > High > Medium > Low

Focus on the highest-risk vulnerabilities first

Effort-Based Priority: Quick Wins > Medium Effort > Major Projects

Balance quick wins with long-term improvements

Typical Remediation Timeline

Week 1-2
Critical Fixes: Address vulnerabilities that pose immediate risk
Week 3-4
High Priority: Remediate significant vulnerabilities and quick wins
Month 2-3
Systematic Improvements: Architecture changes and process updates

Support Options

Basic Support

  • Email support
  • Fix verification
  • 30-day coverage

Enhanced Support

  • Priority support
  • Weekly calls
  • Code reviews
  • 90-day coverage

Premium Support

  • Dedicated consultant
  • On-site assistance
  • Implementation help
  • 6-month coverage

Measuring Success

Risk Reduction

Quantifiable decrease in vulnerability count and severity

Time to Fix

Improved remediation velocity and efficiency

Security Maturity

Enhanced processes and team capabilities

Compliance

Meeting regulatory and framework requirements

Remediation Complete?

Consider our optional retest service to validate fixes and measure improvement.

06

Optional Retest

Validate your remediation efforts and demonstrate security improvements with comprehensive retesting.

Verification & Validation

Retesting is a critical component of the security improvement lifecycle. It validates that vulnerabilities have been properly remediated and that the fixes haven't introduced new security issues. This phase provides confidence to stakeholders and demonstrates the effectiveness of your security investments.

Why Retest?

Verify Fixes

Confirm vulnerabilities have been properly addressed and can no longer be exploited

New Vulnerability Check

Ensure fixes haven't introduced new security issues or weaknesses

Compliance Documentation

Provide evidence of remediation for auditors and compliance requirements

Progress Metrics

Quantify security improvements and demonstrate ROI to stakeholders

Retest Options

Targeted Retest

Focus on specific vulnerabilities that were remediated:

  • Verify critical and high-risk fixes
  • Test specific remediation implementations
  • Quick turnaround (1-2 days)
  • Cost-effective validation

Ideal for: Organisations that fixed specific high-risk vulnerabilities

Comprehensive Retest

Full re-examination of previously tested scope:

  • Verify all identified vulnerabilities
  • Check for regression issues
  • Identify new vulnerabilities
  • Updated security posture assessment

Ideal for: Major remediation efforts or architectural changes

Expanded Retest

Original scope plus additional systems:

  • Test remediated vulnerabilities
  • Include new systems or applications
  • Assess security improvements
  • Holistic security validation

Ideal for: Growing environments or post-deployment validation

Retest Process

1. Review Fixes

Analyse remediation documentation and changes made

2. Retest

Attempt to exploit previously identified vulnerabilities

3. Regression Check

Ensure fixes haven't introduced new issues

4. Report Update

Provide updated findings and attestation

Retest Deliverables

Retest Report

Comprehensive documentation including:

  • Status of each original finding
  • Evidence of successful remediation
  • Any remaining or new vulnerabilities
  • Security posture comparison

Attestation Letter

Formal validation document stating:

  • Scope of retesting performed
  • Verification of remediation
  • Current security status
  • Compliance attestation (if applicable)

Success Metrics

95%+

Average remediation success rate

80%

Risk reduction after fixes

2-3 Days

Typical retest duration

30-50%

Cost vs. initial test

When to Schedule Retesting

30-60 Days Post-Report

Ideal for critical fixes and quick wins - allows time for implementation while findings are fresh

90-120 Days Post-Report

Comprehensive retesting after major remediation efforts and architectural changes

Before Major Releases

Validate security before deploying significant updates or new features

Ready to Validate Your Security Improvements?

Contact us to schedule your retest and demonstrate the effectiveness of your remediation efforts.

Engagement Complete

With retesting complete, you have validated evidence of your security improvements. Consider our continuous testing services to maintain your security posture over time.