Penetration Testing

A penetration test, or pentest, is a simulated cyber attack carried out by ethical hackers to identify vulnerabilities in your systems, networks, or applications. It’s like hiring someone to break into your business digitally – with your permission – so they can find the gaps before a real attacker does. For small to medium businesses in New Zealand, this means uncovering weak spots like misconfigured settings, outdated software, or insecure websites that could put customer data or operations at risk.

By running a pentest, Kiwi businesses can get a clear, expert view of where their security stands and what needs to be fixed. It helps protect sensitive information, supports compliance with data protection standards, and shows customers you take cyber security seriously. For many SMBs, a pentest is a practical step to building trust, reducing risk, and ensuring their systems can stand up to real-world threats – without waiting for something to go wrong first.

Web Application Penetration Test

Our Web Application Penetration Testing service involves a comprehensive assessment of your web applications to identify and mitigate security vulnerabilities. Following the methodologies outlined in the OWASP Web Security Testing Guide (WSTG), our testing includes:

Injection Attacks: Evaluating susceptibility to injection flaws, such as SQL, NoSQL, and command injections, which can allow attackers to execute arbitrary commands or access unauthorised data.

Cross-Site Scripting (XSS): Identifying instances where untrusted data can be included in web pages without proper validation or escaping, enabling attackers to execute malicious scripts in users' browsers.

Authentication and Session Management: Assessing the effectiveness of authentication mechanisms and session management to prevent issues like credential stuffing, session hijacking, and exposure of sensitive information.

Security Misconfigurations: Reviewing the application and server configurations to detect misconfigurations that could lead to security breaches, such as default settings, incomplete setups, or unnecessary features being enabled.

Our approach combines automated tools with manual testing to ensure a thorough evaluation. We provide detailed reports with actionable recommendations to enhance your application's security posture.

API Penetration Test

APIs are integral to modern applications and can be prime targets for attackers. Our API Penetration Testing service evaluates your APIs against the OWASP API Security Top 10, focusing on vulnerabilities such as:

Broken Object Level Authorisation: Ensuring that API endpoints properly enforce authorisation checks to prevent unauthorised access to sensitive data.

Excessive Data Exposure: Identifying APIs that return more data than necessary, which could be exploited to gather sensitive information.

Lack of Resources & Rate Limiting: Assessing whether APIs implement proper rate limiting to prevent issues like denial of service attacks.

Injection Flaws: Testing for injection vulnerabilities, such as SQL, NoSQL, and command injections, that could allow attackers to execute arbitrary commands or access unauthorised data.

We analyse both RESTful and SOAP APIs, providing insights into potential security gaps and offering remediation strategies to secure your data exchanges.

Mobile Application Penetration Test

Our Mobile Application Testing service assesses the security of your iOS and Android applications through a comprehensive process aligned with the OWASP Mobile Application Security Testing Guide (MASTG):

Security Architecture Review: Analysing the app's design and data flow to ensure security is integrated into the architecture.

Static Analysis: Reviewing source code or decompiled binaries for security flaws, including improper use of cryptography, insecure data storage, and code vulnerabilities.

Dynamic Analysis: Observing the app's behaviour during runtime to detect issues like insecure communication, data leakage, and improper session handling.

Network Communication Testing: Ensuring that data transmitted between the mobile app and backend services is encrypted and protected against interception.

Local Data Storage Assessment: Checking for sensitive data stored insecurely on the device, which could be accessed by malicious apps or attackers with physical access.

We identify vulnerabilities that could lead to data breaches or unauthorised access, providing detailed reports with prioritised remediation steps.

Internal Network Penetration Test

Our Internal Network Penetration Testing service simulates an attack from within your organisation's network to identify vulnerabilities that could be exploited by insiders or compromised devices. This includes:

Network Segmentation Testing: Ensuring that sensitive areas of the network are properly isolated to prevent unauthorised access.

Privilege Escalation Attempts: Identifying paths that could allow an attacker to gain higher access levels within the network.

Sensitive Data Access: Testing the accessibility of confidential information stored within the internal network.

Lateral Movement: Assessing how easily an attacker can move through the network to access additional systems and data.

We provide a comprehensive report detailing identified vulnerabilities, their potential impact, and actionable recommendations to strengthen your internal defences.

External Network Penetration Test

Our External Network Penetration Testing service evaluates your organisation's internet-facing infrastructure to identify and exploit vulnerabilities that external attackers could leverage. This includes:

Open Ports and Services Enumeration: Identifying exposed services that could be potential entry points for attackers.

Vulnerability Scanning and Exploitation: Detecting and attempting to exploit weaknesses in external-facing systems and applications.

Domain Name System (DNS) and Domain Configuration Review: Ensuring external DNS records and domain configurations are properly set up to prevent issues like subdomain takeover.

Breached Data Search: Reviewing publicly circulating data breach dumps to identify whether any of the company's user information appears in them.

By simulating real-world attack scenarios, we help you understand your external exposure and provide recommendations to mitigate identified risks.

Hardware Penetration Test

Our Hardware Penetration Testing service evaluates the security of physical devices and embedded systems to identify vulnerabilities that could be exploited to gain unauthorised access or cause disruption. This service is crucial for organisations that rely on specialised hardware, including Internet of Things (IoT) devices, medical equipment, and industrial control systems.

Device Analysis: We conduct a thorough examination of the hardware to identify potential attack vectors, including debugging interfaces, exposed ports, and wireless communication channels.

Firmware Assessment: Our team analyses the device firmware to detect vulnerabilities such as hardcoded credentials, outdated libraries, and insecure update mechanisms.

Communication Protocol Evaluation: We assess the security of communication protocols used by the device, including Bluetooth, NFC, RFID, and proprietary protocols, to identify risks like unauthorised data interception or manipulation.

Physical Security Testing: Our experts evaluate the physical security measures of the device, such as tamper-evident features and resistance to side-channel attacks.

Use of Specialised Tools: We employ advanced hardware testing tools to interact with and assess various communication protocols and radio frequencies.

Upon completion, we provide a detailed report outlining identified vulnerabilities, their potential impact, and tailored recommendations for remediation to enhance the security of your hardware assets.