APPLICATION PENETRATION TEST

Your applications—whether they run in a web browser or as a standalone program on a desktop—are the gateway to your most critical data. A vulnerability can lead to a significant data breach, reputational damage, and loss of customer trust.

Our Application Penetration Testing services are designed to identify and remediate these vulnerabilities. Each assessment is conducted manually by our experienced, Australian-based testers, following industry-leading standards from OWASP and NIST.

Featured
Web Application Penetration Test
Web Application Penetration Test
from A$5,200.00

This is our comprehensive "black-box" assessment, designed for the majority of business-critical web applications.

This package is ideal for testing applications with multiple user roles (e.g., users, managers, administrators) and complex business logic. We simulate the actions of a real-world attacker to identify vulnerabilities that could compromise your application and its data.

  • Who is this for? Businesses needing to satisfy regulatory obligations (PCI DSS, ISO 27001), meet tender or customer security requirements, and proactively secure their primary web platforms.

  • Methodology: A thorough, manual penetration test based on OWASP and NIST standards, conducted by a senior certified penetration tester.

  • Deliverable: A comprehensive penetration testing report detailing all findings with a clear remediation plan, and a formal Certificate of Penetration Testing to share with your clients and stakeholders.

Thick Client Penetration Test
Thick Client Penetration Test
from A$5,200.00

This package is designed for business-critical desktop applications (Windows, macOS) that process or handle sensitive customer, financial, or healthcare data. It provides the assurance that this data is protected both on the user's computer and during transit to your servers.

Our assessment provides a comprehensive 'grey-box' review. We analyse the installed application to find client-side vulnerabilities like insecure local data storage, weak encryption, and potential for reverse engineering. We then rigorously test the backend APIs to ensure that all data is securely transmitted, authenticated, and authorised, preventing breaches at the server level.

  • Who is this for? Organisations in finance, healthcare, or other regulated industries that rely on thick client applications and require a high degree of assurance that sensitive data is being handled securely.

  • Deliverable: A comprehensive report, a remediation plan, and a Certificate of Penetration Testing.

Application Penetration Test + Source Code review bundle
Application Penetration Test + Source Code review bundle
from A$7,800.00

This is our most in-depth "white-box" assessment, providing unparalleled insight into your application's security posture.

This package is designed for organisations with highly sensitive applications, such as those in the healthcare and financial services sectors. In addition to the full penetration test, our experts perform a manual review of your application's source code. This allows us to identify deep-seated architectural flaws, insecure coding practices, and vulnerabilities that are impossible to find from the outside.

  • Who is this for? Businesses that require the highest level of assurance for their most critical and sensitive applications.

  • Methodology: Combines the full external penetration test with an internal "white-box" source code security review.

  • Deliverable: A consolidated report with all external and source code findings and detailed remediation guidance, plus a formal Certificate of Penetration Testing to demonstrate your commitment to security.

Cloud Security Penetration Test (AWS, Azure, GCP)

As Australian organisations accelerate their migration to the cloud, the security of these environments has become a primary business concern. While cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) offer powerful and secure infrastructure, the shared responsibility model means that you are ultimately responsible for configuring and securing your own cloud environment.

A single misconfiguration—an overly permissive IAM role, a publicly exposed S3 bucket, or an unsecured container—can lead to a catastrophic data breach. Our Cloud Security Penetration Test is a specialised service designed to identify these critical misconfigurations in your cloud-native architecture before an attacker does.

Featured
Gemini_Generated_Image_42g8rh42g8rh42g8.png
Cloud Security Penetration Test (AWS, Azure, GCP)
A$5,200.00

This package provides a comprehensive security assessment of a single cloud account or subscription (AWS, Azure, or GCP).

We simulate the actions of a determined attacker to identify and validate critical misconfigurations across your cloud environment. This assessment provides the assurance you need that your data, applications, and infrastructure are securely configured according to industry best practices.

  • Who is this for? Any organisation using cloud infrastructure to store or process sensitive data and wanting to prevent cloud-based data breaches.

  • Methodology: An expert-led "white-box" assessment of your cloud environment's configuration and security controls.

  • Deliverable: A comprehensive report detailing all misconfigurations, their potential business impact, and a clear, prioritised remediation plan, plus a Certificate of Penetration Testing.

Mobile Application Penetration Testing (iOS & Android)

Mobile applications are a primary channel for engaging with your customers, but they also represent a unique and complex security challenge. Unlike web applications, mobile apps store data directly on a user's device and interact with a wide range of platform-specific services and APIs, creating a broad and often overlooked attack surface.

A single vulnerability can lead to the compromise of sensitive user data stored on the device, interception of communications, and unauthorised access to your backend systems. Our Mobile Application Penetration Test provides a comprehensive security assessment to identify and remediate these critical risks.

Featured
Mobile Application Penetration Test Package
Mobile Application Penetration Test Package
from A$5,200.00

This package is designed to perform a thorough penetration test of a single mobile application binary (either iOS or Android) to satisfy regulatory, tender, or compliance requirements.

The test is conducted by our senior, Australian-based certified penetration testers. Our methodology is based on the OWASP Mobile Application Security Verification Standard (MASVS) and recommendations from NIST. The final report provides the assurance you need to meet regulatory obligations, tender requirements, and standards like PCI DSS or ISO 27001.

  • Scope: A comprehensive security assessment of one application binary (iOS or Android).

  • Deliverable: A detailed report with all findings, their potential impact, and a clear remediation plan, plus a Certificate of Penetration Testing.

Infrastructure Penetration Testing

Your organisation's infrastructure is the foundation of your operations. Securing it requires a two-pronged approach: defending your internet-facing perimeter from outside attackers, and securing your internal network against threats that have already made it past the frontline.

A single misconfigured firewall can expose you to the world, while a lack of internal security can allow a minor breach to escalate into a catastrophic one. Our infrastructure penetration tests simulate real-world attacks from both outside and inside your network to provide a complete view of your security posture.

Featured
External Infrastructure Penetration Test
External Infrastructure Penetration Test
from A$6,200.00

This assessment answers the question: "How would an attacker get in from the internet?"

We simulate the actions of an external attacker with no prior knowledge of your systems. Our test focuses on your internet-facing perimeter, including your web servers, VPNs, firewalls, and cloud services. We identify and validate vulnerabilities that could allow an attacker to breach your defences.

  • Who is this for? All organisations. This is the foundational assessment for understanding and securing your public-facing attack surface.

  • Methodology: An expert-led test simulating an external attacker, covering reconnaissance, vulnerability scanning, and controlled exploitation of perimeter systems.

  • Deliverable: A detailed report on all external vulnerabilities and a clear remediation plan, plus a Certificate of Penetration Testing.

Internal Infrastructure Penetration Test
Internal Infrastructure Penetration Test
from A$6,200.00

This assessment answers the question: "What could an attacker do if they were already inside our network?"

We simulate the actions of a malicious insider or an attacker who has successfully bypassed your perimeter defences (e.g., through a phishing attack). Starting from a position inside your network, we test for weaknesses in Active Directory, internal servers, and network segregation to see how far an attacker could get and what data they could access.

  • Who is this for? Organisations looking to defend against modern threats like ransomware and insider attacks and validate their internal security controls.

  • Methodology: A "white-box" test simulating an internal threat, focused on privilege escalation, lateral movement, and accessing critical internal assets.

  • Deliverable: A comprehensive report on internal network vulnerabilities and misconfigurations, plus a Certificate of Penetration Testing.

API Security Assessment

APIs (Application Programming Interfaces) are the engine of modern digital business. They power your mobile apps, connect your cloud services, and handle the critical data exchange between your business and your customers. Unlike traditional websites, APIs are designed for direct, programmatic interaction, making them a prime target for sophisticated attackers.

Because APIs expose application logic and direct data access, they are susceptible to unique and severe vulnerabilities that standard security scans often miss. A single flaw in an API can lead to a catastrophic data breach. Our specialised API Security Assessment focuses on finding and fixing these critical vulnerabilities—from broken authorisation flaws to complex injection attacks—ensuring the backbone of your business is secure.

Featured
API Security Assessment
API Security Assessment
from A$5,200.00

A comprehensive security assessment for a single API application (typically up to 20 endpoints). We provide expert penetration testing for modern REST and GraphQL APIs, as well as legacy SOAP services, to identify critical vulnerabilities that automated scanners miss.

Static Source Code Analysis

The most effective way to eliminate vulnerabilities is to find them before they ever reach a production environment. Static Source Code Analysis is a "white-box" security assessment where we examine your application's source code without executing it.

This proactive approach allows us to identify deep-seated security flaws, insecure coding practices, and architectural issues early in the development lifecycle, when they are cheapest and easiest to fix.

By integrating security analysis into your development process, you gain significant advantages:

  • Find Flaws Early: Identify vulnerabilities at the implementation stage, dramatically reducing the cost and complexity of remediation compared to finding them post-deployment.

  • Educate Your Developers: Our findings provide direct, code-level feedback to your development team, helping them learn and apply secure coding practices in future projects.

  • Comprehensive Coverage: We analyse 100% of your codebase, including complex logic paths and functions that are difficult to reach in a live testing environment.

Featured
Static Source Code Analysis Package
Static Source Code Analysis Package
A$5,200.00

This package provides a comprehensive "white-box" security review for a single application codebase. It combines the efficiency of automated scanning with the critical thinking of an expert security analyst to deliver thorough and accurate results.

  • Scope: Up to 500,000 lines of code (LoC).

  • Languages: We support over 21 programming languages, including Java, C#, Python, JavaScript, Go, and more.

  • Standards: Our methodology is based on leading industry recommendations from OWASP and NIST.

Threat Modelling Service

Are you building security into your new applications from day one, or treating it as an afterthought? How do you identify critical security flaws in the design of a new feature, before a single line of code is even written? Do you know the true cost of fixing a vulnerability found in production versus one caught on the whiteboard?

Lean Security’s Threat Modelling service shifts your organisation's security from reactive to proactive. This isn't a standard penetration test on finished code; it is a collaborative analysis of your application's design. We help your team identify architectural flaws and potential attack paths before they become expensive and time-consuming problems to fix. This is about making a strategic investment in secure-by-design principles to build fundamentally resilient applications.

Featured
Threat Modelling Service
Threat Modelling Service
A$4,200.00

An expert-led threat modelling workshop for a single application or system. We work with your team to proactively identify and prioritise design-level security flaws before a single line of code is written, saving you time and reducing future costs.