Penetration Testing

Our specialist offensive testing services include an extensive range of penetration testing capabilities at the application, network, and physical level.

  • Security Research as a Service
  • Red Teaming and Attacker Emulation
  • Web Application and API
  • External, Internal, and Wireless Networks
  • Host and SOE
  • Cloud Environments
  • Mobile Applications
  • Bespoke Systems and Applications

Security Review

Complementing our Penetration Testing we also perform network architecture and application review services. Helping your business achieve best practice design and secure-by-default approaches to your infrastructure.

  • Network Architecture Review
  • Application Architecture Review
  • Source Code Review
  • DevOps Review
  • General Security Consultancy

Incident Response

For when things go wrong, our experienced and qualified team will help with getting you back on track.

  • Incident Response Preparedness
  • Incident Management and Leadership
  • Forensic Investigations (GIAC Certified Forensic Analysts)
  • Malware Analysis

Featured Releases

Noot - Encrypted resumable ICMP exfiltration

Noot: a pair of PowerShell scripts for transferring files using ICMP (ping). Complete with encryption, partial transfer resume, and big (1GB+) file support.


A hex editor and nothing to lose - Binary patching Golang to fix net/http

This article is going to look at patching Golang code at the assembly level to modify some behaviour in the net/http standard library. The Golang maintainers aren’t super interested in changing this bit of behavior, so lets fix it ourselves!


Slack Web Hook Message Injection Advisory

Slack integrations such as webhook APIs are often used to alert on user actions to internal teams. A vulnerability was noted when user supplied data containing a large amount of white space was included in a request to the Slack webhook API. By including enough white space in this data, the messages would be split and truncated. As a result, the malicious payload after the whitespace would appear as a standalone message from the Slack bot. An attacker could exploit this to forge messages containing Slack message markup to perform social engineering and other attacks if an integration, such as a website or other software, included unvalidated user input in the message to the Slack webhook.

Get in touch

How can we help?

+64 4 889 4756