Penetration testing services

For over 25 years, dotSec has provided penetration testing services for a wide range of corporate and government organisations, but what makes dotSec’s pen tests unique?

Surprise: dotSec’s pen testers don’t just do pen testing!

Instead, our pen testers also build things like AWS-hosted services and IAM systems, have system hardening skills, and rotate through roles including EDR and SIEM analyst.

As a result, dotSec’s testers are uniquely placed to provide you with pen testing services and to deliver prioritised strategies that are practical and reasonable to implement.

What is a penetration test (pen test)?

A penetration test (pen test) is an exercise, conducted by a careful, skilled assessor, that seeks to discover, exploit and report on vulnerabilities in the target asset(s).  

Penetration testing almost always includes a vulnerability assessment, where the assessor uses scanning tools in an attempt to identify known vulnerabilities in the target asset(s). Pen testing builds on vulnerability scanning and assessment: the assessor uses automated and manual techniques to first confirm that the reported vulnerabilities are real (not false positives), and then seeks to exploit those vulnerabilities in order to engineer a successful attack, within any pre-agreed constraints or conditions.

How do pen testing services improve your security?

Penetration testing can benefit your business in a number of ways. Most obviously, pen testing will provide you with:

An understanding of shortcomings and risks

A list of problems is not going to help anyone, so dotSec’s pen testing services always focus on the risks associated with each shortcoming, and on the associated remediation options.

The idea is to present a qualitative risk assessment that is consistent with relevant AS/NZ, and ISO/IEC Risk Assessment and Management standards and security guidelines.

Where relevant, we will refer to published vulnerability descriptions such as those in the OWASP Top Ten guidelines, and we will assign a severity rating to each vulnerability using the Common Vulnerability Scoring System (CVSS v3.1).

A prioritised, risk-based, practical plan

The most important part of a pen test is a prioritised list of recommendations, describing how each of the identified risks may be reduced to an acceptable level.  

dotSec has been implementing and maintaining secure systems for over 25 years. For example, we’ve built secure hosted services for federal government, cryptographic systems for APRA, and Identity and Access Management systems for utilities companies. And more!

Since we know what it takes to build secure systems, our pen test reports provide you with a prioritised and practical path to address the risks associated with the shortcomings we discover.

Assist with Governance, Risk and Compliance

Most governance, risk management and compliance frameworks and standards require some kind of testing program: 

The PCI DSS requires that testing be conducted on a regular basis and following any significant system changes. CPS 234 requires a systematic testing program. And ISO 27001 notes that information systems should be regularly reviewed for compliance with the organisation’s information security policies and standards.

But whether compliance requirements are relevant or not, a penetration test will still help you. We can help you (the target/resource owner) to understand the level of risk, so that you can prioritise your risk management programs of work.

Validation of cyber risk controls

An equally valuable outcome of a pen test is independent validation of your cyber risk-management strategies:  

dotSec’s pen tests will deliver an unbiased view of how well your security controls actually perform when tested by experienced attackers. 

dotSec has been independently assessing, building, and operating secure environments for over 25 years. Some examples include federal government systems, APRA-aligned cryptographic services, and Identity and Access Management (IAM) platforms for major utilities. Our assessments don’t rely on assumptions or theory; they provide objective, evidence-driven verification of what is secure, what isn’t, and what needs attention.

Penetration testing FAQ

What is penetration testing and how is it different from a vulnerability scan?

Answer: A penetration test is an evidence-based assessment where a skilled tester discovers, validates and attempts to exploit vulnerabilities to understand real-world business impact. A vulnerability scan is automated and does not determine whether weaknesses are exploitable or meaningful. Penetration testing requires manual analysis, attacker-style reasoning and contextual risk evaluation.

Reference: https://csrc.nist.gov/pubs/sp/800/115/final

Answer: Testing frequency depends on risk appetite, regulatory requirements and how often systems change. PCI DSS requires at least annual testing and after significant changes. NIST and ACSC guidance recommend conducting tests as part of a continuous assurance regime, especially when modifying authentication, deploying cloud services or introducing new technologies.

References:

PCI DSS v4.0 Requirement 11.4 – Penetration Testing

NIST SP 800-53 CA-8 – Penetration Testing

Answer: DotSec provides external, internal, web application, mobile, cloud, API and authentication-system penetration testing. Our testers also bring broader engineering experience across AWS, IAM systems, hardening, SIEM and EDR, allowing them to identify chained attack paths that automated scanners often miss.

Reference: NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment

Answer: A well-run test has documented rules of engagement and uses safe-to-perform techniques unless you explicitly authorise otherwise. DotSec follows documented methodologies, and coordinates with operational staff to minimise disruption.

Reference: NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment

Answer: A meaningful report verifies each finding, explains exploitability and business impact, and provides a prioritised remediation plan aligned with your environment. It should reference standards, guidelines and systems such as OWASP, CVE, ISO 27001, NIST or PCI DSS, and provide evidence-based guidance for control improvement.

References:

Prudential practice guide – CPS 234

Information Supplement: Penetration Testing Guidance

What next?

A penetration test is only the first step. The real value comes from converting testing evidence into practical security and compliance outcomes. DotSec’s strength is that we do not just deliver a list of problems. Instead, using our 25+ years of experience building, securing and operating systems for corporate and government clients, we help you turn test results into measurable improvements.

Our engineers can assist with remediation planning, secure configuration, IAM hardening, log and telemetry uplift, cloud security controls, segmentation reviews, and implementation of security baselines mapped to the ACSC Essential Eight, NIST, ISO 27001 and PCI DSS. Because our testers also work across AWS security, IAM systems, EDR, SIEM and infrastructure projects, their recommendations reflect what is actually achievable in a production environment.

If your organisation also needs governance and assurance support, DotSec’s GRC specialists can help align remediation work with your risk register, provide objective evidence for internal and external audits, and improve your maturity against frameworks including ISO 27001, CPS 234 and the Essential Eight Maturity Model. This combination of testing, engineering and GRC capability ensures that you do not just fix individual findings, but strengthen your entire security posture in a structured and defensible way.

If you would like to discuss how DotSec can support testing, implementation or broader risk and compliance objectives, we would be pleased to assist.
