Find out exactly how a real attacker would break into your network, application, or cloud environment, before they do. Our certified ethical hackers combine manual exploitation with industry-standard methodology (PTES, OWASP, NIST) to deliver evidence-based findings your board, your auditor, and your IT team can all act on.
Get a free scoping call → | Typical turnaround: 2–4 weeks | POPIA & PCI DSS-ready reporting
What Is Penetration Testing?
Penetration testing, often shortened to “pen testing,” is an authorised, simulated cyberattack against your own systems, carried out by a qualified human tester rather than software alone. The objective is straightforward: find the security gaps that a real attacker would find first, prove they’re exploitable by actually exploiting them under controlled conditions, and hand your team a prioritised plan to close them before anyone with bad intentions gets the chance.
This distinguishes a genuine penetration test from an automated vulnerability scan. A scanner checks software versions and configurations against a known database of flaws and produces a list. A penetration test takes that list and asks the harder question: can these flaws actually be chained together to reach something that matters, such as customer records, financial systems, or domain administrator access? That distinction is exactly why PCI DSS requires testing performed by people, not just tools, and why ISO 27001 auditors and most cyber insurance underwriters expect to see it.
Why South African Businesses Need Penetration Testing Now
South Africa consistently ranks among the most targeted countries in Africa for cybercrime, and the regulatory environment has caught up with that reality. Three pressures are driving demand for proper testing right now:
POPIA enforcement is active. The Information Regulator has shown it will issue findings and penalties against organisations that fail to take “appropriate technical and organisational measures” to protect personal information. Documented, regular penetration testing is one of the clearest forms of evidence you can show a regulator or a court that you took security seriously.
PCI DSS Requirement 11.4 is explicit. Any business that stores, processes, or transmits card data must undergo penetration testing at least annually, and after any significant infrastructure or application change. Banks and payment processors in South Africa are increasingly enforcing this on their merchants directly.
Cyber insurance and tender requirements now ask for proof. Insurers are tightening underwriting criteria, and public sector and enterprise RFPs increasingly list a current penetration test report as a prerequisite for doing business, not a nice-to-have.
Our Penetration Testing Services
Network Penetration Testing
We test your external perimeter (everything internet-facing: firewalls, VPNs, mail gateways, exposed services) and your internal network (what happens if a laptop, an employee account, or a single workstation is compromised). Internal testing matters because most real breaches start with one foothold and spread; we show you exactly how far that foothold could travel.
Web Application Penetration Testing
Manual testing against the OWASP Top 10 and beyond: authentication and session flaws, broken access control, injection vulnerabilities, business logic abuse, and API weaknesses hiding behind the interface. Automated scanners routinely miss business logic flaws because there is no signature to match; this is where a skilled human tester earns their fee.
Mobile Application Penetration Testing
iOS and Android apps tested for insecure data storage, weak certificate pinning, exposed API endpoints, and reverse-engineering risk, covering both the client app and the backend services it talks to.
Cloud Security Testing
Configuration review and exploitation testing across AWS, Azure, and Google Cloud environments, covering identity and access management, storage bucket permissions, container security, and the misconfigurations behind most real-world cloud breaches.
API Penetration Testing
REST, GraphQL, and SOAP APIs tested for broken object-level authorisation, excessive data exposure, and rate-limiting failures. APIs are increasingly the most attacked layer as businesses shift to API-first architectures.
Social Engineering & Phishing Simulation
Controlled phishing campaigns, vishing (phone-based) tests, and on-site physical access attempts to measure how your people, not just your technology, respond to a real attack attempt.
Choosing Your Testing Approach: Black, Grey & White Box
The right testing approach depends on what question you’re trying to answer, and we’ll recommend one during scoping rather than asking you to guess.
Black box testing simulates an outsider with zero prior knowledge, exactly like a real external attacker starting from scratch. It’s the most realistic simulation of an opportunistic attack but takes longer and may not reach deeper systems within a limited time window.
Grey box testing gives the tester limited information or access, similar to what a malicious customer, contractor, or supplier might already have. This is the most common real-world starting point for breaches and usually the best balance of realism and depth for a fixed-budget engagement.
White box testing gives the tester full access (source code, architecture diagrams, credentials) to find the maximum number of issues in the available time. It is the deepest option and best suited to high-value applications or systems undergoing major changes before launch.
Our Methodology
We follow the Penetration Testing Execution Standard (PTES) framework, recognised across the industry for turning testing into a repeatable, auditable discipline rather than ad hoc poking around:
1. Pre-engagement. We agree scope, rules of engagement, testing windows, and emergency stop conditions in writing before any testing begins.
2. Intelligence gathering. Reconnaissance using OSINT and technical footprinting to map your real attack surface, including what you may not know is exposed.
3. Threat modelling. We prioritise testing effort around the assets and attack paths most relevant to your business, not a generic checklist.
4. Vulnerability analysis. Combining automated tooling with manual verification to separate real risk from noise.
5. Exploitation. We attempt to safely exploit validated vulnerabilities to prove real-world impact, under the rules of engagement agreed upfront.
6. Post-exploitation. Where access is gained, we assess how far an attacker could move and what they could ultimately reach; this is where business impact, not just technical severity, becomes clear.
7. Reporting. A two-part report: an executive summary your leadership can act on, and a technical report your engineers can use to fix issues line by line.
What’s in Your Report
A weak report turns a good test into a wasted budget. Every report we deliver includes a plain-language executive summary scored by business risk, not just technical severity; a CVSS-scored technical breakdown of every finding with exact reproduction steps; annotated evidence (screenshots, request/response data) so your developers don’t have to take our word for it; prioritised, specific remediation guidance instead of generic “patch your systems” advice; and a mapping of findings to relevant compliance frameworks (POPIA, PCI DSS, ISO 27001) where applicable. One round of retesting is included to confirm fixes actually closed the gap.
Understanding Your Findings: Severity, CVSS Score & Business Impact
Every finding in your report is scored using the industry-standard CVSS (Common Vulnerability Scoring System) framework, so severity ratings are consistent, defensible, and comparable across engagements and over time. Here’s what each rating actually means for your business:
| Severity | CVSS Score Range | Typical Business Impact |
|---|---|---|
| Critical | 9.0 – 10.0 | Likely full system compromise, data breach, or domain admin takeover; typically exploitable remotely without authentication or user interaction. Remediate immediately; often warrants an out-of-cycle patch. |
| High | 7.0 – 8.9 | Significant exposure of sensitive data or systems; exploitable with moderate effort. Typically subject to defined remediation deadlines under PCI DSS and closely scrutinised by insurers. |
| Medium | 4.0 – 6.9 | Limited exploitability or impact on its own, but often a building block in an attack chain. Should be scheduled into the next regular patch or release cycle. |
| Low | 0.1 – 3.9 | Minimal direct risk; usually informational hardening (e.g., verbose error messages, missing security headers). Address opportunistically. |
| None / Info | 0.0 | No direct exploitability identified; included for completeness or as a best-practice recommendation. |
Scoring follows the CVSS v3.1/v4.0 standard maintained by FIRST.org. Every finding in your report includes its full CVSS vector string alongside the score, so your team can verify the rating independently rather than taking our word for it. Note that a CVSS base score rates the vulnerability in isolation and deliberately ignores your environment, so the business-risk ranking in the executive summary may order findings differently: a Medium on an internet-facing payment system can legitimately outrank a High on an isolated test server.
Why Work With Us
Testing quality comes down to the people doing the testing, not the logo on the report. Every engagement is led by S.S., our lead penetration tester, who holds CISA, CISM, CEH, OSCP, CISSP, and CHFI certifications, CompTIA Security+, multi-cloud security credentials across AWS, GCP, and Azure, and a Certified Linux Professional qualification. Your test is not handed to whoever is available; it is led start to finish by the person with the credentials to back it. We test South African businesses operating under South African regulation, which means our recommendations are written with POPIA, PCI DSS, and King IV in mind from the outset, not bolted on afterward. And because we know budgets get scrutinised, every quote is fixed and scoped upfront: no surprise change orders halfway through an engagement.
Credentials verifiable via the ISC², ISACA, and EC-Council public member registries.
Frequently Asked Questions
How much does penetration testing cost in South Africa?
Most engagements range from roughly R55,000 for a focused single web application test to R250,000+ for a multi-asset engagement covering network, cloud, applications, and social engineering. Cost scales with the number of IPs, applications, or user roles in scope. We provide a fixed, written quote after a free scoping call, never a vague estimate.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is automated software checking your systems against a database of known flaws. A penetration test is a certified human manually attempting to exploit those flaws and chain them together, the way a real attacker would, to prove actual business impact.
How long does a penetration test take?
A single web application or small network test typically runs 5–10 working days of active testing plus 3–5 days for reporting. Larger, multi-asset engagements can take 3–6 weeks. We confirm exact timing during scoping.
Is penetration testing required for POPIA or PCI DSS compliance?
POPIA doesn’t name penetration testing directly but requires “appropriate technical and organisational measures,” and regulators treat regular testing as evidence of compliance. PCI DSS Requirement 11.4 explicitly mandates penetration testing at least annually for any business handling card data.
What happens after the report is delivered?
You get an executive summary for leadership and a technical report for your engineers, plus one round of free retesting within 60–90 days once fixes are deployed, to confirm vulnerabilities are actually closed.
Is it safe to test production systems?
Yes, when scoped properly. We agree testing windows, exclusion lists, and stop conditions upfront. For highly sensitive systems, we often recommend testing a staging environment that mirrors production, or scheduling intrusive tests during low-traffic periods.
Get Started
Tell us about your environment and we’ll recommend the right scope and testing approach on a free call, no obligation, no generic sales pitch.
