Security Testing & Penetration Testing · Australia & USA

We find what
scanners miss —
before attackers do.

Automated scanners catch 30% of vulnerabilities. KiwiQA's certified ethical hackers find the rest — through manual penetration testing, AI-specific threat modelling and API security deep-dives aligned with OWASP Top 10, ISO 27001, GDPR and the Australian Privacy Act.

OWASP Top 10 · ISO 27001 · PCI DSS · GDPR · Privacy Act · AI Threat Modelling · CREST Aligned · Zero Trust
Security Testing Coverage
OWASP
Top 10 fully covered
ISO 27001
Certified practice
100%
Critical vuln closure
AI Act
Ready assessment
GDPR
Compliance testing
PCI DSS
Payment security
What We Test
Web & API Penetration Testing: Manual + Automated
AI & LLM Security Testing: Prompt Injection · Poisoning
Network & Infrastructure: Internal · External · Cloud
Compliance & Audit Readiness: ISO · GDPR · PCI DSS
Security Testing Australia · Penetration Testing · OWASP Top 10 · AI Security Testing USA · API Security · Ethical Hacking · ISO 27001 · Vulnerability Assessment · PCI DSS Testing
The Problem

Cyber threats are evolving faster
than most security teams.

The average cost of a data breach in Australia is $3.35M. Yet most organisations rely on annual compliance audits and automated scanners — while attackers innovate constantly. Traditional security testing is no longer sufficient, especially in the AI era.

Pain Points We Solve
Point-in-time audits miss real threats
Annual pentests provide a snapshot — but attackers don't wait 12 months. Continuous shift-left security testing is now essential.
AI introduces a new attack surface
Prompt injection, model extraction and data poisoning are invisible to traditional DAST/SAST tools and standard manual pentesters.
Compliance ≠ security
Passing ISO 27001, PCI DSS or SOC 2 doesn't mean you're secure. Compliance frameworks lag real-world attacker techniques by years.
API security is underestimated
APIs are the #1 attack surface for modern apps. REST, GraphQL and WebSocket endpoints are systematically overlooked in standard pentests.
Third-party and supply chain risk
78% of breaches involve a third-party component. Supply chain attacks via open-source dependencies are now a leading enterprise threat vector.
Teams lack dedicated security expertise
Development and DevOps teams can't maintain deep security expertise alongside their delivery work — specialised security QA is essential for high-assurance systems.
Security Risk Profile
Every attack surface.
Covered before launch.
Active AI & injection attack vectors
Supply chain & API exposure
KiwiQA tests all of the above
Industry Reality
$3.35M
Average cost of a data breach in Australia (IBM 2024)
78%
Of AI apps vulnerable to prompt injection (KiwiQA 2024)
287 days
Average time to identify and contain a breach
2026
EU AI Act high-risk AI compliance deadline
The KiwiQA Solution

8 security testing dimensions.
One specialist engagement.

Certified ethical hackers combining AI-specific threat modelling with a structured 4-phase methodology — delivering findings your team can immediately action, not just lengthy reports.

01
Penetration Testing
Certified ethical hackers simulate real-world attacks — not just automated scans — to identify and prove exploitable vulnerabilities before attackers do.
Real exploits proven
02
AI Prompt Injection
Specialist AI threat testing covering prompt manipulation, jailbreaking, indirect injection via tool outputs, model extraction and multi-turn attack sequences.
200+ attack templates
03
API Security Testing
Deep inspection of authentication, authorisation, data exposure, injection flaws and access control across all API surfaces and protocols.
REST · GraphQL · WebSocket
04
Vulnerability Assessment
Systematic scanning using Burp Suite, OWASP ZAP, Nessus and Fortify combined with manual expert review to cover all known vulnerability classes.
OWASP Top 10 mapped
05
Compliance Auditing
Gap analysis and audit readiness for GDPR, ISO 27001, HIPAA, Australian Privacy Act, PCI DSS, OWASP Top 10, NIST and EU AI Act requirements.
GDPR · ISO 27001 · PCI DSS
06
Data Encryption Testing
Evaluating the effectiveness of encryption, access controls, data masking and tokenisation protecting sensitive user and business data at rest and in transit.
At-rest & in-transit
07
Cloud Security Testing
Security validation for cloud environments covering IAM configuration, storage exposure, network security groups, API gateways and serverless functions.
AWS · Azure · GCP
08
Mobile Security Testing
Comprehensive mobile app security testing covering OWASP Mobile Top 10, certificate pinning, local storage inspection and reverse engineering resilience.
iOS & Android · OWASP Mobile
200+
Adversarial prompt templates
100%
Critical vulnerability closure
OWASP
Top 10 full coverage
ISO 27001
Certified practice
8
Security testing disciplines
2026
EU AI Act readiness
Security Testing Methodology

Plan. Assess. Exploit.
Report. Remediate.

A structured 4-phase security testing cycle that moves beyond automated scanning to deliver proven, exploitable findings your team can act on immediately.

01
Plan
Test Plan & Threat Modelling
Comprehensive threat model defining attack surfaces, threat actors and risk scenarios specific to your application, infrastructure and industry context.
Threat Model · Scope Definition · Attack Surface Mapping
02
Assess
Vulnerability Assessment
Systematic scanning using Burp Suite, OWASP ZAP, Nessus and Fortify combined with manual expert review covering OWASP Top 10 and custom threat vectors.
Automated Scanning · Manual Review · CVSS Scoring
03
Exploit
Exploiting & Validation
Controlled exploitation of identified vulnerabilities to confirm impact severity and validate the proof-of-concept. Separates genuine risks from theoretical findings.
Proof of Exploit · Impact Validation · Risk Prioritisation
04
Report
Reporting & Remediation
Detailed security report with vulnerabilities by CVSS severity, penetration results, technical and business impact analysis, and prioritised remediation roadmap.
CVSS Report · Remediation Plan · Executive Summary
Our Deliverables
Security Testing Plan
Scope, threat model, acceptance criteria
Security Test Execution Report
Step-by-step findings with evidence
Vulnerabilities by CVSS Severity
Critical → High → Medium → Low
Penetration Test Results
Proof-of-exploit with screenshots
Technical & Business Impact Analysis
Risk translated to business consequence
Prioritised Remediation Recommendations
Actionable, effort-weighted roadmap
Recommended Mitigations
Code-level and architecture fixes
Executive Summary Report
Board-ready risk overview
AI-Specific Security Threats
Prompt Injection & Jailbreaking
200+ adversarial templates, multi-turn chains
Model Extraction Attacks
API query patterns that reconstruct model IP
Data Poisoning Detection
Training pipeline integrity validation
Membership Inference Testing
PII leakage from model outputs
Adversarial Robustness
Perturbation testing for misclassification
Guardrail Bypass Validation
Content filter & safety control testing
Compliance Standards
OWASP Top 10 · SANS Top 25 · NIST · ISO 27001 · HIPAA · GDPR · Australian Privacy Act · PCI DSS · EU AI Act · SOC 2 · CIS Controls
Tools
Burp Suite
OWASP ZAP
Nessus
Fortify
Metasploit
Kali Linux
Wireshark
AppScan
Client Testimonials

What clients say about
KiwiQA Security Testing.

It was a pleasure to work with Niranjan and his team of dedicated and comprehensive testers. A great experience full of support and passion to deliver a great service.

Rebecca VanZutphen
Project Lead, UK

Our experience with KiwiQA has been very positive. The QA contractor demonstrated strong technical capability, reliability, and a proactive approach to quality assurance.

Amit Kubovsky
ReadiNow AI, Australia

Niranjan & the KiwiQA team have been excellent. They have demonstrated great ownership, hustle and maintained a high quality bar akin to top tech companies like Flipkart.

Nikhil Goenka
Director, Technology

KiwiQA provide high quality support at a very reasonable price. Their penetration testing on our platform was very thorough and provided us confidence in the cyber security.

Founder, AirSmile
Avenue Dental Kawana, AU
Security Insights

Expert guides on
security testing.

Why Security Testing is the Last Line of Defence — And Why Most Teams Get It Wrong
Security Testing
Security testing is often treated as a checkbox at the end of a project. Here's why that approach is dangerously outdated and what a mature practice looks like.
21 Nov 2024 · 8 min read
AI Prompt Injection Testing: Understanding and Defending Against the New Attack Surface
AI Security
Prompt injection is now one of the highest-priority vulnerabilities in AI systems. Here's how it works, why it matters, and how to test your defences.
22 Jul 2024 · 8 min read
API Security Testing: Protecting Your Backend from Modern Threats
Security Testing
APIs are now the primary attack surface for modern applications — and the most commonly undertested. A comprehensive API security testing strategy covers authentication, authorisation, injection, rate limiting and business logic vulnerabilities.
25 Jan 2025 · 9 min read
FAQ

Frequently asked questions

Everything you need to know — answered.

What is penetration testing?

Penetration testing (pen testing) is an authorised, simulated cyberattack against a software system, network or application, designed to identify exploitable vulnerabilities before real attackers do. KiwiQA's certified ethical hackers use the same tools, techniques and methodologies as malicious actors — including OWASP ZAP, Burp Suite, Metasploit and custom exploit scripts — but operate under a defined scope, rules of engagement and legal authorisation. Every engagement concludes with a risk-rated findings report containing proof-of-concept evidence, CVSS severity scores, business impact analysis and a prioritised remediation roadmap. Pen testing is distinct from automated scanning — it catches logic flaws, business workflow vulnerabilities and chained attack vectors that scanners miss.

What is OWASP and why does it matter for security testing?

OWASP (Open Worldwide Application Security Project) is a non-profit foundation that publishes the OWASP Top 10 — the globally recognised list of the most critical web application security risks, updated every 3–4 years based on real-world vulnerability data. The 2021 edition includes injection, broken access control, cryptographic failures, insecure design and security misconfigurations. KiwiQA uses the OWASP Testing Guide as the foundation for all web and API security assessments, ensuring comprehensive coverage of known vulnerability classes. OWASP compliance is referenced in ISO 27001, SOC 2, PCI DSS and the Australian Government Information Security Manual — making it the baseline standard for any defensible security posture.

What security testing services does KiwiQA offer?

KiwiQA offers a comprehensive suite of security testing services including web application penetration testing, mobile app penetration testing (iOS and Android), API security testing against the OWASP API Security Top 10, network and infrastructure penetration testing, cloud security review (AWS, Azure, GCP), vulnerability assessment and management, OWASP Top 10 testing, threat modelling and architecture review, GDPR/Privacy Act compliance auditing, PCI DSS testing, ISO 27001 gap assessment, AI-specific security testing including prompt injection and model extraction, and secure code review. All services are delivered by OSCP, CEH or GPEN certified engineers with industry-specific experience.

How does KiwiQA approach API security testing?

KiwiQA tests APIs against the OWASP API Security Top 10, covering broken object-level authorisation (BOLA), authentication and authorisation weaknesses, excessive data exposure, rate limiting gaps, mass assignment vulnerabilities, security misconfigurations, injection flaws and improper asset management. We test both REST and GraphQL APIs, examining every endpoint for authentication bypass, privilege escalation, data exfiltration and business logic flaws. Tools include Burp Suite Pro, OWASP ZAP, Postman and custom Python scripts for chained attack scenarios. Every finding includes a request/response proof-of-concept, CVSS score, business impact statement and specific remediation guidance — not just a scanner export.

What compliance standards does KiwiQA test against?

KiwiQA tests against ISO 27001, SOC 2 Type I and II, PCI DSS Levels 1–4, HIPAA (healthcare data), GDPR (EU personal data), the Australian Privacy Act 1988, NIST Cybersecurity Framework, the Australian Government Information Security Manual (ISM), OWASP Top 10, SANS Top 25 and the EU AI Act for AI system security. We deliver compliance evidence packages — including test reports, vulnerability evidence, remediation records and executive summaries — that are suitable for submission to external auditors, regulators and certifying bodies. Our reports are accepted by Big Four audit firms and government procurement panels.

How long does a penetration test take?

Engagement timelines vary by scope and application complexity. A web application penetration test typically takes 5–10 business days for execution and 2–3 days for reporting. Mobile app pen tests take 3–7 days. Network and infrastructure assessments range from 3 days for small environments to several weeks for complex enterprise networks. API-only assessments typically take 3–5 days. KiwiQA provides a detailed scope of work and timeline estimate in every proposal, based on the number of endpoints, user roles, business functions and integration points involved. Urgent engagements with compressed timelines can be accommodated with additional resource allocation.

Is your system truly secure?

Get a comprehensive security assessment from KiwiQA's certified ethical hackers. Available across Australia and the US.

ISO 9001 · ISO 27001 certified · OWASP aligned