Penetration Testing — Find Your Vulnerabilities Before Attackers Do

Smahh's certified ethical hackers simulate real-world attacks against your web applications, networks, cloud environments, and APIs to uncover and fix critical vulnerabilities before they can be exploited.

Most organisations do not know they have been compromised

Most organisations believe their security controls are effective until a breach proves otherwise. Firewalls, endpoint protection, and secure coding guidelines all reduce risk, but they cannot eliminate it. The real question is: have you tested whether your defences actually hold up when a skilled attacker targets them directly?

Attackers do not follow documented procedures. They probe for logic flaws in your authentication, chain together minor misconfigurations to escalate privileges, and exploit forgotten legacy endpoints that your team didn't even know were exposed. Standard vulnerability scanners only find known CVEs. They cannot replicate the creativity and persistence of a real-world attacker.

Regulatory frameworks including ISO 27001, PCI-DSS, SOC 2, and the New Zealand Information Security Manual (NZISM) increasingly mandate regular penetration testing as part of a mature security programme. Beyond compliance, a penetration test gives your board and executive team concrete evidence of your security posture rather than theoretical assumptions.

Smahh delivers penetration tests that go beyond automated scanning. Our certified testers combine manual expertise with professional tooling to identify vulnerabilities that automated tools consistently miss, providing you with a prioritised, actionable remediation roadmap.

What our penetration testing covers

Web application penetration testing

We test your web applications against the full OWASP Top 10 and beyond. Our testers manually probe authentication flows, session management, input validation, access controls, and business logic for vulnerabilities that automated scanners routinely miss. Every endpoint, every parameter, every user role is tested.

Network penetration testing

We simulate an attacker who has gained a foothold on your network — either internally or from the internet perimeter. We map your network, identify exposed services, test firewall rule sets, exploit misconfigured services, and attempt lateral movement and privilege escalation to demonstrate real-world impact.

API security testing

Modern applications are held together by APIs, and APIs are a primary attack surface. We test REST, GraphQL, and SOAP APIs for broken object-level authorisation, broken function-level authorisation, mass assignment, injection vulnerabilities, and rate limiting weaknesses, following the OWASP API Security Top 10.

Cloud penetration testing

We test your AWS, Azure, and GCP environments for exploitable misconfigurations. This includes IAM privilege escalation paths, overly permissive storage bucket policies, insecure serverless function configurations, exposed metadata endpoints, and inter-service trust abuse to demonstrate cloud-specific attack chains.

Social engineering & phishing simulation

The human element remains the most targeted attack vector. We design and execute realistic phishing simulations, pretexting scenarios, and vishing campaigns to measure how effectively your staff recognise and respond to social engineering attacks, providing actionable training recommendations based on results.

Red team operations

A red team engagement is the gold standard of security testing. Rather than a scoped technical test, our red team operators simulate a persistent, advanced threat actor attempting to achieve a specific objective — such as accessing sensitive financial data or gaining domain admin privileges — using any available technique.

Why work with Smahh

Certified testers, real expertise

Our penetration testers hold OSCP, CEH, and CREST certifications. Certifications matter, but the quality of our manual testing matters more. We employ testers with genuine offensive security backgrounds who understand how attackers think and operate.

Clear, business-readable reports

Every finding is documented with its technical detail, confirmed proof-of-concept evidence, a CVSS risk rating, and a plain-English explanation of business impact. We also provide an executive summary that communicates risk without technical jargon.

Remediation support included

We don't just hand over a report and disappear. Our testers are available to your development and security teams to clarify findings, validate proposed fixes, and conduct a free retest of all critical and high vulnerabilities within 90 days.

How we work

Step 01

Scoping and rules of engagement

We define the target scope, testing window, authorised methods, and out-of-scope systems to ensure a safe and legally compliant engagement.

Step 02

Reconnaissance

We gather open-source intelligence on your organisation, map your external attack surface, and identify all in-scope assets before active testing begins.

Step 03

Active exploitation

Our testers attempt to exploit discovered vulnerabilities to determine real-world impact and chain findings together to demonstrate attack paths.

Step 04

Reporting and debrief

We deliver a comprehensive technical report plus an executive summary, followed by a live debrief session to walk your team through every finding.

Step 05

Retest and sign-off

After your team remediates findings, we retest all critical and high vulnerabilities to confirm they are fully resolved and provide written sign-off.

Results we've delivered

100% of critical findings remediated and retested within 90 days
3.2x average number of high-risk findings in first-time engagements
CREST certified methodology, aligned with NZ and AU standards

* Results vary by starting point and engagement scope.

Frequently asked questions

A vulnerability scan is an automated process that identifies known software vulnerabilities (CVEs) by comparing your systems against a database of known flaws. A penetration test is a manual, adversarial process where a certified tester attempts to actually exploit vulnerabilities, chain them together, and demonstrate real-world business impact. Scans produce a list of potential issues; pen tests prove which ones are genuinely exploitable.

Duration depends on the scope. A focused web application test for a medium-sized application typically takes 5–10 days. A comprehensive network penetration test or red team engagement can take 2–4 weeks. We provide a detailed scope estimate after an initial discovery call.

We design all tests to avoid causing service disruption. Before testing, we agree on a set of rules of engagement that define testing windows and prohibited techniques (such as denial-of-service testing) to ensure business continuity throughout the engagement.

We recommend annual penetration testing as a minimum, with additional tests triggered by significant changes such as major new features, infrastructure migrations, or new regulatory requirements. High-risk environments (fintech, healthcare, government) should consider bi-annual or quarterly testing cycles.

Yes, we can test in production environments with appropriate safeguards in place. Many real-world vulnerabilities only manifest in production due to differences in configuration, data, and integrations. We coordinate testing windows and safeguards with your team to minimise risk.

Ready to find your vulnerabilities before attackers do?

Book a scoping call with our certified penetration testing team to design an engagement that meets your security and compliance requirements.