we uncover hidden security risks for any business

Penetration Testing

Advanced techniques to expose an attack before it happens.

Penetration testing is a technical assessment used to identify vulnerabilities within your environment or application and assess your defensive capabilities against an attack.


Identifying vulnerabilities within a web application and its underlying infrastructure.


From the perspective of an external hacker we will identify vulnerabilities in external-facing services.

web services/api

A technical assessment of a web service or API to identify any potential security vulnerabilities.

mobile application

Identifying vulnerabilities within a mobile application on both iOS and Android operating systems.

social engineering assessment

Identifying staff vulnerabilities by targeting them with sophisticated phishing and vishing attacks.

wireless security

Identifying vulnerabilities within a wireless network to ensure it meets industry standards.

physical security

An evaluation of the physical security of a site to identify potential vulnerabilities that could be exploited for a physical intrusion.

internal network

Testing your internal network segments to identify vulnerabilities that could be utilised for lateral movement or privilege escalation.

Red Teaming

We TARGET multiple layers of your organisation to test defensive capability.

While a typical penetration test is limited to a specific service or environment, a Red team assessment will target multiple layers of your organization to test their defensive capability against an attack from an APT (Advanced Persistent Threat).

Technology, people & physical

We will target your technology, people and physical security to identify the risk posed by an APT against agreed objectives.

WE Identify vulnerabilities

We assist your team in defending against successful attacks to mature your defensive capabilities.

risk prioritised report

All report findings and recommended remediation actions allow you to mature the defensive capability of your environment.

Physical Assessment

identifying specific physical security vulnerabilities

A physical assessment is aimed at identifying physical security vulnerabilities at specific sites. We will evaluate each site to identify potential vulnerabilities to attempt a physical intrusion.

Gray Box Physical Assessment

An escorted physical assessment of a site to identify potential physical vulnerabilities.

Black Box Physical Assessment

We will try to gain physical access to your environment from the perspective of an external attacker.


A physical assessment can tests your users awareness in identifying unauthorised individuals.


Detailed reporting that explains how particular vulnerabilities at each site were exploited, as well as mitigation strategies.

case studies

The Problem


The vast majority of corporate environments do not have regular security assessments or vulnerability scanning. General security tools and technologies such as anti-virus and firewalls are typically in place but the effectiveness of these controls and processes is mostly unknown.
The Solution


Alchemy design an assessment that would provide maximum value by identifying vulnerabilities and risks across multiple layers of the environment. This helps to establish both a current state or baseline, as well as a road map to a more secure future state.

The Impact


By utilising our extensive reporting skills we are able to align identified vulnerabilities with actual business risks. This allows customers to not only mitigate vulnerabilities through existing controls, but also secure additional funding to purchase additional technology to fill gaps in their defensive capabilities.

The Testimonial


We have utilised Alchemy Security Consulting for numerous penetration testing engagements. Their strong technical capabilities combined with a customer-focused approach have delivered both quality and successful outcomes on each occasion

How It Works

Our Unique Process We Developed Over 10 years.

Alchemy Security Consulting Pty Ltd provides a broad range of security assessment services to assist our customers in identifying vulnerabilities and maturing their defensive capabilities.


The scope will define the objectives, constraints, scheduling and reporting requirements for the assessment.

assessment execution

We will execute the assessment in line with the agreed scope.


All findings will be documented in a risk prioritised report detailing all findings and recommended actions.

remediation testing

A retest of key findings is performed to validate that remediation actions by the customer have successfully mitigated identified vulnerabilities without introducing further vulnerabilities or risks.

The Benefits

List all the benefits

Penetration testing, red teaming and physical assessments allow you to proactively identify and remediate vulnerabilities within your environment from the perspective of a highly skilled attacker.


Identify vulnerabilities within your environment before an attacker does.


Reduce risk by identifying appropriate monitoring and detection strategies.


By emulating an advanced threat actor we can test your defensive capabilities and resilience against advanced attacks.


By performing advanced phishing campaigns, we test the user awareness of your users.

Frequently Asked Questions

Still got questions? Contact us
contact us
What is penetration testing?
Penetration testing is a technical assessment used to identify vulnerabilities within your environment or application and assess your defensive capabilities against an attack.
Is penetration testing a legal requirement?
There are no legal requirements to perform regular penetration testing. However, there are numerous regulatory and compliance frameworks that do require regular testing such as PCI compliance.
How often should I get a penetration test?
Generally we suggest that testing is performed against a web application or environment on an annual basis. However, when introducing large changes to a web application or environment it would be worth performing a penetration test to ensure no additional risk has been introduced to the environment.
How long does it take to do the test?
This largely depends on the scope of the assessment. Generally a basic assessment will start at five days, and for larger environments or more complex applications this moves up to 10 days or more.

It’s free to chat

Send us a message and we will be in touch as soon as possible. And it’s free to chat

Recent Post

Detecting and defending against advanced persistent threats utilizing the latest in industry-leading tools and techniques to strengthen and mature the security posture.

Conti Group - Tooling, Leaks and Russian FSB Ties

The Conti group have been featured across many news outlets lately both inside and outside the cyber security community. It is well known that this specific threat actor is mainly…
Read More

Yes, Local Administrators ARE a Risk

Modern environments are in a constant state of flux; new systems are being commissioned, and old systems decommissioned, to meet new requirements and increase efficiency in all sectors. Managing those…
Read More

OSINT for Penetration Testers

Part of performing an effective and successful penetration test requires gathering as much information about the target as possible. The more information you have on your target, the more likely…
Read More

CONTI Group - The not so advanced APT

Recently in the news it was revealed that a member of an “APT” group that utilises the “Conti” ransomware became disgruntled at the state of their relationship with the group…
Read More

Hidden Cobra - Uncovering the North Korean APT

Advanced persistent threats come in many forms ranging from your crime groups, activists all the way through to your state sponsored groups. While some of these threat actors such as…
Read More

Please Sign Here - Why NTLM Relaying Is Still a Risk in 2021

The Windows Name Resolution Flow You may be under the impression that turning host names into IP addresses is simple. You check:  The Hosts file; then Your system’s DNS (Domain Name System) resolver  That’s it right? If you don’t…
Read More

The benefits of Red Teaming

Red teaming is not a new concept within the cyber security community. However in Australia, Red Teaming is a relatively new term for most organisations. In this blog post we'll…
Read More

Stealing Password Reset Tokens for Fun and Profit

When adding a “Password Reset” function to your application it is especially important to ensure this has the same security considerations as any other critical function within the application. Due…
Read More

MITRE ATT&CK Framework Primer

The MITRE ATT&CK framework is a fairly familiar term within the Cyber Security industry. It has quickly evolved from a niche framework, to the core of many security operation centers.…
Read More