Penetration Testing Services

Know your exposure
before your adversary does.

Ascendant delivers hands-on offensive security engagements led by operators with real-world breach experience. Our services, standards, and assessment methodology are outlined below, including the expertise behind each engagement.

What We Test

Your attack surface,
covered end to end.

Tell us what you've built and we'll tell you where it breaks. Our specialists work the asset type they know best. There are no generalists filling gaps on your engagement.

Web Applications

Logic flaws, broken access controls, injection chains, and the business-critical vulnerabilities automated scanners consistently miss. We test your application the way an attacker uses it.

Mobile Applications

Static and dynamic analysis across iOS and Android. We assess local data storage, network traffic, authentication flows, and the API surface your app depends on.

Cloud Environments

Misconfigured IAM, exposed storage, over-privileged service accounts, and lateral movement paths across AWS, Azure, and GCP. We map what an attacker can reach from a foothold.

Infrastructure

External perimeter assessment through to internal network compromise. We simulate what happens after an attacker gets past the edge and test how far they can move.

Red Team Engagements

Multi-week covert operations designed to pressure-test your detection and response, not just your defences. We operate like the threat actors on your actual threat model.

Social Engineering

Your people are an attack surface. We run targeted phishing, vishing, and pretext campaigns built on open-source intelligence specific to your organisation.

What Makes Us Different

Why clients stop
looking after the first engagement.

Most pentests only produce a PDF. Ours produce confirmed findings your team can act on, an operator available to answer questions throughout, and a retest that verifies the fix actually landed.

Manual Testing

We don't run a scanner and call it a pentest. Every engagement is driven by operators who reason through your environment the way an adversary would. Automation handles the repetitive work; operators handle everything that requires judgement.

Native Integrations

Findings push directly into Jira, Linear, GitHub Issues, or ServiceNow with severity, evidence, and fix guidance already attached. No PDF to triage, no spreadsheet to maintain.

Tailored Scope

Your environment is not a template, and your engagement scope should not be either. Depth, adversary model, and testing focus are defined around your actual threat profile in the scoping call.

Operator Credentials

The certifications that
take years to earn.

Every engagement lead holds a minimum of two advanced offensive certifications. The operators who assess your environment have already proven they can find vulnerabilities under controlled examination conditions.

OSCP
CISSP
GPEN
CAPE
CARTP
AWS
Burp Suite
CCNA

About Ascendant

Started in consulting.
Stayed for the craft.

Ascendant was founded by a group of like-minded penetration testers who met whilst consulting for Australia's largest institutions. Before we ran a single client engagement, our founding team had spent years finding critical vulnerabilities in those same environments.

We wanted to bring that experience to as many organisations as possible. The instincts developed across years of testing some of the most complex environments in the country are the same ones our operators bring to every client engagement today.

2012
Year the founding team began testing professionally
$XX,000+
In bug-bounty rewards earned by the founding team
ASX200
Critical vulnerabilities found in ASX200 environments

How an Engagement Works

Six stages. Fixed price.
No surprises.

From the first scoping call to the retest that closes the final finding, every stage is documented, timeboxed, and priced before we touch your environment.

01

Scope and Plan

We map your environment, agree the rules of engagement, and produce a testing plan specific to your architecture. Not copied from the previous client scope.

02

Reconnaissance

Open-source intelligence gathering and active enumeration across your perimeter. We identify the same entry points an attacker would find before choosing where to apply pressure.

03

Vulnerability Discovery

Systematic coverage of the agreed scope using a combination of tooling and manual techniques. Every candidate finding is queued for operator review before it becomes a confirmed vulnerability.

04

Exploitation

Confirmed vulnerabilities are exploited, chained where possible, and assessed for real business impact. We demonstrate what an attacker could access, not just what they could theoretically attempt.

05

Reporting

Detailed findings with reproduction steps, root-cause analysis, and prioritised remediation guidance. Delivered to your dashboard, not a shared drive link with a seven-day expiry.

06

Retest and Close

Once patches are in, we retest every confirmed finding at no additional charge. Engagements do not close until vulnerabilities are confirmed remediated, not just marked fixed in a tracker.

Engagement Modes

Three approaches.
We'll tell you which fits.

The right engagement mode depends on the question you're actually trying to answer. We'll make a recommendation during scoping. Most clients land on gray-box.

Black-Box

Zero Knowledge

We start with nothing but a target. No credentials, no documentation, no insider context. The closest simulation to an unsophisticated external attacker: maximum realism, longer timeline, narrower coverage. Best when you need to know what a motivated adversary finds from a cold start.

  • No credentials or documentation shared
  • Maximum realism, narrower coverage
Best for external perimeter validation

Gray-Box

Partial Knowledge

We receive limited credentials, API references, or environment context. Operators skip the reconnaissance phase and spend the engagement finding vulnerabilities rather than mapping your architecture. Best return on investment for the majority of organisations.

  • Low-privilege access or documentation provided
  • Balanced depth and coverage
Recommended for most engagements

White-Box

Full Knowledge

We receive source code, architecture diagrams, and elevated credentials. Maximum possible coverage at the cost of longer timelines and higher engagement cost. Best when you need confidence that every code path and configuration has been reviewed.

  • Full source code and documentation access
  • Deepest coverage available
Best for pre-launch or post-breach assurance

Tooling and Process

AI for coverage.
Humans for everything that matters.

We use AI to move faster through reconnaissance, payload generation, and report drafting. Every finding that reaches your desk has been verified by an experienced operator. We do not ship machine-generated uncertainty.

AI-Enhanced Speed

AI compresses the repetitive work: surface enumeration, pattern-matching, payload testing, first-draft reporting. Operators use the time saved to go deeper on findings that actually matter to your business.

Human Verification

Every candidate finding is reproduced and assessed by a human before it becomes a vulnerability in your report. False positives waste your engineers' time. They do not leave our platform.

Common Questions

Straight answers
to real questions.

Still have a question we haven't covered? Our operators take scoping calls directly. No gatekeepers, no sales qualification layer between you and the person running your engagement.

A controlled attack against your own environment, run by operators who think and move like real adversaries. The goal is to find and demonstrate vulnerabilities, with proof of exploitability, before someone with less friendly intentions does the same.

Accepting Engagements

Ready to begin?

Request a scoping call or a tailored technical proposal. An experienced operator responds within 48 hours.