CREST Approved Penetration Testing
CREST-accredited penetration testing across mobile, web, API, network, wireless, Active Directory, and thick-client environments, tailored to your technical environment and compliance needs.
Penetration testing is ethical hacking under legal authorisation: simulating realistic attacks against systems before adversaries find their way in. Vantage Point delivers that capability at enterprise scale across Southeast Asia, with 50+ CREST-registered consultants, over a decade of regional experience, and the Velocity platform underpinning every engagement.
CREST accreditation is the global benchmark for penetration testing quality. It validates not just consultant credentials, but the methodologies, evidence handling, and reporting standards behind the work. Every engagement we deliver under this service line meets those requirements.
Where traditional penetration testing varies tester-to-tester, Velocity gives our consultants a structured, test-case-driven path through each engagement. Findings are reproduced, scored, and traced back to specific regulatory or technical requirements, so the report you receive is built for audit defensibility, not just remediation backlog.
Why penetration testing is non-negotiable for regulated organisations.
Regulators expect it, and increasingly specify how
CSA Singapore, OJK Indonesia, and Bank of Thailand all reference penetration testing as a control expectation for financial services and critical infrastructure. Tests must be appropriate, scoped to the environment, and executed by competent providers.
Vulnerability scanners only see what they have signatures for
Most real-world breaches start with business-logic flaws, chained misconfigurations, and identity-driven attack paths, exactly the category of issues automated tools cannot reliably find.
Boards are asking the questions auditors used to
Quantified risk, traceable evidence, and remediation timelines now show up in board packs. Penetration testing that produces audit-defensible evidence, not just a PDF, is what lands at that level.
What we test.
Vantage Point covers the full breadth of modern penetration testing. Engagements are usually combined: a mobile app rarely sits alone, there is a backend API, a cloud account, and an identity layer all in scope at once.
Application layer
Where most attack surface lives today, and where our roots as the original authors of OWASP MASTG and MASVS are most directly relevant.
- Mobile applications (iOS, Android)
- Web applications
- REST and SOAP APIs
- Thick-client desktop applications
- Browser extensions and embedded SDKs
Infrastructure Layer
External-facing infrastructure, internal lateral-movement paths, wireless rollouts, and the Active Directory environments most regional enterprises still run on.
- External and internal network testing
- Wireless and Wi-Fi networks
- Active Directory and identity environments
- Network segmentation validation
- Cloud-hosted infrastructure (where in scope)
Hardware
IoT and embedded devices tested in our regional hardware lab, covering hardware interfaces, firmware, communications, and the supporting cloud / mobile ecosystem.
- Hardware interfaces, UART, JTAG, SWD, SPI, I²C, eMMC, NAND
- Debug pads, USB, serial consoles, boot-mode access
- Firmware extraction, unpacking, binary and filesystem analysis
- Bootloader, kernel, and embedded Linux / RTOS review
- Hardcoded secrets, certificates, and update-package analysis
- Secure boot, signing, and rollback protection
- Wireless and radio, Wi-Fi, BLE, Zigbee, Z-Wave, LoRa, cellular
- Device-to-cloud and device-to-mobile flows
- Tamper resistance and physical attack surface
What we typically surface across penetration testing engagements.
Drawn from common categories our consultants surface across engagements of this type. Severity and prevalence vary by environment and maturity.
Authentication & authorisation gaps
Broken access control between user roles, insecure password reset flows, JWT signature weaknesses, and IDOR exposing other tenants' data.
Business logic abuse
Bypassing payment flows, race conditions in account creation, replay-attack tolerance, and workflow shortcuts the application was never designed to permit.
Sensitive data exposure
PII or financial data in error messages, in debug endpoints, in client-side JavaScript, or in mobile application bundles.
Identity & privilege escalation
Domain user to domain admin in a few hops via Kerberoasting, ACL abuse, or service-account password reuse.
Configuration weaknesses
Default credentials still present, deprecated TLS, exposed management interfaces, weak segmentation between production and corporate networks.
Third-party and integration risk
Vulnerable libraries with known CVEs, insecure SSO integrations, leaked API keys, supply-chain dependencies running with excessive permissions.
A structured, intelligence-led path through every engagement.
Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.
Scoping
Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.
Execution
Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.
Validation
Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.
Reporting
Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.
Debrief & Retest
Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.
Reports built for audit, engineering, and executive review.
Every engagement produces verifiable, traceable, regulator-ready artefacts, generated by Velocity and signed cryptographically.
PDF · JSON · XML · CSV · Multi-Language Reporting Supported · CVSS 3.0 / 3.1 / 4.0
- Cryptographically signed final report
- Findings mapped to Velocity test cases
- CVSS 3.0, 3.1, and 4.0 scoring
- Reproduction steps, payloads, screenshots
- Remediation guidance and configuration examples
- Executive and technical reporting
- Standards / regulator coverage matrix
Common buyer questions.
How long does a typical engagement take? +
Before engaging with a client we hold a scoping session to better understand your application and environment. Most penetration testing engagements take 2–3 weeks from start to completion.
What is the difference between a vulnerability assessment and a penetration test? +
A vulnerability assessment identifies known weaknesses, usually with automated tools. A penetration test goes further: exploiting weaknesses (where safe), chaining them together, and demonstrating real business impact. Penetration testing typically combines both approaches.
Do you test in production, or in a non-production environment? +
Wherever possible we prefer to test in non-production environments, UAT, staging, dedicated test platforms, or representative pre-production builds. That removes the risk of customer-facing impact and lets us run deeper, more aggressive techniques than a live system would safely tolerate. When non-production isn't feasible, which is common for external network testing, cloud control-plane work, identity testing, and red-team scopes, we test production under written Rules of Engagement: agreed change windows, abort criteria, throttled scan intensity, and your incident-response team briefed in advance so detection signals can be correlated with our activity rather than triaged as a live incident.
Do you provide retesting after we fix findings? +
Yes. A retest cycle on remediated findings is included in every engagement so that fixes are verified, not just claimed, before the report is closed.
How does your reporting support regulatory audit? +
Each engagement produces a complete compliance report that records, per test case and per standard, what was executed, what passed, what failed, and the evidence captured, so auditors can map our work directly to their control matrix rather than relying on a generic "we did a penetration test" summary.
Test your defences the way attackers actually test them.
Speak to a CREST-accredited consultant about scoping your next penetration testing engagement.