Penetration Testing Checklist: Your Blueprint for Security Excellence in New Zealand

Test your defences with NZ's most experienced pen testing team. CREST-certified. 400+ clients.
Download The Checklist

Every penetration test tells a story about your organisation. The question is whether you're getting the full picture.

Penetration testing shouldn't be a compliance checkbox. Done well, it's one of the most valuable investments an organisation can make, surfacing the risks that actually matter, giving your teams clear priorities, and building genuine confidence in your security posture.

The challenge is that not all pen tests are created equal. The difference between a test that generates a report filled with generic findings and one that drives meaningful security improvement comes down to how it's scoped, who's doing the work, and whether the approach is tailored to your organisation's actual risk profile.

We built this checklist to help you get more from your next penetration test, whether you're running one for the first time or refining an existing program.

Our team works across industries and threat environments every day. That hands-on experience has given us a clear view of what separates a penetration test that sits in a drawer from one that shapes security strategy and delivers measurable return.

The Bastion Security Group Penetration Testing Checklist covers:
Testing Criteria
What should actually be in scope, and how to avoid the gaps that leave organisations exposed to the risks they assumed were covered.
Recommended Approaches
How to match testing methodology to your environment, architecture, and business objectives rather than applying a one-size-fits-all framework.
AI Exposure Testing
A rapidly evolving attack surface that most testing programs haven't caught up with, and what your organisation should be asking about it now.
Industry Guidelines
Navigating New Zealand regulatory and insurer expectations without letting compliance alone dictate your security strategy.
Tips to get the most value
Practical guidance on preparation, communication, and follow-through that turns findings into outcomes. We help prioritise issues and provide practical guidance so your teams can fix and verify them.

Why partner with Bastion?

Bastion brings together the expertise of Quantum Security, ZX Security, Helix Security, Cassini and Cythera, giving you depth across offensive security and broader cyber services when you need it.
Trusted by 400+ clients across New Zealand and internationally
Certified specialists including CISM, ISO27001, OSCP, SABSA, CISA, CISSP and PCI-QSA
CREST-certified member company and an approved supplier on the DIA Marketplace
Your organisation isn't generic.
Your penetration test shouldn't be either.
Frequently asked questions

From risk assessment to rapid response - we’re with you every step of the way.

Do you offer independent or CREST-certified testing?

Yes. Bastion is a CREST-certified penetration testing provider, meaning our testing meets globally recognised standards for quality, ethics and technical rigour.

How often should we run a penetration test?

Most organisations benefit from annual testing as a baseline, with additional tests following significant changes to systems, applications or infrastructure - or when required for compliance.

Can a penetration test help us meet compliance or audit requirements?

Yes. Many organisations require penetration testing to meet compliance frameworks including ISO 27001, PCI DSS, Essential Eight and sector-specific standards. We can scope the engagement to align with your specific compliance obligations and provide documentation to support your audit.

Do you test cloud environments, web applications and APIs?

Yes. We cover external and internal networks, web and mobile applications, cloud environments, APIs, SaaS platforms and specialist areas including OT/SCADA, wireless and hardware.

What's the difference between a vulnerability scan and a penetration test?

A vulnerability scan uses automated tools to identify known weaknesses. A penetration test goes further - our testers simulate real attacker behaviour to validate those risks and uncover more complex issues that tools alone miss.

How long does a penetration test take?

A penetration test typically takes around 5 days, although the exact duration depends heavily on the agreed scope and the specific objectives of the engagement. Penetration testing is tailored to your environment, risk profile and goals, so timelines can vary accordingly.