OWASP-aligned • PTES methodology • CVSS v3.1 scored

AI Penetration
Testing, Done Right.

OWASP- and PTES-aligned testing for your web apps, APIs, and infrastructure. Manually validated. CVSS-scored. Based in Melbourne.

OWASP Top 10: full coverage
PTES: methodology aligned
CVSS v3.1: every finding scored
100% manually validated
Methodology

A Six-Phase, Standards-Aligned Methodology

Every engagement follows the Penetration Testing Execution Standard (PTES) and the OWASP Web Security Testing Guide. AI orchestration accelerates discovery; human testers validate and exploit.

01

Scope & Authorisation

Written authorisation, defined rules of engagement, in-scope asset inventory, and allowed techniques — signed before a single packet is sent.

02

Passive Reconnaissance

WHOIS, DNS, certificate transparency, subdomain enumeration (subfinder, amass), and OSINT gathered without touching your infrastructure.

03

Active Recon & Enumeration

Port and service discovery with nmap, HTTP probing via httpx, technology fingerprinting, and per-service deep-dives to map the live attack surface.

04

Vulnerability Identification

Templated scanning with nuclei, CVE correlation, TLS auditing (sslscan), and content discovery (ffuf) — orchestrated by AI agents, triaged in parallel.

05

Manual Validation

Every candidate finding is confirmed by hand. Demonstration-only proofs of concept. Zero destructive testing. Zero false positives in your report.

06

Reporting

A signed External Penetration Test Report: CVSS v3.1 scored findings, executive summary, reproduction steps, business-impact analysis, and a prioritised remediation roadmap.

Coverage

What We Test

External attack surface, internal applications, and everything modern teams ship in between — scoped to OWASP Top 10, ASVS, and MITRE ATT&CK.

Web Applications

Injection, broken access control, authentication flaws, SSRF, business logic — full OWASP Top 10 and WSTG coverage.

XSS · SQLi · IDOR · SSRF · CSRF · Auth bypass

REST & GraphQL APIs

OWASP API Security Top 10 coverage: broken object-level authorisation, excessive data exposure, mass assignment, rate limiting.

BOLA · BFLA · Mass assignment · Introspection

LLM & AI Applications

OWASP LLM Top 10 coverage: prompt injection, training data exposure, insecure output handling, model denial of service, and agent abuse.

Prompt injection · Jailbreaks · RAG leakage · Tool abuse

Authentication & Sessions

OAuth 2.0 / OIDC flows, JWT misuse, session fixation, MFA bypass, password reset abuse, and account takeover chains.

OAuth · JWT · Session · MFA · SSO

Cloud & Infrastructure

External perimeter testing, exposed services, misconfigured storage buckets, TLS/SSL hardening, and CDN/origin unmasking.

AWS · GCP · Azure · TLS · DNS

Network Perimeter

Port and service discovery, version-based CVE matching, exposed admin interfaces, and validation of segmentation controls.

nmap · CVE triage · Firewall · VPN

Why Vamos Labs

AI-Accelerated vs. Traditional

We pair autonomous AI agents with experienced human testers to give you the best of both — without the false positives of pure scanners or the wait times of pure consultancies.

Traditional consultancy
2 – 6 weeks
  • Long lead times before kick-off
  • High fixed engagement cost
  • Limited continuous coverage
  • Quality varies by tester
Vamos Labs
Hours, not weeks
  • AI orchestration runs the toolchain in parallel
  • Every finding manually validated by a human
  • CVSS v3.1 scored, signed report
  • Re-test on demand after remediation
Automated scanners
Minutes, but noisy
  • Heavy false-positive load
  • No exploitation or impact analysis
  • Generic remediation suggestions
  • Not accepted for compliance
Deliverable

External Penetration Test Report

Every engagement concludes with a formal External Penetration Test Report — written for engineers, summarised for the board.

finding-F-001.md
HIGH · CVSS 7.4 · F-001

Reflected XSS in /search via `q` parameter

Affected
https://example.com/search?q=
Reproduction
GET /search?q=<svg/onload=alert(1)> HTTP/1.1
Host: example.com
Business impact
Attacker-controlled JavaScript executes in the victim's browser in the application's origin, enabling session theft and account takeover against any authenticated user who follows a crafted link.
Remediation
Apply context-aware HTML entity encoding to the `q` parameter before rendering it into the page, and enforce a strict Content-Security-Policy that disallows inline scripts.
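The remediation for F-001, as an added example that is not part of the sample report or Vamos Labs' own code: a Node.js handler for a hypothetical `/search` route that entity-encodes `q` on output and sends a Content-Security-Policy that blocks inline scripts and event handlers.

```javascript
// Added example (hypothetical /search handler), not code from the original page.
// Assumes a Node.js request object with `url` and a response with writeHead/end.

// Context-aware encoding for HTML text and quoted-attribute contexts: every
// character that could close a text node or attribute becomes an entity.
function escapeHtml(value) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "`": "&#96;",
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Strict policy: scripts only from the page's own origin, so a reflected
// <svg onload=...> or <script> payload is blocked even if encoding is missed.
const CSP =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Builds the search page; `q` is untrusted and is encoded at the output point
// for both the text context (<h1>) and the attribute context (value="...").
function renderSearch(q) {
  const safe = escapeHtml(q);
  return (
    `<!doctype html><html><body><h1>Results for "${safe}"</h1>` +
    `<form><input name="q" value="${safe}"></form></body></html>`
  );
}

// HTTP handler: parses q from the query string, renders it encoded, and sets
// the CSP header on every response (defence in depth alongside the encoding).
function handleSearch(req, res) {
  const url = new URL(req.url, "http://localhost");
  const q = url.searchParams.get("q") || "";
  res.writeHead(200, {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": CSP,
  });
  res.end(renderSearch(q));
}

module.exports = { escapeHtml, renderSearch, handleSearch, CSP };
```

To serve it, pass `handleSearch` to `http.createServer(...)`; the test below drives it with a stub response object instead.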
Report contents
  1. Executive Summary
  2. Scope & Rules of Engagement
  3. Methodology (PTES-aligned)
  4. Findings Summary
  5. Detailed Findings (CVSS v3.1)
  6. Attack Narrative
  7. Remediation Roadmap
  8. Evidence Index
Severity breakdown (chart): Critical / High / Medium / Low
Pricing

Transparent, Scope-Based Pricing

Three engagement sizes. No hidden costs. Re-tests included.

Essential
From AUD $2,500

Single web app or API, OWASP Top 10 coverage, signed report.

  • 1 application in scope
  • OWASP Top 10
  • CVSS-scored findings
  • 1 free re-test
Professional
From AUD $6,000

Multi-app or API + auth surface, deep manual validation, attack narrative.

  • Up to 3 applications
  • OWASP Top 10 + API Top 10
  • Auth & session deep-dive
  • 2 free re-tests
Enterprise
Custom

Cloud, network, LLM, and continuous coverage scoped to your stack.

  • Unlimited scope
  • LLM & cloud coverage
  • Quarterly re-tests
  • Dedicated tester
Questions

Frequently Asked

How is this different from a vulnerability scanner?
Scanners produce candidate findings — we manually exploit and validate every one before it reaches your report. You get zero false positives and proof-of-concept evidence.
Will the report be accepted by our auditors and customers?
Yes. Reports follow the structure expected for SOC 2, ISO 27001, and customer security questionnaires: scope, methodology, CVSS-scored findings, and a remediation roadmap.
Do you do destructive testing?
No. Engagements are demonstration-only. We prove impact with the smallest possible proof of concept and never disrupt production data, users, or services.
How do you scope an engagement?
A 15-minute scoping call covers in-scope assets, allowed techniques, testing window, and emergency contacts. We send a written authorisation document for sign-off before testing begins.
Can you re-test after we fix the findings?
Yes. Every engagement includes free re-tests of remediated findings within 90 days.
Are you based in Australia?
Yes — Vamos Labs is based in Melbourne, Australia, and operates under Australian privacy law. We work with clients globally.

Ship with confidence.

Scope your engagement in a 15-minute call. Authorise testing. Receive a CVSS-scored report. Then fix what actually matters.