On-Demand Penetration Testing

Pentest at sprint pace, right-sized to your scope.

3-day, 7-day, or 15-day shapes, for a single web app, an app plus supporting API, or a multi-app stack. Same manual depth as a discipline-specific engagement, scoped on a 30-minute call, delivered with a working proof-of-exploit, the patch path, and a verified re-test.

[Figure: the three engagement shapes on a 0-15-day sprint timeline: a 3-day Sprint bar, a highlighted 7-day Standard bar, and a 15-day Deep bar.]

Right-sized

3-day Sprint, 7-day Standard, or 15-day Deep, pick the shape that fits the target, not the calendar.

Manual depth

Scanner output triaged down to what is actually exploitable, manually chained exploits surfaced, and a working proof-of-exploit attached to every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • AICPA SOC 2 Type II

Why on-demand

Engineering ships every sprint. Your pentest doesn't.

An annual pentest is one snapshot of an application that has already changed by the time the report lands. The 51 weeks in between go unreviewed. On-demand closes the gap: each release cycle gets a right-sized engagement, small enough to fit your sprint, deep enough to surface what scanners won't. The same CREST-accredited pentesters, the same manual depth, sized to the work you're shipping this quarter.

[Figure: two year timelines stacked. ANNUAL: one marker on the year line, tagged 1 SCAN. ON-DEMAND: twelve smaller markers spread across the same year, tagged 12 SPRINTS. Visualises the coverage gap that on-demand pentesting closes.]

THREE ENGAGEMENT SHAPES.

Same depth. Scoped to scale.

Pick the shape that fits the target. Asset volume drives the number of tester-days; the methodology and the accreditation stay the same at every tier.

Sprint
3D

Single web app, single API, or a focused regression. OWASP Top 10 and SANS Top 25 mapped, working proof-of-exploit, fixes in your sprint cycle.

Standard
7D

App plus supporting API plus business-logic edge cases. Auth flows, role-based access, integration surfaces. Longer-tail vulns the scanner misses.

Deep
15D

Multi-app stack: auth, RBAC, payment, third-party integrations, mobile-API surface. Exhaustive depth for an annual security-posture review.

What we test on-demand

One engagement model. Every target you ship.

Web, mobile, API, network, internal, brought under one delivery model. You don’t have to pick a discipline before you scope; we right-size the team and the depth to your target.

Web applications

Single SPA, multi-tenant, e-commerce, internal portal. Auth flows, RBAC, business logic, payment-stage integrity, manually walked, not scanner-rubber-stamped.

REST + GraphQL APIs

OWASP API Top 10 mapped. BOLA (broken object-level authorization), mass assignment, rate-limit bypass, schema introspection abuse, refresh-token rotation gaps.
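The two API bug classes named above are easier to recognise in code than in a list. Below is an added example written for this page, not SecureLayer7's tooling or a client's code: a toy /users/{id} handler in its vulnerable form (BOLA on read, mass assignment on update) beside a hardened form that checks object ownership against the proven caller identity and allow-lists writable fields. The store, request shape and "only email is editable" policy are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Any


def sample_store() -> dict[int, dict[str, Any]]:
    """Constructed sample data: two ordinary users. Fresh copy per call."""
    return {
        1: {"id": 1, "email": "alice@example.test", "role": "user", "balance": 100},
        2: {"id": 2, "email": "bob@example.test", "role": "user", "balance": 50},
    }


@dataclass
class Request:
    """Stand-in for an HTTP request to /users/{id}: caller_id comes from the
    verified session or token, path_user_id from the URL path."""
    caller_id: int
    path_user_id: int
    body: dict[str, Any] = field(default_factory=dict)


class Forbidden(Exception):
    """Raised by the hardened handlers when the object is not the caller's."""


# --- Vulnerable handlers: the shape a tester expects to find. ---------------

def get_user_vuln(store, req: Request) -> dict[str, Any]:
    # BOLA: the path id is trusted as-is, so any authenticated user can read
    # any other user's record by changing the number in the URL.
    return store[req.path_user_id]


def update_user_vuln(store, req: Request) -> dict[str, Any]:
    # Mass assignment: every key in the JSON body is written to the record,
    # including "role" and "balance", which the client was never meant to set.
    store[req.path_user_id].update(req.body)
    return store[req.path_user_id]


# --- Hardened handlers: object-level check plus a field allow-list. ----------

WRITABLE_FIELDS = frozenset({"email"})  # assumed policy: only email is user-editable


def _authorize_object(store, req: Request) -> dict[str, Any]:
    user = store.get(req.path_user_id)
    # Compare the addressed object's owner to the proven caller identity.
    # Missing and not-owned objects fail identically, so the id space cannot
    # be enumerated through differing error responses.
    if user is None or user["id"] != req.caller_id:
        raise Forbidden("not authorized for this object")
    return user


def get_user_safe(store, req: Request) -> dict[str, Any]:
    return _authorize_object(store, req)


def update_user_safe(store, req: Request) -> dict[str, Any]:
    user = _authorize_object(store, req)
    unexpected = set(req.body) - WRITABLE_FIELDS
    if unexpected:
        # Reject rather than silently drop: a silent drop hides the probe
        # from the client and from your own logs.
        raise ValueError(f"fields not writable: {sorted(unexpected)}")
    user.update({k: v for k, v in req.body.items() if k in WRITABLE_FIELDS})
    return user


def raises(exc_type, fn, *args) -> bool:
    """True if fn(*args) raises exc_type; used to show the hardened path refuses."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    store = sample_store()
    attacker = Request(caller_id=2, path_user_id=1)
    print("BOLA read of user 1 by user 2:", get_user_vuln(store, attacker)["email"])
    escalate = Request(caller_id=2, path_user_id=2, body={"role": "admin"})
    print("mass-assigned role:", update_user_vuln(store, escalate)["role"])
    print("hardened read refused:", raises(Forbidden, get_user_safe, sample_store(), attacker))
```

The two checks are independent: an ownership check alone still leaves a user able to promote themselves, and a field allow-list alone still leaves every record readable. Both are what the re-test verifies, each against a real request on the fixed build.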

Mobile apps (iOS · Android)

Native, hybrid, and cross-platform builds. Static analysis plus runtime instrumentation with Frida, deeplink hijack, Keychain / Keystore mishandling, addJavascriptInterface RCE in WebViews that still target pre-API-17 Android.

Network IPs (internal + external)

Service enumeration, exposed admin panels, weak auth chains, default-credential pivots, RCE chains into the application stack, walked by hand, not just nmap output.

Internal apps + admin portals

VPN-gated, SSO-fronted, role-segmented apps. Same auth depth as external surfaces, mapped to your insider threat model and least-privilege contract.

Cloud + container surfaces

AWS, Azure, GCP, and Kubernetes: IAM mishandling, over-scoped managed identities, credential theft through SSRF against IMDSv1, and pod-to-host RBAC bypass, all tested under your real workload identity model.
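The IMDSv1 SSRF item above is usually reached through a server-side feature that fetches a user-supplied URL (webhooks, link previews, importers). The following is an added example for this page, not SecureLayer7's tooling, of the outbound-URL check a tester expects to find missing and then expects to see in the fix: it rejects the metadata address in its dotted, decimal, hex and IPv4-mapped IPv6 forms, rejects known metadata hostnames, and resolves ordinary hostnames so the caller can pin the connection to the vetted addresses. The metadata hostname list and the resolver seam are assumptions; the address classification uses the standard library's `ipaddress` module.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed deny-list of metadata hostnames (GCP, plus bare names used on some
# platforms); extend for the clouds you actually run.
METADATA_HOSTNAMES = frozenset({"metadata.google.internal", "metadata", "instance-data"})


def parse_ip_literal(host: str):
    """Return an IPv4Address/IPv6Address if host is an IP literal in dotted,
    bracketed-IPv6, plain-decimal or 0x-hex form; otherwise None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        if host.lower().startswith("0x"):
            return ipaddress.ip_address(int(host, 16))  # e.g. 0xA9FEA9FE
        if host.isdigit():
            return ipaddress.ip_address(int(host))      # e.g. 2852039166
    except ValueError:
        pass
    return None


def is_blocked_ip(ip) -> bool:
    """Block anything not globally routable: loopback, RFC 1918, CGNAT, ULA
    and link-local, which is where 169.254.169.254 (IMDS) lives. IPv4-mapped
    IPv6 (::ffff:a.b.c.d) is unwrapped first so the IPv4 rules apply."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return not ip.is_global


def default_resolver(host: str) -> set:
    """Resolve to the full address set, so a name with one public and one
    link-local record is still rejected."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url: str, resolver=default_resolver):
    """Return (allowed, reason, pinned_ips). Connect only to pinned_ips, not
    to a fresh resolution of the hostname, to defeat DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", set()
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host", set()
    if host.rstrip(".") in METADATA_HOSTNAMES:
        return False, "metadata hostname", set()
    literal = parse_ip_literal(host)
    if literal is not None:
        if is_blocked_ip(literal):
            return False, f"non-global address {literal}", set()
        return True, "ok", {str(literal)}
    # Shorthand forms such as "127.1" are not IP literals to ipaddress, so
    # they fall through to resolution and are judged by what they resolve to.
    addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    if not addrs:
        return False, "unresolvable", set()
    if any(is_blocked_ip(a) for a in addrs):
        return False, "resolves to non-global address", set()
    return True, "ok", {str(a) for a in addrs}


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2852039166/",
              "http://0xA9FEA9FE/", "http://[::ffff:169.254.169.254]/"):
        print(u, "->", check_outbound_url(u)[:2])
```

Two caveats the check does not cover on its own: HTTP redirects must be disabled or re-validated per hop, because the first hop can be a public host that 302s to the metadata address; and on AWS the root fix is still to require IMDSv2 (session-oriented, token-in-header) on the instance, since the validator protects one code path while the metadata endpoint protects every process on the host.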

ON-DEMAND METHODOLOGY.

Six phases. Closed-loop at every shape.

Compressed for a 3-day Sprint, expanded for a 15-day Deep. The methodology, the manual coverage, and the sign-off contract stay the same.

  1. Brief

     30-minute scoping call. Your target, timeline, build pipeline, and risk model walked through with the engagement lead. No 2-week SOW process.

  2. Scope

     Right-sized to a 3-, 7-, or 15-day shape. Asset list, deliverables, success criteria, and re-test contract written in one document.

  3. Recon

     Dependency graph, attack-surface map, exposed endpoints, and authentication paths inventoried before the manual phase begins.

  4. Exploit

     Manually chained exploits surfaced. Scanner output triaged to the exploitable. Each finding paired with a working proof-of-exploit on a real environment.

  5. Report

     Working PoC, severity scored against business impact, the patch path written for engineering. Executive summary and CVSS evidence for the audit trail.

  6. Re-test

     Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation that each path is closed before the engagement is signed off.

Meet your engagement lead

One named lead, on demand.

John Dill

vCISO at SecureLayer7

3 · 7 · 15

Engagement shapes (days)

Manual

Methodology at every shape

Included

Re-test on every engagement

John runs on-demand scoping from kick-off to re-test. He translates your target, timeline, build pipeline, and risk model into a 3-, 7-, or 15-day shape, then owns status checkpoints and sign-off so the pod stays heads-down on the engagement.

  • Right-sizes engagements against your sprint cycle, asset volume, and risk model, not a fixed-tier menu.
  • Owns kick-off, mid-engagement walkthroughs, and live review of every finding before it lands in the report.
  • Drives remediation review and re-test until every finding is closed and proven on your environment.
SL7 Lab. Published CVE research.

Ready to scope an on-demand engagement? Book 30 minutes with John to walk through your target, timeline, and which shape fits.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Startups

Single-sprint engagements that ship before your next SOC 2 audit.

Tech SaaS

Release-train-aligned re-tests on the surfaces that changed since last engagement.

FinTech

Pre-launch product pentests for new features hitting regulated environments.

Built for Australia engagements

What changes when we deliver here.

  • Compliance scoping

    CPS 234 ¶23 material-change trigger workflow

  • Delivery windows

    AEST / AEDT change-board aligned delivery

  • Local engagements

    Neo-bank: 27 on-demand tests in 12 months

  • Local pricing

    AUD credit pool, drawn per finding, GST itemised

  • Re-test window

    30-day retest free for every finding

Questions Australian product teams ask first.

  • Can a test start within a sprint window?

    Yes. Standard SLA is 5 business days from PO. Urgent CPS 234 ¶23 material-change tests can start within 48 hours when scope is locked.

  • Do reports land before the next CAB?

    Yes. Draft report inside 3 business days of test close. Final with retest evidence inside 10 business days, before the typical fortnightly CAB.

  • How are findings billed when scope changes mid-test?

    Fixed-cap engagement letter holds. Out-of-scope discoveries are logged for a follow-up SOW with AUD line items and GST.

  • Will retests close the CPS 234 ¶23 loop?

    Yes. One free retest per finding inside 30 days. Retest evidence carries the auditor-ready closure note for the CPS 234 register.

Delivery in Australia

CPS 234 ¶23 change-driven. AEST scheduled.

Tests are triggered by material change, in line with CPS 234 ¶23's requirement that regulated entities maintain their information security capability as information assets and the threat environment change. AEST / AEDT delivery windows match Sydney and Melbourne change-board calendars.

Direct line
+61-2-0000-0000
Office
Sydney, Australia

Frameworks scoped: ASD Essential 8 · APRA CPS 234 · Privacy Act · ISO/IEC 27001.

[Figure: sample on-demand pentest report: chain · evidence · patch path · re-test.]

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working proof-of-exploit, the patch path, and the re-test confirmation. Sent on request after a 5-minute scoping call.