Penetration Testing

Technical assurance across applications, infrastructure, cloud, networks, and physical sites.

Amethyst Cyber Group provides scoped penetration testing that combines manual attack techniques, tool-assisted coverage, clear evidence, and pragmatic remediation advice.

Testing types

Choose the right assessment for the environment

Web application testing

Authentication, authorisation, session handling, input validation, business logic, file handling, and API-backed workflows.

API testing

REST, GraphQL, and integration APIs tested for object-level access control, token handling, schema misuse, injection, and abuse paths.

Mobile application testing

iOS and Android applications tested for insecure storage, transport security, authentication, API misuse, reverse engineering risk, and platform control weaknesses.

External infrastructure

Internet-facing hosts, exposed services, remote access, TLS posture, attack surface, and exploitable configuration weaknesses.

Internal infrastructure

Active Directory, lateral movement paths, privilege escalation, segmentation, insecure services, and credential exposure risks.

Cloud testing

Azure, Microsoft 365, AWS, Google Cloud, Oracle Cloud, and cloud-hosted services tested for identity, permissions, storage exposure, logging, and attack paths.

Wireless testing

Wireless authentication, encryption, guest separation, rogue access point risks, and network placement validation.

Physical penetration testing

Authorised assessment of physical access controls, visitor processes, tailgating risks, security awareness, and routes to sensitive areas or assets.

What it is

Penetration testing is a controlled security assessment that attempts to identify and safely validate exploitable weaknesses before they can be abused. The work combines manual testing, tool-assisted coverage, evidence gathering, and practical remediation advice.

Who it is for

Suitable for organisations launching new systems, meeting supplier assurance requirements, validating remediation, preparing for audits, or needing independent evidence of technical security risk.

How it helps

  • Confirms whether vulnerabilities are exploitable
  • Prioritises findings by business impact
  • Gives technical teams clear remediation steps
  • Supports risk acceptance and supplier assurance

Prerequisites

Prepare a clean scope before testing starts

The prerequisite pack lists the information normally needed before testing begins, including asset lists, test accounts, IP allow-listing, emergency contacts, and evidence-handling expectations.

Penetration testing prerequisite pack

PDF checklist for scoping, access, accounts, safe testing windows, and client responsibilities.

FAQ

Penetration testing questions

What types of penetration testing can be scoped?

Typical scopes include web applications, APIs, mobile applications, external infrastructure, internal networks, cloud platforms, wireless networks, and authorised physical testing.

Do you need authenticated access?

Authenticated access is recommended where possible because it gives better coverage of role-based functionality, internal application paths, configuration issues, and privilege boundaries.

Will testing disrupt production systems?

Testing is planned around agreed safe windows, exclusions, and emergency contacts. Destructive activity is avoided unless explicitly authorised and controlled.

What is included in the final report?

The report normally includes an executive summary, technical findings, evidence, affected assets, severity ratings, business impact, and practical remediation guidance.

Can remediation be retested?

Yes. Retesting can be scoped after fixes are applied to confirm whether reported issues have been remediated effectively.