Penetration Testing Services: Find the gaps before your adversary does

CREST-certified red team operations for regulated enterprises across APAC. Practitioner-led adversary simulation that tells you what a skilled, persistent attacker can actually achieve against your organisation.

OVERVIEW

What is Vulnerability Assessment and Penetration Testing?

A vulnerability assessment identifies and prioritises known weaknesses in your systems, applications, and infrastructure. A penetration test goes further: it simulates how an adversary would exploit those weaknesses to gain access, move laterally, and cause damage.

Used together, VAPT gives you a complete picture of your attack surface and a confirmed view of what is exploitable right now.

  • Vulnerability assessment: systematic identification and severity scoring of security weaknesses
  • Penetration testing: adversary simulation to confirm exploitability and demonstrate real-world impact
  • Scope definition: network, application, cloud, API, or full-stack coverage
  • Findings report: risk-rated, evidence-backed, written for practitioners and boards alike
  • Remediation guidance: specific, prioritised steps your team can act on immediately

You know exactly where you are exposed. You know which gaps an adversary would use first. You have documented evidence of your security posture for regulators, insurers, and the board.

THE PROBLEM 

A vulnerability scan identifies what exists. Penetration testing services confirm what is exploitable.

Most organisations in APAC run periodic scans and receive a list of CVEs. That list identifies what exists. Penetration testing services go further, confirming what is exploitable, what an adversary would use first, and what the real business impact would be.

Regulators and insurers across APAC are asking for evidence of actual testing. MAS TRM, HKMA iCAST, BNM RMiT, and BSP frameworks all carry expectations around independent security testing. The evidence they require is what a penetration test produces.

Common gaps in security testing programmes:

  • Scan results presented as penetration test findings
  • Findings reports that reach neither the board nor the practitioner effectively
  • Remediation tracked by assumption rather than confirmed closure
  • Scope defined by what is easy to test rather than what adversaries would target
  • Testing cadence aligned to the compliance calendar rather than the risk profile

THEOS APPROACH

Adversary thinking. Practitioner delivery. Outcomes your team can act on.

Theos approaches every VAPT engagement the way an adversary would approach your organisation. We test what matters, with intent, context, and practitioner judgment.

Scope That Reflects Real Risk

Every engagement begins with a scoping conversation that maps your critical assets, your regulatory obligations, and the most likely attack paths specific to your industry and market. We test what your adversaries would target.

Expert-Led Testing

Theos penetration testers are CREST-certified practitioners. They carry experience across financial services, gaming, logistics, maritime, and technology clients across APAC. They know how regulated environments are attacked in this region, and they test accordingly.

Findings That Drive Action

Our findings reports are risk-rated by exploitability and business impact. Each finding includes a clear remediation path. Theos produces two outputs from every engagement: a technical report for your security team and an executive summary your board and regulator can read directly.

Remediation Validation

Theos offers remediation retesting as a standard component of every engagement, confirming that vulnerabilities identified have been closed before the report is finalised.

BENEFITS 

What Theos VAPT delivers for your organisation.

  • Confirmed exploitability: know which vulnerabilities can actually be used against you
  • Risk-prioritised remediation: fix what matters first, in the right order
  • Board-ready reporting: evidence of your security posture in plain language
  • Regulatory compliance: testing aligned to MAS TRM, BNM RMiT, HKMA, PDPA, and BSP requirements
  • Insurer confidence: documented test evidence increasingly required for cyber insurance underwriting

HOW IT WORKS

How a Theos VAPT engagement works.

1. Scope and Define

We work with your team to define the engagement scope, confirm critical assets, and align on rules of engagement. Regulatory requirements and compliance timelines are factored in from the start.

2. Assess

Systematic vulnerability identification across the agreed scope. Every finding is assessed for severity using a risk-based scoring framework, applied in context rather than CVSS scores alone.

3. Penetrate

Our practitioners simulate adversary behaviour to confirm exploitability. We chain vulnerabilities, escalate privileges, and demonstrate real-world attack paths with evidence.

4. Report

Every engagement produces a full technical findings report and a separate executive summary. Findings are rated by exploitability and business impact. Remediation steps are specific and ordered by priority.

5. Remediate and Retest

Your team addresses the findings. Theos retests to confirm closure. The engagement closes when vulnerabilities have been remediated or formally accepted as residual risk.

CAPABILITIES 

Penetration testing capabilities.

  • Network penetration testing: internal and external infrastructure

  • Web application penetration testing: OWASP Top 10 and beyond

  • Mobile application penetration testing: iOS and Android

  • API security testing: REST, GraphQL, and SOAP

  • Cloud configuration review: AWS, Azure, GCP

  • Social engineering and phishing simulation

  • Wireless network testing

  • OT/ICS penetration testing for industrial environments

SCOPE COVERAGE 

What Theos VAPT covers.

  • External attack surface

    internet-facing systems, applications, and APIs

  • Internal network

    lateral movement paths, privilege escalation, segmentation

  • Web and mobile applications

    full-stack assessment against current threat frameworks

  • Cloud environments

    configuration, access control, and data exposure

  • OT/ICS

    operational technology for manufacturing, energy, maritime, and logistics clients

  • Supply chain

    third-party access paths and vendor integrations

PROOF 

What the work produces.

  • 200+ penetration tests per year
  • CREST accredited, every engagement
  • 8.9 client satisfaction score
  • 4+ average years, key client relationships

Hear it from our clients

What outcome accountability looks like in practice.

Theos operates across Singapore, Hong Kong, Malaysia, and the Philippines, serving regulated enterprises where the cost of a breach is highest. What our clients describe is not a vendor relationship. It is a security partnership.

Theos built the engagement around the threat actors targeting our sector in Hong Kong. The findings were structured for HKMA submission and the gaps have since been closed.

Head of Information Security, Financial Services Institution, Hong Kong. Service: Red Team | HKMA iCAST

The engagement identified gaps our existing programme had not surfaced. The findings went directly into our regulatory submission and the gaps have since been remediated.

Head of Information Security, Financial Services Institution, Singapore. Service: Red Team

Theos engaged credibly at board level and at SOC level in the same programme. The ability to do both simultaneously, and produce documentation that holds up to BNM examination, is what made the difference.

Head of Information Security, Joint Venture Insurance Group, Malaysia. Service: Tabletop Exercise Security

We called Theos during an active ransomware incident. Two weeks later the threat was contained. We have not used another security provider since.

Head of IT, Major Commercial and Real Estate Group, Philippines. Service: Incident Response | MDR

TECHNOLOGY & METHODOLOGY

How Theos approaches testing methodology.

Theos VAPT engagements are methodology-led, not tool-led. Our practitioners use industry-standard frameworks as a baseline and apply adversary-specific tradecraft on top of them.

  • OWASP Testing Guide: web and API application security
  • PTES (Penetration Testing Execution Standard): structured engagement methodology
  • MITRE ATT&CK: adversary tactics, techniques, and procedures mapped to real threat actors
  • CVSS and DREAD: vulnerability scoring frameworks, applied in context
  • CREST methodology: accreditation standard applied across every engagement

Tooling

Theos practitioners use a combination of commercial and open-source tooling calibrated to the engagement scope. Tools are selected to reflect how adversaries operating in this region actually work.

VAPT vs ALTERNATIVES

VAPT, vulnerability scanning, and red teaming: what is the difference?

Capability                  | Theos VAPT                       | Automated Scanning / Generic Provider
----------------------------|----------------------------------|--------------------------------------
Adversary simulation        | Yes, practitioner-led            | No
Exploitability confirmed    | Yes, with evidence               | No, theoretical only
Business impact mapped      | Yes, per finding                 | Rarely
Board-ready output          | Yes, executive summary included  | Rarely
Remediation retesting       | Yes, standard inclusion          | Not typically offered
APAC regulatory alignment   | Yes, MAS, BNM, HKMA, BSP         | Generic frameworks
CREST accreditation         | Yes, every engagement            | Varies by provider

USE CASES

Who Theos VAPT is built for.

Regulated enterprises with compliance requirements

MAS TRM, BNM RMiT, HKMA iCAST, and BSP-regulated frameworks in the Philippines all include penetration testing as a required or strongly recommended security control. Theos delivers pen testing in Singapore, Hong Kong, Malaysia, and the Philippines, structured to meet the requirements of each market’s regulatory framework.

Organisations preparing for cyber insurance

Insurers are tightening underwriting requirements across APAC. Documented evidence of periodic penetration testing is increasingly a condition of coverage. Theos produces the evidence your broker needs.

Development teams releasing new applications

Pre-production and pre-release penetration testing finds exploitable vulnerabilities before your adversaries do. Theos application penetration testing covers web, mobile, and API layers in a single engagement.

Organisations that have never tested their environment

An independent penetration test gives your team a confirmed view of your attack surface. For organisations without a recent test, it replaces assumptions with evidence.

Security teams validating remediation

Theos retesting confirms that fixes are effective and the attack path is closed.

WHEN DO YOU NEED A PENETRATION TEST

When does your organisation need a penetration test?

Penetration testing delivers the most value when it runs on a defined cadence aligned to your risk profile and regulatory obligations. Most regulatory frameworks governing APAC enterprises require or strongly recommend periodic independent testing. MAS TRM in Singapore, HKMA iCAST in Hong Kong, BNM RMiT in Malaysia, and BSP-regulated frameworks in the Philippines all carry explicit expectations around security testing that holds up to regulatory scrutiny. 

Beyond the annual requirement, a penetration test is warranted when:

  • Releasing a new application, API, or major product update before it reaches production
  • Making substantial changes to infrastructure, including cloud migrations and environment consolidations
  • Undergoing a merger, acquisition, or corporate restructuring where inherited environments carry unknown exposure
  • Preparing for regulatory review, with findings documented to the standard regulators and auditors require
  • Applying for or renewing cyber insurance, where evidence of independent testing is increasingly a condition of coverage
  • Onboarding third-party vendors with access to your systems or data
  • Following a security incident or near-miss where the full scope was never confirmed

WHAT OUR PENETRATION TESTS FIND

What Theos Cyber penetration tests find.

Security misconfiguration

A frequent finding class across our APAC engagements. We examine cloud infrastructure, application servers, network devices, and access controls for hardening gaps, default credentials, and configuration drift that creates exploitable exposure.

Access control failures

Across our 2025 APAC engagements, access control failures carried a high concentration of critical and high severity findings. We test at the object and function level, not just the role level, validating whether individual records, transactions, and functions are correctly restricted to authorised users.
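The difference between a role-level check and an object- or function-level check is easiest to see in code. The following is an added illustration, not Theos's code or any client's: a role-only handler that lets any authenticated customer read any transaction by id, beside handlers that enforce ownership per record and restrict the refund function server-side. The users, transaction ids and amounts are constructed sample data, and `denies()` is the probe a tester would run to confirm whether a cross-user read or a customer-initiated refund is refused.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin"


# Constructed sample data standing in for a transactions table.
TRANSACTIONS: Dict[int, dict] = {
    1001: {"owner_id": 1, "amount": 250.00},
    1002: {"owner_id": 2, "amount": 80.00},
}


class AccessDenied(Exception):
    """Raised for both missing and foreign records, so a caller cannot
    tell which ids exist by probing for different error responses."""


def read_transaction_role_only(user: User, txn_id: int) -> dict:
    """Role-level check only: any authenticated customer can read any record."""
    if user.role not in ("customer", "admin"):
        raise AccessDenied()
    txn = TRANSACTIONS.get(txn_id)
    if txn is None:
        raise AccessDenied()
    return txn


def read_transaction_object_level(user: User, txn_id: int) -> dict:
    """Object-level check: the record must belong to the caller unless admin."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or (user.role != "admin" and txn["owner_id"] != user.user_id):
        raise AccessDenied()
    return txn


def refund_unchecked(user: User, txn_id: int) -> float:
    """Function-level gap: the refund endpoint trusts that the UI hides the
    button from customers and performs no server-side role check."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None:
        raise AccessDenied()
    return txn["amount"]


def refund_function_level(user: User, txn_id: int) -> float:
    """Function-level check: refunds are an admin function, enforced server-side."""
    if user.role != "admin":
        raise AccessDenied()
    txn = TRANSACTIONS.get(txn_id)
    if txn is None:
        raise AccessDenied()
    return txn["amount"]


def denies(handler: Callable[[User, int], object], user: User, txn_id: int) -> bool:
    """The tester's probe: does this handler refuse the (user, record) pair?"""
    try:
        handler(user, txn_id)
    except AccessDenied:
        return True
    return False


ALICE = User(1, "customer")  # owns 1001
BOB = User(2, "customer")    # owns 1002
ADMIN = User(99, "admin")


def run_probes() -> Dict[str, bool]:
    """Cross-user read and customer-initiated refund against each handler.
    True means the handler behaved correctly for that probe."""
    return {
        "role_only_blocks_cross_user_read": denies(read_transaction_role_only, ALICE, 1002),
        "object_level_blocks_cross_user_read": denies(read_transaction_object_level, ALICE, 1002),
        "object_level_allows_own_read": not denies(read_transaction_object_level, ALICE, 1001),
        "object_level_allows_admin_read": not denies(read_transaction_object_level, ADMIN, 1002),
        "unchecked_blocks_customer_refund": denies(refund_unchecked, BOB, 1001),
        "function_level_blocks_customer_refund": denies(refund_function_level, BOB, 1001),
        "function_level_allows_admin_refund": not denies(refund_function_level, ADMIN, 1001),
    }


if __name__ == "__main__":
    for name, ok in run_probes().items():
        print(f"{name}: {ok}")
```

Running the probes shows the two false results a role-only design produces: Alice can read Bob's transaction, and Bob can trigger a refund on Alice's. Both pass a role check and both are exactly what object- and function-level testing is meant to surface.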

Authentication weaknesses

We assess credential management, session handling, multi-factor authentication implementation, and token security across applications and identity infrastructure.

Business logic vulnerabilities

These vulnerabilities require practitioner judgment to surface. We test how the application is intended to behave and probe for conditions where that logic can be manipulated in ways the original design did not account for: transaction flows, parameter handling, and process sequences that become attack vectors under adversary scrutiny.

Injection vulnerabilities

Still present across legacy environments. We test for SQL, command, and API injection across every layer of the agreed scope.

WHY THEOS

Why Theos penetration testing services.

Findings that drive outcomes, not reports

Every finding is tied to a real attack path, a real business impact, and a specific remediation action. Clients leave each engagement knowing what to fix, in what order, and why. We deliver outcomes.

CREST-accredited, every time

CREST accreditation is an independent verification of our testing methodology, practitioner competence, and engagement standards. Every Theos VAPT engagement is delivered to CREST standards.

Practitioners who know this region

Theos penetration testers deliver cybersecurity services across Singapore, Hong Kong, Malaysia, and the Philippines, working with financial services, gaming, maritime, logistics, and technology clients. They understand how adversaries operate in each market, what regulators expect from testing evidence, and how to frame findings for board and leadership review.

Connected to your broader security programme

Theos VAPT findings feed directly into our MDR detection tuning, our red team planning, and your incident response posture. Clients who work with Theos across multiple service lines benefit from intelligence that compounds across every engagement. A vulnerability found in a VAPT feeds into detection logic. A detection gap found in MDR informs the next VAPT scope.

Continuity across every engagement

Theos clients work with the same senior practitioners across every engagement. For organisations running annual or biannual testing programmes, that means testers who already know your environment, your changes, and your risk profile.

FAQ

Frequently Asked Questions

The questions regulated enterprises in APAC ask most often before commissioning a penetration test.

What is VAPT and how is it different from red teaming?

Vulnerability Assessment and Penetration Testing, commonly referred to as VAPT or pen testing, is a structured evaluation that identifies, assesses, and safely exploits vulnerabilities across your systems, applications, and infrastructure. The goal is to uncover exploitable weaknesses and provide clear findings and remediation guidance before an adversary finds them.

The distinction from red teaming lies in scope and objective. VAPT is structured and time-bound, focused on identifying and validating vulnerabilities across a defined scope. Red teaming is goal-based and extended, designed to test whether a specific objective can be achieved by replicating the behaviour of a skilled and persistent adversary over weeks or months.

Red teaming is where you test whether your defences hold against a real adversary.

Is Theos CREST accredited?

Yes. Theos holds CREST accreditation, a globally recognised standard in offensive security that validates the competence and rigour of our testing practice at a firm level. For regulated industries and enterprise buyers, CREST accreditation is a recognised indicator that testing is conducted to a professional and consistent standard across every engagement.

For clients operating under MAS TRM, HKMA iCAST, or BNM RMiT, CREST accreditation is frequently a procurement requirement. Theos holds it as a baseline requirement across every engagement.

What does Theos test during a VAPT engagement?

Theos tests across every layer of your environment, scoped to where your exposure is highest.

  • Web applications: SQL injection, cross-site scripting, application logic flaws, and session management weaknesses
  • Mobile applications: in-depth assessments across iOS and Android platforms based on current development frameworks and testing methodologies
  • APIs: authentication weaknesses, authorisation flaws, and data exposure risks across internal and third-party API connections
  • Network and infrastructure: firewall configurations, internal segmentation, exposed services, and lateral movement paths from an external or internal attacker position
  • Active Directory: privilege escalation paths and misconfigurations that give an attacker control of your network
  • Cloud environments: vulnerabilities specific to your cloud configuration across AWS, Azure, and Google Cloud Platform

What is the difference between black box, grey box, and white box testing?

Theos offers three testing approaches, each suited to different objectives and levels of prior knowledge.

Black box: The tester approaches your environment with no prior knowledge, replicating exactly how a real attacker would begin.

Grey box: The tester has partial knowledge of the environment, such as user-level access or limited system information. This approach allows the team to focus on higher-risk areas and uncover significant vulnerabilities within a defined timeframe.

White box: The tester has full access to documentation, source code, and system architecture. A thorough approach covering every layer.

Theos recommends the approach that best fits your objectives and the maturity of your security programme, agreed at scoping before testing begins.

How long does a VAPT engagement typically take?

VAPT engagement timelines depend on scope, the testing approach selected, and the complexity of the environment being assessed. A focused web application test typically completes within a few days. Broader engagements covering network infrastructure, Active Directory, and cloud environments run longer, with timelines defined and agreed before testing begins.

Testing is conducted in defined phases with start and stop notifications throughout. High and critical findings are escalated immediately, giving your team visibility into significant risks as the engagement progresses.

Do you test cloud environments?

Yes. Theos tests across AWS, Azure, and GCP, assessing misconfigurations, identity and access management weaknesses, exposed storage, insecure service configurations, and privilege escalation paths specific to your cloud architecture. Each assessment is designed around your environment. Findings are mapped to your specific configuration, grounded in how your environment is actually built.

Can VAPT help us meet regulatory or compliance requirements?

Yes. Regulatory frameworks across our markets recognise VAPT as a core component of a cybersecurity programme. Theos structures engagements to meet the specific testing requirements of the frameworks governing your organisation, with findings documented to the standard required for regulatory purposes. The same findings give your team clear remediation priorities that strengthen your security posture in practice.

What is included in a penetration testing report?

Theos delivers a structured report covering all findings from the engagement. The report includes an executive summary for board and leadership review, and a detailed technical section with each vulnerability identified, how it was exploited, the risk it presents, and recommended remediation actions. Findings are prioritised by severity so your team knows where to act first.

A draft report is submitted for review and Q&A before the final version is issued, giving your team the opportunity to align on findings before remediation begins.

Do you offer retesting after remediation?

Yes. Theos offers retesting following remediation to validate that identified vulnerabilities have been successfully addressed. Retesting covers previous findings, giving your team confidence that fixes are effective before the final report is issued.

What information do you need to start a penetration test?

Theos begins every engagement with an alignment session to understand your environment, objectives, and priorities. From there, we define the testing approach, scope, and rules of engagement.

  • Target information: the systems, applications, APIs, or infrastructure to be tested
  • Testing approach: whether black box, grey box, or white box testing best fits your objectives
  • Environment details: relevant information about your infrastructure, existing security controls, and any testing constraints
  • Regulatory requirements: any specific frameworks or compliance standards the engagement needs to align to

A clear timeline and engagement plan are agreed before testing begins.

GET PROTECTED TODAY

Security is not a product you buy. It is an outcome you earn.

An independent penetration test tells you exactly where you stand.

We deliver outcomes.

TALK TO THEOS
