Question 1

What does a website security audit actually test?

Accepted Answer

We test your entire web application for the OWASP Top 10 vulnerability categories plus additional checks — totalling over 2,800 individual tests. This covers SQL injection, cross-site scripting (XSS), broken authentication, sensitive data exposure, security misconfigurations, outdated components, business logic flaws, and access control weaknesses. We test both the front-end (what users see) and back-end (APIs, server configuration, database interactions).

Question 2

How much does a website security audit cost?

Accepted Answer

Our standard Website Security Audit is $500 AUD. This includes the full OWASP Top 10 assessment, a detailed technical report with remediation guidance, an executive summary, a findings walkthrough call, and free re-testing of critical and high findings after your team applies fixes. For sites with more than 50 unique pages or complex API integrations, we provide a custom quote after scoping.

Question 3

Will the audit slow down or break our website?

Accepted Answer

No. We throttle our scanning to avoid performance impact — typically using the same request volume as a moderately busy period of normal traffic. We never perform denial-of-service testing or destructive exploitation. For e-commerce sites, we can schedule intensive scanning during off-peak hours. In years of testing, we have never caused a client outage.

Question 4

What is the OWASP Top 10?

Accepted Answer

The OWASP Top 10 is an internationally recognised list of the ten most critical web application security risks, maintained by the Open Web Application Security Project. The current (2021) list includes broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, identification and authentication failures, software and data integrity failures, logging and monitoring failures, and server-side request forgery. Our audit covers all ten categories plus additional checks beyond the standard list.

Question 5

Do you test WordPress / Shopify / custom-built sites?

Accepted Answer

Yes to all three. For WordPress sites, we include plugin-specific vulnerability scanning, xmlrpc.php abuse testing, and user enumeration checks. For Shopify, we focus on custom theme code, third-party app integrations, and checkout flow security. For custom-built applications (React, Vue, Laravel, Django, Node.js, etc.), we tailor our testing to the specific framework and technology stack.

Question 6

What kind of report do we receive?

Accepted Answer

You receive two documents: a technical report and an executive summary. The technical report lists every finding with its CVSS severity score, detailed description, exploitation evidence (screenshots and request/response logs), affected URLs, and step-by-step remediation instructions your developer can follow. The executive summary provides a high-level security posture overview suitable for management or board reporting.

Question 7

How often should we get a website security audit?

Accepted Answer

We recommend a full audit annually at minimum, plus re-testing after any major code release, platform migration, or technology change. For businesses handling sensitive data (healthcare, finance, e-commerce), quarterly testing is advisable. Our ongoing monitoring package at $200/quarter provides automated scanning between annual assessments to catch new vulnerabilities as they emerge.

Question 8

What is the difference between a vulnerability scan and a penetration test?

Accepted Answer

A vulnerability scan is automated — it checks for known vulnerabilities against a database of signatures. A penetration test includes manual exploitation, business logic testing, and chained attacks that scanners cannot perform. Our Website Security Audit includes both: the automated scan (2,800+ checks) identifies potential issues, and our testers manually validate, exploit, and assess the real-world impact of each finding.

Question 9

Can you test sites that require a login?

Accepted Answer

Yes. We perform both unauthenticated testing (as an external attacker would see your site) and authenticated testing (as a logged-in user). For authenticated testing, you provide us with test credentials for each user role — we then test for privilege escalation, where a low-privilege user attempts to access admin functions. This is critical for detecting broken access control, the most common web vulnerability.

Question 10

What if we cannot fix a vulnerability immediately?

Accepted Answer

Our report includes both permanent fixes and temporary mitigations. For example, if a SQL injection exists in a legacy feature that requires significant redevelopment, we will suggest a web application firewall (WAF) rule as an immediate mitigation while the permanent fix is developed. We prioritise findings by risk, so your team knows which issues need urgent attention and which can be scheduled into normal development sprints.

Question 11

Is this suitable for small business websites or only enterprise?

Accepted Answer

Our $500 Website Security Audit is specifically designed for small and medium businesses. You do not need an internal IT team — our report includes plain-English explanations alongside technical details that any web developer can follow. Small businesses are increasingly targeted because attackers know they often lack security resources. A professional audit is one of the most cost-effective security investments an SMB can make.

Question 12

Do you provide a certificate after the audit?

Accepted Answer

Yes. Upon completion and after your team has addressed critical findings, we issue a Website Security Assessment Certificate that you can share with clients, partners, or regulators as evidence of proactive security testing. The certificate is valid for 12 months and includes the scope of testing and date of assessment.

Website Security Audit

Why Your Website Needs a Security Audit

Of Sites Vulnerable

Avg Breach Cost

Checks Per Audit

Report Turnaround

What We Test — OWASP Top 10 and Beyond

SQL Injection & Injection Flaws (A03:2021)

Cross-Site Scripting (A07:2021)

Authentication & Session Management (A07:2021)

Sensitive Data Exposure (A02:2021)

Security Misconfiguration (A05:2021)

Business Logic & Access Control (A01:2021)

See How AI Can Transform Your Operations

Our 5-Phase Testing Methodology

Reconnaissance & Discovery

Scanning & Exploitation

Reporting & Remediation Support

Website Security Audit FAQs

Find Out What Attackers Already Know About Your Website