Mockingjay Studio — Adelaide, Australia

Web application penetration testing for Australian businesses

Manual, OWASP-aligned testing. Fixed price. Within two weeks. Reports your auditor, insurer, or customer's security team will accept. From $2,500.

See a sample report Get in touch

Two ways to engage

Pentests for direct buyers and white-label for agencies

Same technical work, two different commercial models depending on who you are and what you need.

Direct engagement

I need a pentest for my business

You're a SaaS founder, CTO, or operations lead facing a vendor security questionnaire, an insurance renewal, an audit, or a pre-launch sign-off. You need a credible, defensible pentest report — without the $15,000 quote from a Big-4-adjacent firm.

Get in touch →

Partnership

I'm an agency or MSP

You build web applications for clients and they're starting to ask for security testing. You don't want to staff a pentester in-house and you don't want to broker a $12k engagement and lose the margin. White-label our testing under your brand.

Learn about white-label →

What's included

What you receive in every engagement

Manual OWASP WSTG testing Hands-on assessment by a human, not a scanner. Tools support the work but don't replace it.
Comprehensive PDF report Findings prioritised by severity, with technical detail, business impact, and remediation guidance.
External attack-surface scan Included as Appendix A. Email security, headers, breach exposure, network posture — at no extra cost.
Within two weeks From kick-off to final report, depending on scope. Critical findings reported as identified.
One retest included After your team implements fixes, we verify and update the report at no additional cost.
Fixed price, no surprises Engagement letter signed before work begins. The number quoted is the number invoiced.

See exactly what you'd receive

A sample report — same structure, same depth, same level of detail as a real engagement. Redacted from a fictitious client.

Download sample report (PDF)

I built the tools I use

The external attack-surface scanner bundled with every engagement isn't a third-party product — I wrote it. Twelve checks across email authentication, web security headers, SSL/TLS, CVE detection, breach exposure, and network exposure. The same scanner produced the research published below. If you want to see your domain's external posture before committing to a paid engagement, get in touch — free scan, no signup.

Latest research · May 2026

Of 144 Australian SMBs scanned, zero scored an A. 70% rated CRITICAL risk.

A study of regional Australian businesses across seven sectors — legal, medical, construction, accounting, real estate, manufacturing, and professional services. Six domains had Windows file sharing (SMB) exposed directly to the internet. Seven had stolen credentials sitting on infostealer marketplaces.

Scored Grade A

70%

Critical risk rating

44%

No DMARC enforcement

71%

No HTTP security headers

Domains with active credential exposure

Read the full study →

Behind the work

Adelaide-based. Offensive security background.

I'm Jiae Black. Mockingjay Studio is an independent penetration testing practice based in Adelaide, focused entirely on web application security for Australian businesses. My background is in offensive security — I understand how attackers think because I've spent years studying exactly how they operate. Every engagement is delivered by me personally, end to end.

Ready to talk

Get in touch

Send a message describing your application, what's driving the need (questionnaire, insurance, audit, pre-launch), and the timeframe you're working with. I respond within one business day.

jiae@mockingjay-studio.com