SQEP-led, independent cyber resilience for Singapore CII and enterprise across APAC
SQEP-led, independent cyber resilience for Singapore CII and enterprise across APAC
Security testing by CREST-certified operators across web, mobile, network, cloud, IoT, wireless — and AI & LLM systems. Infracom is a CREST Pathway+ Organisation, with operators holding elite CREST and Offensive Security certifications, serving Singapore and Australia.
VAPT (Vulnerability Assessment & Penetration Testing) combines automated scanning with manual exploitation by certified testers — covering web, mobile, network, cloud, IoT, wireless, and AI/LLM systems. Used to satisfy PDPA, MAS TRM, PCI DSS, Essential Eight, IRAP, and ISO 27001 evidence requirements. Without CREST-certified testing, audits return 'inadequate evidence' — Infracom is a CREST Pathway+ Organisation with operators holding CCT INF, CCT APP, OSCP, and OSCE³ credentials.
VAPT identifies and remediates vulnerabilities across your entire attack surface — from traditional infrastructure to modern AI and LLM deployments.
Uncover weaknesses across networks, applications, cloud, IoT, and AI systems before attackers exploit them.
Satisfy PDPA, GDPR, ISO 27001, PCI DSS, MAS TRM, Essential Eight, and IRAP with CREST-accredited reporting.
Demonstrate security due diligence to regulators, board, customers, and government procurement panels.
Many firms claim "penetration testing" capability — few hold a recognised independent credential. Infracom is a CREST Pathway+ Organisation; testing is performed by CREST-certified operators. For Australian engagements requiring CREST Accredited firm status, we partner with CREST Accredited firms — testing is performed by our CREST-certified operators under joint engagement.
Verify this credential at credly.com · Listed at www.crest-approved.org
Every engagement is tailored to your needs — applied consistently across traditional infrastructure and AI systems.
For context on how VAPT fits our independent assurance methodology, our three-tier model pairs technical testing with SQEP advisory and GRC governance signoff.
Define scope, rules of engagement, and boundaries.
Information gathering on the target environment.
Attack surface mapping and infrastructure profiling.
Identify, classify, and prioritise all vulnerabilities.
Controlled exploitation to determine business impact.
Lateral movement to assess full depth of compromise.
Executive summary, findings, and remediation roadmap.
Comprehensive coverage across your full attack surface — tailored to your systems and compliance requirements.
OWASP Top 10, authentication flaws, injection attacks, session management, and business logic weaknesses beyond automated scanning.
Request a web app pen-test scoping call →iOS and Android — uncovering flaws leading to unauthorised access, data breaches, or sensitive data exposure through mobile or backend APIs.
Request a mobile app pen-test scoping call →External and internal network assessment — identifying vulnerabilities, lateral movement paths, and remediation priorities.
Request a network pen-test scoping call →Full IoT attack surface — hardware, firmware, applications, networks, and encryption across domestic, industrial, and automotive environments.
Request an IoT security pen-test scoping call →All internet-facing systems, APIs, and services — reducing exposure to data breaches and reputational damage from external threats.
Request an external infrastructure pen-test scoping call →On-site testing of wireless infrastructure across WPA2, WPA3, and 802.1X networks including rogue access point detection.
Request a wireless pen-test scoping call →IaaS, PaaS, and SaaS — misconfigurations, data exposure, and privilege escalation across AWS, Azure, and hybrid cloud.
Request a cloud pen-test scoping call →Testing aligned to PDPA, MAS TRM, PCI DSS, Essential Eight, IRAP, and GDPR — satisfying auditors in Singapore and Australia.
Request a regulatory compliance pen-test scoping call →As AI systems move into production, the attack surface expands beyond traditional infrastructure. Our specialists test LLM applications against the OWASP Top 10 for LLM Applications 2025.
Direct, indirect, and multimodal prompt injection — testing whether your LLM can be manipulated to bypass guardrails.
Systematic testing of safety filters using adversarial prompts and multi-turn manipulation techniques.
Assess whether your LLM inadvertently discloses PII, training data, or system prompts.
RAG pipeline security — vector database injection, embedding manipulation, and context window exploitation.
AI API penetration testing — authentication, rate limiting, input validation, and privilege escalation.
Assess AI systems against SG AI Governance Framework, AU AI Ethics Principles, and GDPR Art.22.
When AI agents can browse, execute code, and call APIs autonomously, the blast radius of a single vulnerability expands dramatically. Our agentic AI red teaming assesses these unique risks in your production deployments.
← Swipe to compare →
| Capability | CREST Pathway+ Organisation Infracom | CREST Member (full Accreditation) |
|---|---|---|
| Stage in CREST framework | Stage 2 — self-assessed against CREST organisational and discipline standards | Stage 3 — independently audited firm-level membership |
| Verified at | crest-approved.org Pathway+ listing | crest-approved.org Members listing |
| Operator certifications carried by team | CCT INF · CCT APP · CRT (individual CREST certs) + OSCP · OSCE³ | CCT INF · CCT APP · CRT (individual CREST certs) |
| Independent firm-level CREST audit completed | In progress (within 2-year advancement window) | Completed |
| Singapore CSRO licence held | Yes — provider-level licence under SG Cybersecurity Act | Verify per firm |
| AU IRAP / UK NCSC CHECK schemes where firm-level CREST sign-off is specified in the tender | Partner with a CREST Accredited firm; testing performed by Infracom CREST-certified operators under partner umbrella | Direct |
Definitions and stage descriptions sourced from crest-approved.org. Specific regulator and tender acceptance criteria vary — confirm with the issuing Authority or procurement team before relying on the comparison above.
Every Infracom penetration test is conducted by operators who hold elite CREST and Offensive Security certifications. Infracom is a CREST Pathway+ Organisation — listed on the CREST Pathway+ register. Where CREST Pathway+ Organisation sign-off is required (e.g. for certain government tenders), Infracom partners with a CREST Accredited firm, with testing and reporting performed by our own certified operators.
CREST's recognised professional certification — required for Singapore government engagements and cross-recognised by CREST Australia New Zealand via OSCP equivalency.
Six-hour practical exam against live systems. Deep expertise in network penetration testing, Active Directory exploitation, and advanced lateral movement.
CREST's highest-level application security certification — web apps, APIs, databases, cloud, and containers. Finds vulnerabilities that automated scanners cannot detect.
Global benchmark for hands-on penetration testing — compromising multiple live systems under real exam conditions. Formally recognised by CREST as CRT equivalent.
Advanced white-box application security — source code review and manual exploit chain development. OSWE operators' expertise directly underpins our AI/LLM security testing.
The pinnacle of Offensive Security certification — awarded upon completing all three advanced expert qualifications. Relevant to advanced red team and APT simulation engagements.
Our reports meet the specific evidence requirements of each framework — satisfying auditors across Singapore, Australia, and globally.
VAPT for financial institutions — internet-facing systems, internal networks, and critical applications aligned to MAS TRM guidelines.
Supporting PDPA compliance and Singapore government ICT&SS security assessment requirements for public sector projects.
VAPT as part of E8 Maturity Level assessment — identifying gaps across all 8 controls for ML1 to ML3 uplift.
Technical security testing supporting IRAP assessments for Australian government system accreditation.
Testing to demonstrate appropriate technical measures under GDPR Article 32 and ISO 27001 Annex A controls.
AI penetration testing aligned to OWASP Top 10 for LLM Applications 2025 and Agentic AI Top 10.
With the Singapore–Australia Cybersecurity MOU renewed in February 2026, Infracom delivers VAPT by CREST-certified operators and AI security testing to Australian organisations.
CREST Pathway+ penetration testing in Singapore — what we test, how we report, and what to expect.
Tell us about your testing scope — our CREST-certified penetration testers will respond within 1 business day with a tailored proposal across web, mobile, network, cloud, IoT, and AI/LLM testing.