Mockingjay Studio — Adelaide, Australia

External security assessments for Australian MSPs

Penetration testing and white-labelled security reports that MSPs hand to their clients. You send me a domain, I send you back a branded PDF. No setup, no subscription, no learning curve.

Security checks per scan: 12
Average scan time: 39s
AU domains researched: 46
Had no enforcing DMARC: 85%

White-labelled security reports for MSPs

12 checks across 6 categories. Each scan produces a branded PDF with an A-F grade, executive summary, detailed findings, and remediation roadmap. Your branding, your client relationship — I'm invisible.

Email Security
SPF, DMARC, DKIM, MTA-STS, TLS-RPT — can anyone impersonate this domain?
Web Security
SSL certificates, CAA records, 6 HTTP security headers
Technology Risks
Fingerprint running software, match to known CVEs (CVSS 7.0+)
Breach Exposure
Active infostealer credentials and historical breach database checks
Network Exposure
Open RDP, SMB, SSH, databases — the #1 ransomware entry points
Compliance Alignment
Mapped to ISM controls and Essential Eight. Honestly states what needs internal review.

How the white-label model works

1. You send me a domain

Your client's domain and your branding config — logo, colours, contact details. One-time setup per MSP partner, reused for every scan.

2. I send you a branded PDF

Professional report with your branding. A-F grade, executive summary, detailed findings, ISM mapping, remediation roadmap. Under 40 seconds.

3. You hand it to your client

Your client sees a report from their MSP. You look like you have in-house security assessment capability. I stay invisible.

Penetration testing

Automated tools catch the obvious. Manual testing catches the dangerous — the logic flaws, the privilege escalation paths, the access control gaps that only surface when a human is thinking like an attacker.

Access Control Testing

Can a low-privilege user read admin data? Can one user access another's records? I test vertical and horizontal privilege escalation using multiple accounts at different permission levels, comparing what each role can see and do.

Authentication & Sessions

Password policies, account lockout, session timeout, logout invalidation, concurrent session handling, MFA bypass attempts. I test whether your authentication layer holds under pressure, not just whether the login page works.

Input Validation

Cross-site scripting (XSS), SQL injection, server-side template injection, command injection. I test every input the application accepts — search fields, form submissions, URL parameters, API endpoints.

API & Business Logic

CSRF verification, mass assignment, IDOR, rate limiting, error handling. The kind of flaws that live in the logic layer — where the application does exactly what the code says, but the code says the wrong thing.

How an engagement works

1. Scoping

We define the target, agree on what's in and out of scope, and sign an engagement letter. I'll ask about your architecture so I can focus testing where it matters.

2. Reconnaissance

Passive information gathering — DNS records, technology fingerprinting, subdomain enumeration, public exposure analysis. Understanding the target before touching it.

3. Active Testing

Automated scanning followed by manual testing. I work through the OWASP Web Security Testing Guide systematically — every finding is verified by hand, not just flagged by a tool.

4. Reporting

Professional report with every finding rated by severity, mapped to OWASP Top 10 and ISM controls, with evidence and prioritised remediation. Executive summary for leadership, technical detail for developers.

5. Re-testing

After you've remediated, I re-test the affected areas to verify the fixes hold. The report gets updated to reflect the current state.

Methodology: OWASP WSTG v4.2
Standards: OWASP Top 10, ISM, CWE
Testing type: Grey-box (authenticated)
Approach: Non-destructive
Report format: PDF + machine-readable
Re-testing: Included

What we found scanning 46 Australian SMB domains

Real businesses — law firms, medical clinics, construction companies, financial planners. The results were consistent.

No enforcing DMARC policy: 85%
CRITICAL risk rating: 11%
HIGH risk rating: 20%
Had all 6 security headers configured: 0%
Domain with strong marks — an MSP: 1

Independent. Adelaide-based. Offensive security background.

I'm Jiae Black, the person behind Mockingjay Studio. My background is in offensive security — understanding how attackers think, how credential theft and social engineering work in practice, and how to surface the gaps that most businesses don't know they have.

I apply that perspective defensively — building tools and delivering assessments that make the invisible visible. Recent work includes a grey-box penetration test of an Australian ISM compliance platform and published research across 46 Australian SMB domains.

I work with MSPs because that's where the leverage is. Most Australian SMBs will never hire a security consultant directly. But they trust their IT provider. If that provider can hand them a professional security report with concrete findings and a remediation plan, the conversation changes.

Location: Adelaide, South Australia
Focus: External assessments & pentesting
Market: Australian MSPs serving SMBs
Methodology: OWASP WSTG, ISM, Essential Eight
Compliance: ISM control mapping, E8 alignment
Contact

Ready to talk?

Whether you're an MSP looking for security assessment capability or a business that wants to understand its external exposure — reach out.

jiae@mockingjay-studio.com