phew

19/05/2026

Many buyers commission a pe*******on test without a clear way to evaluate or understand the quality of what they've signed up for.

Price and delivery timing provide signals that are easiest to read, but these metrics alone are also fairly unhelpful in terms of being a predictor of quality. The difference between a test that builds genuine confidence and assurance, and one that just produces findings, often comes down to buyers asking questions upfront which most aren't sure how to ask. So we wrote a guide to help with that.

It covers what separates good providers from the rest, what the scoping conversation should actually feel like and include, why source code access matters more than most buyers realise, and what confidence in your security posture looks like when it's backed by proper evidence rather than assumption.

If you're a technical leader evaluating your options for the first time, or searching for a useful framework to help you shortlist providers, we'd love you to take a look.

📖 Read in full on our blog:

22/04/2026

Most teams commission their first web application pen test without really knowing what's about to happen.

The process can feel like a black box, which is ironic, given that black-box testing isn't where you should be heading. We wrote this guide because we believe an informed buyer makes better decisions and gets more from the experience.

In it, we walk through the full lifecycle of a web application pen test in plain English: from scoping conversations and methodology selection, through the testing itself, to the initial report, remediation, re-testing, and the final assurance output your board and auditors can actually use.

We cover what source code-supported testing unlocks, why your test environment matters more than most people realise, how findings are rated and why honest ratings matter, and what separates a one-off compliance exercise from a genuine step forward in your security posture.

No jargon. No fear-mongering. Just a clear picture of what good looks like.

Full article ⏩

It’s not uncommon for teams to commission a pen test (particularly their first one) without really knowing what’s about to […]

01/04/2026

Since phew was founded, our focus has been on building a business grounded in quality. That meant investing heavily in how we work, developing rigorous methodologies, and holding ourselves (and our pen testing) to high standards. By delivering work we could genuinely stand behind, we prioritised substance over presentation, and outcomes over optics.

Along the way, we didn’t really pause to spend time fully articulating who we are, what we stand for, and why it matters, but recently we decided it was time to address that. By undertaking a brand story exercise with the team at Flux B2B, we've been able to articulate and define our identity more clearly, whilst building a consistent way to communicate it.

At phew's core is a simple idea - that confidence in security should be backed by evidence, not assumption. Too often, tech teams are asked to accept results they can’t fully interrogate, delivered through processes that feel unclear or inaccessible. That has become the norm across the industry, but it’s not something we’re comfortable with.

We believe that trust should be earned through clarity. That means showing the reasoning behind outcomes, not just presenting them. It means helping customers understand not only what we’ve found, but why it matters and how to act on it. And in particular, by grounding our pe*******on testing in industry recognised standards, not just using a rule of thumb or unclear testing methodologies.

This thinking shapes how we frame our story at phew. We recognise that consumers are sometimes forced to make decisions based on limited signals (perhaps comparing providers on time, price, or surface-level outputs, without a clear way to judge depth or quality) and as a result, meaningful differences in approach often go unnoticed.

Our response has been to lean further into what we already value: clear communication, appropriately scoped engagements, and outputs grounded in real evidence. Because we combine structured testing with experienced judgment, we place a strong emphasis on helping our customers build their own understanding (not just handing over a report). For us, this is about more than just delivering a service, it’s about contributing to a higher standard.

Alongside this process with Flux, we revisited how we present ourselves through our branding by working with the fabulous team at Smith & Peach. Our refreshed visual identity (most notably our proposals and reporting) is designed to reflect the same principles that underpin our work: clarity, consistency, and focus. Every detail is intended to make information easier to absorb and navigate, while maintaining a professional and composed tone.

In an industry that often feels loud or overly complex, we’ve deliberately taken a different approach. We aim to be clear without being simplistic, and professional without being distant. The goal is to make our work (and its implications) easier to engage with, because ultimately, that’s what matters.

Our feeling is that when our customers have a clear understanding of their security posture, supported by evidence they can rely on, they’re better equipped to make decisions and have meaningful conversations. They can approach challenges with confidence, rather than uncertainty. That’s the outcome we’re working towards.

This process has been heaps of fun, but also marks an important step for us. Not because it changes what we do, but because it helps us express it more effectively. Having spent years building the foundations, we’re ready to communicate them clearly.

This article first appeared on phew's blog at:

Since phew was founded, our focus has been on building a business grounded in quality. That meant investing heavily in […]

01/03/2026

We’ve got the keys, and our name is over the door!

phew has officially moved into its new office space in downtown Auckland.

Whilst we're growing, we remain firmly boutique and quality-focussed, committed to doing cybersecurity properly for our customers across NZ and Australia.

Thank you to our team, clients and industry partners for their support. We’re excited for what’s ahead.

If you’re nearby, come and say hello, the coffee is good ☕

08/08/2025

Exciting news for the weekend as we launch our fresh new website.

Pe*******on testing engagements are changing to meet the needs and tech stacks of modern businesses, and we are pleased to be moving with that change.

But our core values of uncompromising quality and a traditional, people-first approach to service remain our focus; the same values that have guided every engagement since 2017.

Take a look, and let us know how we can help you.

Better security starts here Find out more This site uses cookies. OK Quality and experience At phew, we believe that […]

24/12/2024

Wishing all our customers, our team, and the wider community a Merry Christmas, happy new year and a safe and relaxing summer break. Thank you for the ongoing support this year, and here’s to a healthy and successful 2025! ☀️

26/08/2024

Did you spend 0% of your website’s budget on security?

What about your new web application, new API, or even your new e-commerce store?

We’re talking about independent security testing, auditing and verification, rather than the things your developers did (or apparently did) in terms of security.

Be honest. You wouldn’t be alone.

We work with a lot of developers, development shops, and founders, and we understand how things are. The competing pressures that are placed on budget and time, that come from a variety of places. We understand how busy web app developers typically are, and how many ventures are already stretching their project budgets well beyond what was originally planned. So there’s no judgement here - just experience and some suggestions.

Because we also see first-hand the pain, stress and ultimately the cost associated with security incidents, even for a marketing website that contains no customer information or other private or secret information.

We’re not keen to FUD* you - we’re just quite familiar with what shooting the gap on proper security verification can look like. And allocating 0% of your web development project to security verification is very much shooting the gap.

What we see that works well is when founders, product owners, or even developers put their hand up early in the project planning lifecycle and argue for independent verification as a key and intentionally scheduled part of the project. When everyone is racing for the line to meet all the other project demands, it is too easy to delay (often indefinitely) the verification piece.

All web sites and applications have vulnerabilities, of one sort or another (we’ve literally never, ever tested one that doesn’t). New ones that are under product launch deadlines typically have many, and the worst ones. That’s why independent security testing by experienced pe*******on testers is an essential part of a successful, low risk product release.

If this key step is a fundamental part of the project, is budgeted, and is scheduled for just the right time before product launch, that relatively small, non-0% part of the project budget will pay off not just through reduced stress and risk at launch time, but ongoing confidence in the security and stability of your cool new product.

* that’s fear, uncertainly and doubt for those lucky enough to have avoided it so far

16/05/2024

Where are your hackers located?

Interestingly it doesn’t really matter. The thing to know is that they’re not located anywhere in particular. Or rather, wherever they are based geographically doesn’t matter, because they can appear to come from anywhere on the internet.

And because that’s true for the attackers, it is also true for your pen testers.

Although we’re based in New Zealand, more than half of our pen testing is for organisations and targets further afield. In the same way that attackers can target any website, webstore, web portal, web application, API or IP address on the internet, we can pen test any target on the internet too.

And not just that – we can also perform private corporate network pen testing remotely. We even test Wi-Fi networks from afar.

We think this allows our customers to get something a little different. They get the best of Aotearoa New Zealand’s hospitality – our quality, comprehensiveness, care and attention to detail – wherever they are in the world. And all for better value than from alternatives located in Australia, the US, UK, or Europe for example.

And sometimes they like to come down under to meet us, and we take them for a look around our little corner of world where we work and play.

25/04/2024

Igor had a great chat with our director Paul, who discussed his career journey from finance through to technology and then into cyber security 🌟

11/03/2024

When I started phew, I had very clear intentions about building a solid reputation for caring.

“Caring” might seem like a strange word to use when you think of tech. But when you pair it with “security”, it suddenly makes a lot of sense, and even more when you think about the integrity of a professional consultancy.

I believe very strongly that that’s what sets us apart in the cyber security field.
That, and our very specific approach to pe*******on testing.

You could say our pen testing aligns more closely with the methodical strategy of auditing than with the “hacker swagger” style of testing.

We don't need to hire mavericks to see if they can break through your defences. Our structured style of standards-based auditing means we can spot holes more reliably, optimising our pe*******on testing capability, and providing a better outcome for our clients.

We communicate and engage clearly with our clients, removing complexities to provide easy to understand, actionable insights that truly secure your systems.
I think it comes from our educational and industry backgrounds in law and finance. It’s made us fanatical about accuracy, precision, and being 100% focused and thorough.

While pen testing absolutely centres on finding vulnerabilities, our auditing approach means we go further and deeper, providing independent advice on aspects like domain controls, hardening recommendations, and development best practice.

This approach ensures that we identify and understand each vulnerability, allowing us to provide our clients with not just a list of weaknesses but a strategic plan for strengthening their defences.

If you need independent proof of the security of your web services and networks, feel free to touch base with me anytime.