We helped Scriibi meet their ST4S pen test requirement with a well-documented, OWASP-compliant assessment including retest. Hands-on testing by certified ethical hackers - not automated scanners.
What is the ST4S pen test requirement (EV10)?
EV10 is a Critical-importance evidence requirement in the ST4S (Safer Technologies 4 Schools) Full Assessment. Every EdTech supplier selling to Australian schools must submit a qualified external penetration test performed by a certified ethical hacker using OWASP methodology. Automated scanners, AI-powered testing, and vulnerability scanners are explicitly rejected. The report must include detailed findings with reproduction steps, risk ratings, and remediation guidance. Critical and high findings must be remediated and retested before submission.
ST4S (Safer Technologies 4 Schools) requires every EdTech supplier selling to Australian schools to submit a qualified external penetration test. This is EV10 - rated Critical. Getting it wrong means you can't sell to schools.
ST4S does not accept automated scans, AI-powered pen testing, or vulnerability scanners. The test must be a hands-on exercise by a certified ethical hacker.
Testing must cover the OWASP Top 10 with a documented methodology description, detailed findings, and screenshots or logs for each test.
The pen tester must be fully independent from your development team and hold recognised certifications - OSCP, CEH, GPEN, CREST, CompTIA PenTest+, or eCPPT.
A report alone isn't enough. ST4S requires critical and high findings to be fixed, and fixes must be verified through a retest cycle.
An ST4S-compliant pen test includes OWASP Top 10 coverage, detailed findings with reproduction steps, risk ratings, remediation guidance, and a retest cycle - all delivered by certified testers independent from your team. Every deliverable is mapped directly to what ST4S assessors look for.
Full OWASP Top 10 coverage as required by ST4S. Manual testing across injection, broken authentication, access control, security misconfiguration, and more.
Every finding includes detailed descriptions, screenshots, reproduction steps, and logs. Written so ST4S assessors - and your dev team - can understand exactly what was found and how.
Findings rated by severity with practical remediation guidance your developers can action immediately. No vague recommendations - clear steps to fix each issue.
After you remediate critical and high findings, we retest to confirm fixes are effective. The retest report becomes part of your ST4S evidence pack. Included in the engagement - no extra cost.
All testing performed by certified ethical hackers holding OSCP, CEH, CREST, and GPEN credentials. ST4S accepts all of these certifications.
ST4S requires the pen tester to be independent from your development team. Logic Weave has no relationship with your codebase or infrastructure - complete separation of duties.
Scriibi, an Australian EdTech company, engaged Logic Weave for their ST4S pen test. Here's what their CEO said about the experience.
"Engaged Logic Weave for a penetration test. They delivered well-documented findings with clear reproduction steps and practical remediation guidance. The retest cycle was delivered on time, and the lead tester was open and constructive in discussions. Professional, thorough, and fair throughout. Highly recommended."
The ST4S pen test process typically takes 2–4 weeks from scoping call to signed-off retest report. Here are the five steps.
The pen test gets you through ST4S. After passing, many EdTech companies strengthen their security posture with ongoing assessments, ISO 27001 certification, or fractional CISO services as they scale into new markets.
Regular assessments as your product evolves. New features mean new attack surface - stay ahead of it with scheduled testing rather than one-off engagements.
Some school departments and state education bodies prefer ISO-certified suppliers. We deliver full ISO 27001 readiness in 16 weeks - even from scratch.
Security leadership without a full-time hire. Ideal for EdTech companies scaling into enterprise education, government, or international markets where security governance is expected.
AWS environment secured in 4 weeks. IAM policies, encryption, logging, and monitoring configured to meet both ST4S expectations and broader compliance frameworks.
Book a free scoping call. We'll walk you through what ST4S requires for EV10 and scope an engagement that gets you through it.
Book a Pen Test Scoping Call. No obligation. Melbourne-based, Australia-wide.