
Why We're Getting Security+ and CREST CPSA Certified

We're going through the CompTIA Security+ and CREST CPSA certification process. Here's why, and what it means for the e-commerce stores we build and test.

We build e-commerce stores. We also break into them — with permission. As our penetration testing practice has grown alongside our Magento development work, we decided it was time to formalise it. We're currently working towards CompTIA Security+ and CREST CPSA certifications.

Why Certify?

We've been doing security work for a while — auditing Magento configurations, testing payment integrations, reviewing server setups. But there's a difference between knowing how to find vulnerabilities and being formally recognised for it. Certifications give clients confidence that the person testing their infrastructure has been independently validated.

It also matters for the work itself. Structured security methodologies — the kind you learn preparing for these exams — make assessments more thorough and more repeatable. You stop relying on instinct and start following frameworks.

CompTIA Security+

Security+ is the industry baseline for security professionals. It covers a broad surface area: network security, threat analysis, risk management, cryptography, identity management, and incident response. It's vendor-neutral, which means the knowledge applies whether you're testing a Magento store on AWS or a Next.js app on Vercel.

The exam is rigorous — scenario-based questions that test whether you can apply security concepts to real situations, not just memorise definitions. That aligns with how we work. We don't run a scanner and hand over a PDF. We think through attack paths specific to each client's setup.

CREST CPSA

CREST is the professional body for the penetration testing industry in the UK. The Certified Practitioner Security Analyst (CPSA) qualification validates that you can conduct security assessments to a professional standard. It's the entry point to the CREST certification pathway and a prerequisite for more advanced qualifications.

CREST certification carries weight with enterprise clients and regulated industries. If you're handling payment data, customer PII, or operating in a compliance-heavy environment, working with CREST-certified testers gives you an audit trail that matters.

What This Means for Our Clients

For the stores we build, it means security is baked in from the start — not bolted on as an afterthought. We write the Magento modules, build the Hyvä themes, configure the servers, and then test the whole thing from an attacker's perspective. Same team, full context.

What we test

  • OWASP Top 10 vulnerabilities across the application layer

  • Payment flow security — PCI DSS considerations, tokenisation, CSP headers

  • Server and infrastructure configuration — SSH hardening, firewall rules, TLS setup

  • Admin panel security — brute force protection, 2FA, session management

  • Third-party extension audit — checking vendor code for known vulnerabilities

  • API security — GraphQL and REST endpoint authentication and authorisation

The Bigger Picture

E-commerce security is not optional. Magento stores handle credit cards, personal addresses, order histories. A breach doesn't just cost money — it destroys trust. Having the same team that builds the store also test its security means fewer gaps, faster fixes, and a single point of accountability.

We'll share more as we progress through the certification process. If you're running a Magento store and haven't had a security assessment done, get in touch — certified or not, we know where to look.