What Is Penetration Testing? (Plain English)
A penetration test — often called a "pentest" — is when you hire a security expert to try to break into your own systems before a real criminal does.
Think of it like hiring a locksmith to try to pick the locks on your house and then tell you which ones are weak. Except instead of your front door, it's your computer systems, your website, your staff email accounts, and your internal network.
The one-paragraph answer
A penetration test is an authorised, simulated cyberattack carried out by a qualified security professional. They use the same techniques real hackers use — with your permission — to find weaknesses in your systems. At the end, they give you a clear report explaining what they found, how serious each issue is, and exactly what you need to do to fix it.
The result: you find the holes before criminals do, and you fix them before they're exploited.
The word "penetration" refers to gaining access — can an attacker penetrate your defences? A skilled tester doesn't just flag that a door is unlocked; they walk through it, show you what room they reached, and explain what a real attacker would have done next.
This is what makes a penetration test different from every other security check. It doesn't just tell you a problem might exist — it shows you proof that the problem is real and demonstrates the actual consequences.
How Does a Penetration Test Work? Step by Step
A penetration test is a structured process — not someone sitting at a keyboard randomly trying things. Here is what happens from start to finish, in plain English.
1. You agree on what's being tested
Before anything starts, you and the tester agree on exactly which systems, websites, or offices are included. This is called the "scope." You also agree on rules — for example, whether to test during business hours or after hours, and what to do if they find something really serious mid-test. Nothing is tested without your written permission.
2. The tester researches your organisation
Just like a real criminal would, the tester searches for publicly available information about your business — your website, staff names on LinkedIn, any email addresses or old passwords that may have leaked online. This phase is completely passive — they're not touching your systems yet, just gathering information from public sources.
3. They map out your systems and look for weaknesses
Using specialist tools, they probe your systems to see what's there — which servers are running, which software versions are in use, and which might have known security flaws. Think of this as the tester drawing a map of your digital environment.
4. They try to get in — for real
This is the core of the test. The tester attempts to actually exploit the weaknesses they found. They might try logging in using a leaked password, tricking staff with a fake email, or taking advantage of an out-of-date piece of software. If they get access, they show how far they can go — can they reach your customer data? Your finance systems? Your backup files?
5. They document everything and clean up
Everything the tester does is documented with screenshots and notes as evidence. No actual data is taken. Any test files or accounts created during the test are removed. Your systems are left exactly as they were before — just with the knowledge of where the gaps are.
6. You receive a clear report and a debrief
The tester delivers a written report covering every issue found, how serious each one is, and exactly what to do to fix it — in plain language for management, and in technical detail for your IT team. A good provider will also walk you through the findings in person or on a call, answer questions, and then re-test the key issues once you've fixed them to confirm the fixes worked.
What you control
You decide what gets tested, when, and how. A penetration test is always done with your full knowledge and permission. Nothing happens without your sign-off. If you ever feel uncomfortable with anything during the process, testing stops. It's your security review — on your terms.
The 8 Types of Penetration Testing Explained Simply
Penetration testing isn't one-size-fits-all. Different types of tests focus on different parts of your business. Here's what each one means in plain English — and who it's most useful for.
Network Penetration Testing
Tests the security of your internet connection and internal computer network. The tester tries to break in from outside (like a hacker on the internet) and also from inside (like a rogue employee or a device already on your network).
Best for: most businesses, as a good starting point
Web Application Penetration Testing
Tests your websites, online portals, and web-based tools. The tester looks for ways to access customer data, bypass login pages, or manipulate the application to do things it shouldn't. Think online booking systems, customer portals, staff intranets.
Best for: any business with a customer-facing website or web app
Cloud Security Testing
Tests your cloud environments — Microsoft 365, SharePoint, OneDrive, Azure, or AWS. The tester looks for misconfigured settings, files that are accidentally public, and gaps in who can access what. Many businesses don't realise how exposed their cloud can be.
Best for: any business using Microsoft 365 or cloud storage
Social Engineering / Phishing Testing
Tests your people, not just your technology. The tester sends realistic fake phishing emails to your staff to see who clicks, who gives away their password, and whether your team knows what to do when they receive a suspicious message.
Best for: any business that wants to know if staff training is working
Mobile App Penetration Testing
Tests your iOS or Android business app for security weaknesses. The tester looks at how the app stores data on the phone, how it communicates with your servers, and whether someone could log in as another user or access data they shouldn't.
Best for: healthcare, fintech, or retail businesses with a customer app
Physical Penetration Testing
Tests whether someone could physically walk into your office, server room, or facility and gain access to systems or sensitive information. The tester may try to follow staff through a secure door, pretend to be a delivery person, or access an unlocked terminal.
Best for: businesses with secure facilities, data centres, or sensitive on-site systems
OT / Industrial Systems Testing
Tests the computerised systems that run physical equipment — such as machinery controls, building management systems, water or power infrastructure. Requires specialist skills to test without disrupting real operations.
Best for: energy, utilities, manufacturing, water, and critical infrastructure
Red Team Exercise
A full-scale simulation of a real targeted attack. An expert team uses every available technique — hacking, phishing, physical access — to try to achieve a specific goal, like accessing your finance system or your CEO's email. Unlike a standard pentest, the focus is also on whether your team detects and responds to the attack.
Best for: mature organisations that want to test their full defence capability
Where to start
Not sure which type you need? For most small and medium Australian businesses, starting with a network penetration test and a web application test covers the two most common ways attackers get in. Cyber Ethos can recommend the right starting point based on your business type and budget — no obligation.
Who Actually Needs a Penetration Test?
The short answer: any Australian organisation that stores customer data, processes payments, uses online systems, or would be seriously harmed by a cyberattack. Here are the most common situations where penetration testing is strongly recommended — or legally required.
Healthcare providers
Patient records are among the most targeted data in Australia. Hospitals, clinics, pathology labs, and allied health practices all carry significant obligations under Australian privacy law.
Financial services
Banks, financial advisers, insurance, superannuation, and accounting firms face specific security testing requirements under APRA and PCI DSS for card payments.
Government agencies
Federal agencies must comply with the Essential Eight framework. Annual penetration testing is required at Maturity Level 2 — and most state agencies follow the same standard.
eCommerce and retail
Any business taking card payments online is in scope for PCI DSS, which mandates annual penetration testing. Customer data held in your eCommerce platform is also a prime target.
Critical infrastructure
Energy, water, transport, communications, and other sectors under the SOCI Act must demonstrate that their security controls work — penetration testing is the primary way to do this.
Government contractors
If you supply services to government departments, you will increasingly be asked to demonstrate your security posture — often through a penetration test — as a contract condition.
Education providers
Universities and schools hold large volumes of student personal data and are frequent ransomware targets. Federal and state funding requirements increasingly include security obligations.
NFPs and community organisations
Charities and not-for-profits hold sensitive client data and are often targeted because they're perceived as less protected. Grant requirements increasingly include basic security standards.
If your business uses the internet, holds customer information, or depends on technology to operate — a penetration test will almost certainly find something worth knowing about. The only real question is whether you find it before an attacker does.
Penetration Test vs Vulnerability Scan: What's the Difference?
This is one of the most common points of confusion — and it matters, because some providers sell a vulnerability scan as if it were a penetration test. They are not the same thing.
🔍 Vulnerability Scan
✅ Run by software automatically — fast and relatively cheap
✅ Checks your systems against a list of known issues
✅ Good for regular monitoring and keeping on top of patches
❌ Cannot tell you if the issues it finds are actually exploitable
❌ Cannot show you what an attacker would do after getting in
❌ Often flags things that look scary but aren't a real risk
❌ Cannot test people, processes, or physical access
❌ Not accepted by most regulators as evidence of security testing
⚔️ Penetration Test
✅ Carried out by a qualified human tester using expert judgment
✅ Actually tries to exploit weaknesses — proves they're real
✅ Shows what an attacker could reach and do inside your systems
✅ Tests people, processes, and technology together
✅ Accepted as evidence by regulators, insurers, and government
✅ Gives you a prioritised fix list based on real risk, not theory
⚠️ Takes more time and costs more than a scan
⚠️ Should be done at least annually, not weekly
The right approach is to use both — automated scans running regularly to catch known issues quickly, and a proper penetration test at least once a year to find the things that scans can't. Think of scans as your smoke alarm and pentests as your annual fire safety inspection.
Black Box, Grey Box, White Box — What Do These Terms Mean?
These terms describe how much information you give the tester before they start. None is automatically better — each suits different situations.
| Type | What the tester knows going in | What it simulates | Best for |
|---|---|---|---|
| Black Box (no prior knowledge) | Only your company name or website address — nothing else | A complete stranger on the internet trying to hack you — no inside knowledge | Testing how exposed you are to opportunistic external attackers |
| Grey Box (some knowledge) | A standard staff login, basic network information, or a role description | An attacker who has already found a way partly in — like someone who stole a staff password | Most organisations — the best balance of realism and thoroughness. Recommended as the default. |
| White Box (full knowledge) | Full system documentation, admin access, source code, network diagrams | A trusted insider — or a very thorough code-level review | Software companies wanting to check their code, or when maximum test coverage is the goal |
Practitioner's advice
"Most Australian businesses should start with a grey box test. The reason is simple — in the real world, most successful attacks don't start from zero. They start with a stolen password, a phishing email that worked, or an old account that was never deleted. Grey box testing reflects that reality and gives you the most useful results for your money."
— Dr. Kiran Kewalramani, PhD, CISSP · Founder, Cyber Ethos
What Does a Penetration Test Report Include?
A penetration test is only as useful as the report it produces. Here is what a good report includes — and what each part is for.
Executive Summary
A short, plain-English overview of what was tested, the overall security rating, the most serious issues found, and what needs to happen first. Written for business owners, CEOs, and boards — no technical background required.
For: Board, CEO, senior leadership
What Was Tested and How
A clear record of exactly which systems, websites, or offices were included in the test, the dates testing took place, and the methods used. This section is important for your records and for showing regulators or insurers what was covered.
For: Your records, auditors, insurers
Findings — Each Issue Explained
Every problem found is explained in clear language: what the issue is, how serious it is (Critical / High / Medium / Low), proof that the tester actually exploited it (screenshots, evidence), and the real-world consequence if a criminal found it first. No vague descriptions — specific, evidenced findings only.
For: IT team, your tech provider
Attack Story — How Far Could They Go?
For the most serious findings, the report tells the story of the attack path: "We started with a phishing email, got a staff password, used that to access the internal network, and from there reached the finance system within two hours." This is often the most eye-opening part for business leaders — it makes the risk tangible.
For: Board, CEO, risk committee
Fix List — Prioritised and Practical
A clear, prioritised action list telling you exactly what to fix, in what order, and why. Critical issues come first. Each fix recommendation is specific — not generic advice like "improve your security." Your IT team should be able to start working through the list the next day.
For: IT team, your managed service provider
Retest Confirmation
Once you've fixed the critical and high issues, your provider should come back and check that the fixes actually worked — and that the fixes didn't accidentally create new problems. This closes the loop. A provider who delivers the report and disappears is not giving you full value.
For: Your peace of mind
Watch out for this
Some providers deliver a report that is simply an automated scanner printout with a cover page. This is not a penetration test report. A genuine report contains screenshots of what the tester actually accessed, a written description of how they got there, and remediation advice specific to your environment — not generic CVE descriptions copied from a database.
How Much Does Penetration Testing Cost in Australia?
Cost varies depending on what's being tested, how big your environment is, and how deep the testing goes. Here is a realistic guide to what Australian businesses typically pay.
Small business / focused test
$5,000–$15,000
External network or single web application. Suitable for small businesses with limited systems wanting their first penetration test.
Mid-size / comprehensive test
$15,000–$40,000
External and internal network plus web application. Covers the most common attack paths for most Australian businesses.
Enterprise / red team
$40,000+
Full-scope testing across multiple systems, cloud, physical, and social engineering. Red team exercises for mature security programs.
A word of caution on cheap quotes
If you receive a quote for a "comprehensive penetration test" at $1,500–$3,000, it is almost certainly an automated vulnerability scan being sold as a pentest. A real penetration test requires days of skilled human effort. The market rate exists for a reason. Paying too little for a scan-as-pentest means you get a false sense of security — which is worse than knowing your gaps.
Compare this to the average $97,000 cost of a cyberattack on an Australian mid-size business — or the potential $50 million penalty for serious privacy breaches under the updated Australian Privacy Act. A penetration test is one of the most cost-effective investments in cybersecurity available.
How Often Should You Do a Penetration Test?
The standard recommendation across Australian regulators and the Australian Signals Directorate is at least once a year for most businesses. But there are specific situations where you should do one sooner.
| Situation | What we recommend |
|---|---|
| You've never had a penetration test before | Do one as soon as possible. You can't know your risk level without one. |
| Annual review (standard practice) | Test once a year at minimum. Your technology changes; so do attack methods. |
| You've just launched a new website or app | Test before launch, or immediately after — don't wait for the annual cycle. |
| You've moved to a new cloud platform or major software | Test the new environment before fully switching over or shortly after go-live. |
| You've just had a cyberattack or security incident | After fixing the immediate problem, test to confirm everything is clean and secure. |
| You're renewing your cyber insurance | A recent penetration test report strengthens your position with underwriters and may reduce your premium. |
| You're bidding on a government contract | Many government tenders now require evidence of recent security testing as part of the application. |
| PCI DSS (card payments) | Annual penetration testing is mandatory. No exceptions. |
Australian Compliance Requirements for Penetration Testing
For many Australian businesses, penetration testing is not just good practice — it's a legal or regulatory requirement. Here is a clear breakdown of which rules apply to which types of organisations.
Required by law / regulation
PCI DSS (card payments)
If you accept credit cards, you must conduct annual internal and external penetration testing under PCI DSS v4.0. No exceptions regardless of business size.
Required by law / regulation
Essential Eight ML2 (federal government)
Federal government agencies must undergo annual penetration testing to achieve Maturity Level 2 under the ASD's Essential Eight framework. Government contractors are increasingly expected to follow suit.
Strongly expected
APRA CPS 234 (financial services)
Banks, insurance companies, and superannuation funds regulated by APRA must systematically test their security controls. APRA has taken enforcement action against organisations that did not conduct adequate testing.
Strongly expected
SOCI Act (critical infrastructure)
Operators of critical infrastructure — energy, water, healthcare, transport, communications and others — must demonstrate their security controls work. Penetration testing is the primary way to do this.
Accepted as evidence
Australian Privacy Act
The Privacy Act requires "reasonable steps" to protect personal information. A penetration test is the clearest evidence you can show a regulator that you took those steps seriously.
Increasingly required
Cyber insurance
Most major cyber insurers now ask for a recent penetration test report as part of the application or renewal process. It can also reduce your premium.
Not sure which rules apply to you?
Cyber Ethos can review your industry, the type of data you hold, and your contracts to tell you exactly which compliance requirements affect your organisation — and what type of penetration testing will satisfy them. Contact us for a no-obligation conversation.
How to Choose a Penetration Testing Provider in Australia
The difference between a good penetration test and a bad one is significant — and a bad one can actually make things worse by giving you false confidence. Here are the red flags to watch for and the green lights that tell you a provider is genuine.
Red flag: They can't tell you who will actually do the testing
Some firms sell you on their brand name, then hand the work to a junior contractor you've never heard of. You have a right to know who will be inside your systems.
✅ Ask for the CV and certifications of the specific person testing your environment. A good provider will share this without hesitation.
Red flag: The price is suspiciously low
A real penetration test requires multiple days of skilled human effort. If you're quoted $1,500–$3,000 for a "full pentest," you're almost certainly getting an automated scan with a cover page.
✅ Ask how many tester days are included and request a sample report before you commit. A legitimate provider won't be offended by this.
Red flag: They won't show you a sample report
The report is the main thing you're paying for. Any provider who won't show you an anonymised sample has something to hide — usually the fact that their "reports" are automated scanner exports.
✅ Request a sample report and look for: manual exploitation evidence, attack path narratives, and specific remediation steps written for your environment — not generic CVE descriptions.
Red flag: There's no retest included
Finding a problem and then not checking that the fix worked is like a doctor diagnosing an illness and never following up to see if the treatment worked.
✅ Ask upfront whether retesting critical and high findings is included. It should be — or at minimum clearly costed so you can plan for it.
Red flag: They don't understand Australian regulations
A provider unfamiliar with PCI DSS, the Essential Eight, APRA CPS 234, or the SOCI Act may give you a technically competent test that fails to meet your specific compliance obligations — meaning you'll need to do it all again.
✅ Ask specifically about your compliance requirement before signing. Cyber Ethos operates across all major Australian regulatory frameworks.
How Cyber Ethos Delivers Penetration Testing
Cyber Ethos is led by Dr. Kiran Kewalramani — a PhD-qualified cybersecurity specialist with CISSP, CISA, and GAICD credentials and over 20 years of hands-on security experience. We are based in Queensland and serve clients across Australia.
When you engage Cyber Ethos for a penetration test, here is what you get:
- A senior tester on your engagement. Dr. Kewalramani personally oversees every test. You're not passed to a junior analyst after the first meeting.
- Reports your whole team can use. Plain-English executive summary for leadership. Detailed technical findings for your IT team. Both in the same report.
- Specific, actionable findings. Every issue comes with evidence it was actually exploited, the real-world business risk it represents, and a concrete fix — not a vague recommendation.
- Compliance alignment. Whether your obligation is PCI DSS, the Essential Eight, APRA, the SOCI Act, or Privacy Act evidence, we structure the engagement to satisfy it.
- A retest included. We come back to confirm that your critical and high issues are fixed. Every time.
- No overselling. We scope the test to your actual risk — not to generate the longest findings list. If a small-scope test is right for your situation, that's what we'll recommend.
We deliver penetration tests remotely and on-site across Queensland and nationally, covering network, web application, cloud, social engineering, physical, mobile, OT/ICS, and red team engagements.
Ready to find out where your gaps are?
Talk to Dr. Kiran Kewalramani directly. We'll scope the right test for your business, explain what it will cover, and give you an honest quote — no pressure, no jargon.
📞 1800 CETHOS (1800-238-467) · cyberethos.com.au
Common Questions About Penetration Testing
What is a penetration test in simple terms?
A penetration test — or pentest — is when you hire a qualified security expert to try to hack your own systems before a real criminal does. They use the same tools and methods as real attackers, but with your full permission and within an agreed set of boundaries. At the end, they give you a clear report explaining what they found, how serious each issue is, and exactly what to fix. The goal is simple: find the holes before someone else does.
How is a penetration test different from a vulnerability scan?
A vulnerability scan is run by software — it's fast and automated, and it checks your systems against a database of known issues. A penetration test is carried out by a skilled human tester who actually tries to exploit those issues, chain them together, and show what they could do if they were a real attacker. A scan tells you a door is unlocked. A penetration test opens the door, walks through it, and shows you what's on the other side. Both are useful, but they answer different questions.
How much does a penetration test cost in Australia?
For a small business getting a focused external test, expect to pay $5,000–$15,000. For a comprehensive test covering your network and web applications, the typical range is $15,000–$40,000. Enterprise-level testing and red team exercises cost more depending on scope. Be cautious of very cheap quotes — anything under $3,000–$4,000 for a "full penetration test" is almost always an automated scanner export, not a real test. Contact Cyber Ethos for a scope-specific quote.
Will a penetration test disrupt my business?
A properly managed penetration test should cause no disruption to your day-to-day operations. Before testing starts, you and the tester agree on exactly what will be tested, when, and what rules apply. Destructive techniques — like deliberately crashing systems — are excluded unless you specifically request them. Most testing is done during business hours so your team can monitor for anything unexpected. If anything unusual does happen, the tester will notify you immediately.
How long does a penetration test take?
The testing itself typically takes 3 to 10 business days depending on scope. A focused external test might take 3–4 days. A comprehensive test covering network, internal systems, and web applications typically takes 7–12 days. Writing and reviewing the report usually takes another 3–5 days. From first conversation to receiving your final report, allow 4–6 weeks in your planning. If you have a compliance deadline or a contract to fulfil, mention it early so we can plan accordingly.
Is penetration testing required by Australian law?
It depends on your industry. If you take card payments, PCI DSS requires annual penetration testing — no exceptions. If you're a federal government agency, the Essential Eight framework requires annual penetration testing at Maturity Level 2. APRA-regulated financial organisations must systematically test their security controls. Critical infrastructure operators under the SOCI Act must demonstrate that their security works — penetration testing is the primary way to do this. For all other businesses, it's not legally mandated but is strongly expected by regulators, insurers, and increasingly by large customers.
What certifications should a penetration tester have?
The most respected penetration testing certifications are OSCP (Offensive Security Certified Professional), CEH (Certified Ethical Hacker), GPEN (GIAC Penetration Tester), and GWAPT (GIAC Web Application Penetration Tester). For Australian government work, look for IRAP-authorised assessors. Always ask for the specific certifications held by the individual who will conduct your test — not just the company's general qualifications. At Cyber Ethos, Dr. Kiran Kewalramani holds CISSP and CISA credentials and personally oversees every engagement.
What happens after the penetration test report is delivered?
Your IT team or managed service provider works through the fix list, starting with Critical and High priority issues. Your penetration testing provider should be available to answer questions as they fix things. Once the main issues are resolved, your provider should retest the critical and high findings to confirm the fixes worked and didn't create new problems. The final report — including the retest results — then becomes your evidence for compliance, insurance, and board reporting purposes. Cyber Ethos includes this retest as part of every engagement.
What's the difference between a penetration test and a red team exercise?
A penetration test has a defined scope — specific systems, a set timeframe, and a goal of finding and confirming as many vulnerabilities as possible. A red team exercise is more like a real attack simulation — a small team tries to achieve a specific goal (such as reaching your finance system or accessing senior executive email) using any method available, with no restriction on attack path. It also tests whether your security team detects and responds to the attack. Red team exercises are best suited to organisations that already have a solid security baseline and want to test their defences under realistic pressure.
How do I get started with Cyber Ethos?
Call us on 1800 CETHOS (1800-238-467) or visit cyberethos.com.au/contact to book a free 30-minute consultation with Dr. Kiran Kewalramani. We'll ask about your systems, your business, and any compliance requirements you're working toward — then recommend the right test type and give you a clear quote. There's no obligation, no sales pressure, and no jargon. If a penetration test isn't the right next step for your business, we'll tell you that too.