Guide to Penetration Testing Services in Australia
A practical guide to procuring penetration testing services in Australia, from scope and compliance to selecting the right provider.
What is Penetration Testing?
Penetration testing is designed to identify, exploit, and validate vulnerabilities within your systems, applications, networks, cloud infrastructure, and business processes.
It primarily answers one question: what can an attacker practically exploit today?
Why Does it Matter?
Your customers expect it.
Security has become a standard part of vendor due diligence. Your customers will increasingly expect proof that they can trust you with their data. A penetration test report from a reputable provider is one way to provide this assurance.
Meet compliance and regulatory requirements.
Depending on your industry, the types of data you handle, and the organisations you work with, penetration testing may be required to satisfy regulatory obligations, industry standards, customer requirements, or cyber insurance policies.
More on this in a bit.
You're not too small to be a target.
Cybercriminals do not exclusively target large enterprises. Small and medium-sized businesses are frequently targeted because they often have fewer security resources.
Risk can also be highly asymmetric. The value of the data you hold is often far more important than the size of your organisation.
Validate your controls actually work.
Many Australian businesses place responsibility for cybersecurity on staff who are already busy with other operational and IT duties. As a result, security controls are often implemented but rarely tested beyond basic checks.
Which standards might require an Australian organisation to conduct penetration testing?
Listed below are some of the most common requirements we see.
| Standard | Who it applies to | Pen-testing relevance |
|---|---|---|
| Privacy Act / APPs | Businesses over $3M turnover, plus health providers and some smaller entities handling sensitive data | Pen testing is best-practice evidence of the "reasonable steps" required to secure personal data |
| CPS 234 | Service providers to APRA-regulated banks, insurers, super funds | "Systematic testing" in practice means annual pen testing; your regulated customer will ask for a report |
| Essential Eight | Commonwealth suppliers; common private-sector benchmark | Validates that the eight controls actually work; recommended at Maturity Level 2+ |
| ST4S | SaaS EdTech selling into AU/NZ schools | Expected as part of ongoing monitoring, especially after auth or major feature changes |
| My Health Record / ADHA | Clinical software vendors connecting to My Health Record | Independent pen/vulnerability testing is a named requirement; CREST-accredited provider expected |
| RFFR | Workforce Australia providers and contractors | Requires regular pen testing, evidenced through annual and three-yearly audits |
| VPDSS | Victorian public sector suppliers | Inherited via embedded ISM/Essential Eight/ISO 27001 controls |
| NSW Cyber Security Policy | NSW Government suppliers | Inherited via Essential Eight and vulnerability-management requirements |
| ISM | Government/Defence contractors touching OFFICIAL/PROTECTED data | Explicitly requires regular vulnerability assessments and penetration testing, with retesting |
| PCI DSS | Any business taking card payments | Explicitly required: internal and external pen testing at least annually (Req 11.4). Note: lower merchant tiers (smaller transaction volumes) may only need a self-assessment questionnaire rather than a full external audit |
| ISO 27001 | Common in Australia; pursued to satisfy enterprise or government customers | Standard evidence for technical vulnerability management (A.8.8) and secure development (A.8.29) |
| SOC 2 Type 2 | SaaS/service SMEs selling to enterprise customers who demand it | Expected as evidence for the security criteria; recurring, since Type 2 tests effectiveness over 6–12 months |
Defining the Scope
Scope defines exactly what will be tested, including specific systems, applications, networks, IP ranges, cloud environments, and any exclusions.
A well-defined scope helps ensure the assessment focuses on the areas that matter most to your business. It can help keep costs under control, provide coverage of the risks you're concerned about, and ensure any customer, contractual, or compliance requirements are met.
What does the Process Look Like?
Our average project is 2 weeks in duration end to end.
1. Approval
Once the proposal is accepted, we'll work with you to finalise the timelines.
2. Setup
We'll gather the information needed to perform the assessment. For web applications this might involve setting up test accounts; for internal network penetration tests it might involve getting our test PC connected to your network.
3. Testing & Reporting
Our consultants perform the assessment and document any findings, including risk ratings, technical details, and remediation recommendations.
Throughout the engagement, you'll have access to our portal where you can track findings as they are identified rather than waiting until the final report is delivered.
4. Debrief
We'll walk you through the results, answer any questions, and help prioritise remediation activities based on risk and business impact.
Selecting a Penetration Testing Provider
Consider three main factors.
CREST Accreditation
CREST accreditation provides assurance that a penetration testing provider has undergone independent assessment of its processes, quality management, and technical capability.
A list of CREST international member companies in Australia can be found here.
This is not to be confused with CREST ANZ.
Please note that the formal relationship between CREST International and CREST ANZ ended at the end of April 2019 and for the avoidance of doubt, CREST ANZ have no rights to the CREST International suite of company accreditations or individual certifications. CREST ANZ has not adopted our Accreditation Standards and therefore CREST ANZ membership alone is not recognised by CREST International as being equivalent.

Find a Provider that Performs Security Research
Penetration testers are hired to find vulnerabilities. While providers can't share what they find during customer engagements, they should be able to demonstrate their capability through publicly verifiable security research, vulnerability disclosures, CVEs, conference presentations, or open-source tooling.
Firms that perform a significant amount of security research will often become CVE Numbering Authorities (CNAs), allowing them to assign CVE identifiers directly to vulnerabilities they discover and disclose.
Search "Australia" here and look for Researcher CNAs: https://www.cve.org/PartnerInformation/ListofPartners
Tester Qualifications
Lastly, consider the qualifications and experience of the consultant who will actually be performing the assessment.
About Project Black
Project Black is an Australian CREST-accredited cybersecurity consultancy and CVE CNA that regularly discovers and discloses zero-days. We are 1 of 4 active researcher CNAs in Australia and offer penetration testing services.
All our consultants remain at the forefront of emerging attack techniques and maintain a minimum certification standard of either CPTS, CWES, or OSCP.
