Case studies
Automated scanners are the cheapest part of any security assessment. The expensive part, and the part that finds the vulnerabilities that actually matter, is the human tester running hypotheses against your application and chasing down what doesn’t add up. This page describes how Cyber Node runs manual engagements and three anonymised case studies drawn from real work with Australian clients.
On the frontline · May 2024 to December 2025
Across 54 manual engagements in 5 sectors, every single one produced findings. Not one organisation came out clean.
Engagements that produced findings: 54 of 54, no clean sheets
Manual engagements delivered: 54, across 5 sectors
Distinct vulnerabilities logged: 8.8 average per engagement
Had Critical or High-risk findings: 21 of 54 carried serious exposure
Distinct sectors tested: 5, banking to aged care, EdTech to utilities
The shape of risk
The severity distribution looks reassuring at first glance: 2 Criticals and 21 Highs against 49 Mediums, 66 Lows and 21 Informationals. That picture is misleading in two ways.
Highs and Criticals are concentrated. The 23 most serious findings landed in just 7 engagements. When they hit, they hit hard. The worst single engagement on this dataset logged unauthenticated cross-tenant data access, SSRF, 2FA bypass, and an unauthenticated sensitive API endpoint, all in one product.
Mediums and Lows compound. A 2025 FinTech engagement had zero Highs on paper, but seven net-new findings that stacked into a High overall risk rating. Individually low-impact issues become a real attack path once chained, and a prior test does not immunise the next release.
Patterns we see everywhere
Across all 54 engagements, the same vulnerability classes keep surfacing, independent of sector, company size, or technology stack. Knowing these is the difference between a clean report and a real one.
JWTs that survive logout. Password updates that don’t invalidate sessions. Brute-forceable login flows. Forgot-password endpoints leaking user existence. 2FA bypasses. OWASP Top 10 basics, present in nearly every engagement.
Unauthenticated cross-tenant data access. Authorisation bypass via direct HTTP requests. Deleted records still retrievable. Unauthenticated user delete and update endpoints. The single Critical in this dataset belongs to this class.
TLS 1.0 and 1.1. SMBv1. SMB signing disabled. CBC cipher suites exposed to Lucky13, and 3DES suites exposed to SWEET32. SNMP public communities. Standards retired years ago, still running in production.
Vulnerable Umbraco. Vulnerable WordPress core and Avada theme. Outdated Lighttpd on a medical device. Outdated ESXi, OpenSSH and Dropbear inside a government facility. Debian 11 hardening gaps on an industrial ERP.
Public WordPress admin pages. Exposed Umbraco admin login. VPN web portals on the open internet. Telephony servers on plain HTTP. Telnet still listening on a production IoT device.
Unrestricted file upload chained to stored XSS. HTML injection in transactional email. Reflected input in error pages. The kind of issue that slips past a scanner because it only matters in the application’s own logic.
Five engagements that show what’s at stake
Anonymised. Every detail below is drawn from a real Cyber Node engagement delivered between 2024 and 2025.
A management portal on HTTP port 80 with no authentication at all
Any user on the network could record video from the device. Patient data, one unauthenticated HTTP request away. Telnet was also listening on the same device, and Lighttpd was several years out of date.
Two High-risk issues in a customer-facing portal
A grey-box web application test surfaced sensitive information exposure to unauthenticated actors, and an authorisation bypass via direct HTTP requests. Critical infrastructure category, real exposure, remediated within days of the draft report.
Chained hardening gaps to domain admin
Internal engagement: PrinterBug and PetitPotam coercion paths, default HPE switch credentials, outdated VMware ESXi and OpenSSH, anonymous FTP, SMB signing disabled, SNMP public community. Individually, hardening gaps. Chained, domain admin in under two hours.
18 findings, six High-risk, one crafted request away from the client database
A 3CX telephony server exposed over plain HTTP. Unauthenticated user delete and update endpoints. Outdated Umbraco. Exposed admin login. The client database (buyers, sellers, property records) sat behind configuration that had never been reviewed.
One Critical, four Highs, a reportable breach the moment it’s exploited
Unauthenticated cross-tenant data access. Unrestricted file upload chained to stored XSS. Server-side request forgery. 2FA bypass. An unauthenticated sensitive API endpoint. In a regulated finance context, this is a reportable incident under the Notifiable Data Breaches (NDB) scheme the moment an attacker finds it first.
Why this matters
The regulated core (banks, insurers, large utilities, listed critical infrastructure, Commonwealth agencies) is being dragged toward continuous testing by APRA, the SOCI Act, the Essential Eight, and the TGA. They already know they need pen tests. Most are getting them.
Outside that core, the vast majority of Australian businesses have never had a manual penetration test performed against their systems. The reasons are always the same: we’ve got antivirus and a firewall, we’re too small to be a target, we’ll do it next financial year, our developers are careful.
What this dataset says, clearly and repeatedly across every sector: none of those assumptions survive first contact with a skilled human attacker. 100% of the environments we look at have findings. 39% have findings serious enough to hurt the business. The question is not whether the vulnerabilities exist in your systems. The question is whether you find them first, or an attacker does.
Methodology
Scoping
A short call to understand what you run, what you care about, and what drives the engagement. Compliance framing, real attack concerns, or both.
Reconnaissance
Mapping the attack surface before any active testing. DNS, subdomains, technology fingerprinting, authentication flows, public data leakage.
Manual exploitation
Hypothesis-driven testing of authentication, authorisation, input handling, business logic and server configuration. Scanners run in support, not as the main activity.
Reporting
Findings rated by real-world impact with written remediation guidance. Executive summary for the board. Technical detail for the engineer who will fix it.
Retest
A free retest on all findings within 60 days of the final report to confirm remediation has worked.
Inside the methodology
Step three of the engagement flow above is where the value lives. Below is a sample of the techniques a Cyber Node tester runs by hand, where automated platforms either fall back to scanner output or cannot operate at all. We name the techniques because the methodology section of a report is the single most diagnostic indicator of whether the engagement was real.
// Technique 01
Active Directory privilege graph analysis. The tester maps who can reach whom, where the lateral movement paths run, and which ostensibly low-privilege accounts have been over-provisioned through years of incremental access grants. Scanners cannot reason about graph relationships; they flag misconfigured permissions one row at a time, missing the chains that actually compromise the domain.
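The difference between "one row at a time" and "the chain" is easiest to see on a small graph. The following is an added illustration, not a Cyber Node tool and not drawn from any engagement: the principals, the corp.local domain and every edge are constructed for the example, with edge kinds named the way BloodHound-style collectors name them. A per-permission view reports only the one group with a direct edge to Domain Admins; a reverse search over the graph shows the helpdesk user who can reach it in five hops.

```python
"""Privilege-graph path finding over constructed Active Directory relationships (added example)."""
from collections import deque

# (source, relationship, target). Direction follows the collector convention:
# a computer "HasSession" for a user whose credentials are cached on it.
# All names are hypothetical.
EDGES = [
    ("jsmith@corp.local",       "MemberOf",   "HELPDESK@corp.local"),
    ("jsmith@corp.local",       "MemberOf",   "DOMAIN USERS@corp.local"),
    ("DOMAIN USERS@corp.local", "CanRDP",     "TS-01.corp.local"),
    ("HELPDESK@corp.local",     "AdminTo",    "WS-042.corp.local"),
    ("WS-042.corp.local",       "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local",   "GenericAll", "IT-OPS@corp.local"),
    ("IT-OPS@corp.local",       "MemberOf",   "DOMAIN ADMINS@corp.local"),
]
TARGET = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Forward and reverse adjacency lists."""
    fwd, rev = {}, {}
    for src, rel, dst in edges:
        fwd.setdefault(src, []).append((rel, dst))
        rev.setdefault(dst, []).append((rel, src))
    return fwd, rev


def row_by_row_findings(edges, target=TARGET):
    """What a per-permission scanner reports: principals with a direct edge to the target."""
    return sorted(src for src, _, dst in edges if dst == target)


def principals_reaching(rev, target=TARGET):
    """Every node with some path to the target (reverse BFS): the real exposure."""
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for _, src in rev.get(node, []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


def shortest_path(fwd, start, target=TARGET):
    """BFS from a low-privilege start; returns hops as (node, relationship, node), or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in fwd.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    hops, cur = [], target
    while prev[cur] is not None:
        parent, rel = prev[cur]
        hops.append((parent, rel, cur))
        cur = parent
    return hops[::-1]


if __name__ == "__main__":
    fwd, rev = build_graph(EDGES)
    print("direct edges to DA:", row_by_row_findings(EDGES))
    print("principals that can reach DA:", sorted(principals_reaching(rev)))
    for src, rel, dst in shortest_path(fwd, "jsmith@corp.local"):
        print(f"  {src} --{rel}--> {dst}")
```

The same BFS, run from every user in a real collection, is what turns "a helpdesk group is local admin on one workstation" (a Low on its own) into "a helpdesk user is five steps from Domain Admins".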
// Technique 02
Targeted parameter and payload manipulation driven by hypotheses about what the application is doing internally. Where a scanner sends a generic XSS list against every parameter, the manual approach reads the application's own logic, builds payloads the application is likely to accept, and chases the divergence between expected and actual response. Reading server behaviour is what produces the finding, not blind injection.
// Technique 03
Combining individually low-severity findings into a chained exploit that produces critical impact. An SSRF in a URL-fetching feature, a cloud instance metadata service reachable from the application host, and an over-privileged instance role together become full cloud account takeover: the SSRF reads the role's temporary credentials from the metadata endpoint, and the role does the rest. Each step alone rates as Medium; the chain is Critical. Scanners do not chain.
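The first link of that chain is a URL the application fetches on the user's behalf with no check on where it points. Below is an added example of the guard that breaks it, written for this page rather than taken from any client's code: it validates the scheme, resolves the host, classifies every resulting address with the standard library's `ipaddress` module, and rejects anything that is not a public address, including the metadata address in its IPv4-mapped IPv6 and decimal forms. The `SAMPLE_DNS` table and its names are constructed so the example runs offline; the default resolver uses real DNS.

```python
"""Outbound-URL guard against SSRF to cloud metadata and internal ranges (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_with_dns(host):
    # Return every address. A name with one public and one internal record must
    # fail on the internal one, not pass on the public one.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(addr_text):
    addr = ipaddress.ip_address(addr_text)
    # ::ffff:169.254.169.254 is the metadata address in an IPv6 costume; unwrap it first.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Not-global covers loopback, RFC 1918, link-local (169.254.0.0/16), CGNAT,
    # multicast and reserved space in one test.
    return not addr.is_global


def pin_outbound_url(url, resolver=resolve_with_dns):
    """Validate a user-supplied URL; return (url, pinned_ip) or raise ValueError.

    The caller must connect to pinned_ip (setting the Host header itself) and
    run this check again on every redirect, otherwise DNS rebinding or a
    redirect to 169.254.169.254 bypasses it."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal address: no DNS involved
    except ValueError:
        addrs = resolver(host)                      # name: check every record
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:
        if is_internal(addr):
            raise ValueError(f"{host} -> {addr} is not a public address")
    return url, addrs[0]


# Constructed resolver so the example runs offline; names and addresses are hypothetical.
SAMPLE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.34", "10.0.3.7"],  # split horizon: one internal record
    "2852039166": ["169.254.169.254"],                  # decimal form of the metadata IP
    "localhost": ["127.0.0.1"],
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


def check(url):
    """Returns the pinned IP, or the rejection reason as a string."""
    try:
        return pin_outbound_url(url, resolver=sample_resolver)[1]
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for u in ("https://files.example.com/report.pdf",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://2852039166/", "http://cdn.example.com/x", "file:///etc/passwd"):
        print(f"{u:70} {check(u)}")
```

The guard is necessary, not sufficient: the metadata service should also require a session token (IMDSv2 on AWS, or the equivalent header on other clouds), and the instance role should hold only the permissions the application uses, so that the second and third links of the chain fail even if the first one holds.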
// Technique 04
OT engagements move between zones (enterprise, supervisory, control, field) according to the IEC 62443 reference architecture. Manual testing identifies where the conduit between zones is weaker than the policy claims, where supervisory systems can reach control-layer assets they should not, and where physical-process safety interlocks are protected only by network segmentation. Scanners do not understand zones.
// A diagnostic for any vendor quote
A vendor that names "Nessus, Qualys, Acunetix" and stops there is selling scanner output. A vendor that names techniques (graph enumeration, manual fuzzing, payload chaining, zone pivoting) is selling an engagement. The methodology section is the most diagnostic part of any penetration test report.
Case study 01
A mid-market SaaS product had been tested twice before by other firms. Both prior reports were scanner output with a cover page. The client asked us to look again with fresh eyes.
Tenant isolation bypass
A low-severity IDOR on a reporting endpoint, combined with a session fixation issue on account switching, allowed a malicious tenant admin to read data belonging to other tenants sharing the same cluster. Neither finding alone scored above medium. Chained, they broke the product’s core security promise.
Weak password reset token entropy
Password reset tokens were derived from timestamp plus user ID. Predictable within a small window. Exploitable without authentication.
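An added example of why "timestamp plus user ID" is a Critical rather than a curiosity, not code from the client or from Cyber Node: the weak derivation as the case study describes it, the attacker's recovery of the token from a known user ID and a rough request time, and the fixed issuer beside it. The hash function, user ID and timestamps are constructed for illustration; the real product's exact formula is not on the page.

```python
"""Predictable password-reset tokens, the attacker's recovery, and the fix (added example)."""
import hashlib
import secrets


def weak_reset_token(user_id, issued_at):
    """Derived from public inputs only: no secret, so anyone can recompute it.
    Hashing does not help; the input space is the problem."""
    return hashlib.sha256(f"{issued_at}:{user_id}".encode()).hexdigest()


def recover_issue_time(user_id, observed_token, approx_time, window=600):
    """Attacker view: user ID known (the forgot-password flow leaked it), request
    time known to within ten minutes. Returns (issued_at, guesses) or None."""
    for guesses, t in enumerate(range(approx_time - window, approx_time + window + 1), 1):
        if weak_reset_token(user_id, t) == observed_token:
            return t, guesses
    return None


class ResetTokens:
    """Fixed: 256 bits from the OS CSPRNG, stored only as a hash, single use, expiring."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id, now, ttl=900):
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + ttl)
        return token  # sent to the user; never written to the database in clear

    def redeem(self, token, now):
        entry = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return None  # unknown or already used
        user_id, expires_at = entry
        return user_id if now <= expires_at else None


def demo(now=1_700_000_000):
    out = {}
    # The attacker never sees the victim's email. They trigger a reset for user 4711
    # and recompute the token; the server issued it 137 s after the attacker's estimate.
    victim_token = weak_reset_token(4711, now + 137)
    out["recovered"] = recover_issue_time(4711, victim_token, now)
    store = ResetTokens()
    good = store.issue(4711, now)
    out["token_bits"] = len(good) * 6 >= 256  # urlsafe base64 carries 6 bits per character
    out["first_redeem"] = store.redeem(good, now + 60)
    out["replay"] = store.redeem(good, now + 61)
    stale = store.issue(4711, now)
    out["expired"] = store.redeem(stale, now + 901)
    return out


if __name__ == "__main__":
    print(demo())
```

Against the weak scheme the attacker needs a few hundred requests to the reset endpoint, well inside what an unthrottled endpoint allows; against the fixed one the token space is 2^256 and the stored hash is useless to anyone who reads the database.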
Outcome: Both issues remediated within 72 hours. Retest confirmed the fix. The client now runs a Cyber Node engagement every major release cycle.
Case study 02
A licensed FinTech operator preparing for APRA CPS 234 evidence collection. Product had passed three compliance audits. The scope was the customer-facing REST API.
BOLA on transaction history endpoint
Authenticated users could retrieve transaction history belonging to any other customer by modifying a single path parameter. No additional authorisation check beyond authentication. A finding invisible to automated scanners that don’t model the business.
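The handler shape behind that finding, and behind the cross-tenant access and "deleted records still retrievable" patterns listed earlier, is the same: authentication is checked, authorisation is assumed. The following is an added example written for this page, not the client's code: a transaction-history route that trusts its path parameter, beside a fixed version that derives tenant and customer from the session and filters soft-deleted rows in the same query. The schema, tenants, customers and amounts are constructed.

```python
"""Broken object-level authorisation on a history endpoint, vulnerable and fixed (added example)."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What the session proves: which tenant and which customer the caller is."""
    tenant_id: str
    customer_id: str


def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE transactions (
            id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
            customer_id TEXT NOT NULL, amount_cents INTEGER NOT NULL,
            deleted_at TEXT);
        INSERT INTO transactions VALUES
            (1001, 'tenant-a', 'cust-1',   2500, NULL),
            (1002, 'tenant-a', 'cust-2', 990000, NULL),
            (1003, 'tenant-b', 'cust-9',   1500, NULL),
            (1004, 'tenant-a', 'cust-1',   4200, '2025-03-01T10:00:00Z');
    """)
    return db


def history_vulnerable(db, principal, customer_id):
    """GET /customers/{customer_id}/transactions as found: the path parameter is trusted.
    The session only proves someone is logged in; any authenticated user reads any
    customer's history, in any tenant, by editing the path segment."""
    assert principal is not None  # authentication, nothing more
    return db.execute(
        "SELECT id, amount_cents FROM transactions WHERE customer_id = ? ORDER BY id",
        (customer_id,)).fetchall()


def history_fixed(db, principal, customer_id):
    """Same route with the authorisation decision made against the session.
    Tenant and customer come from the session; the URL value may only agree
    with it. Soft-deleted rows are excluded in the same query, so a remembered
    ID cannot resurrect them."""
    if customer_id != principal.customer_id:
        raise PermissionError("not found")  # same response as a missing record: no oracle
    return db.execute(
        """SELECT id, amount_cents FROM transactions
           WHERE tenant_id = ? AND customer_id = ? AND deleted_at IS NULL
           ORDER BY id""",
        (principal.tenant_id, principal.customer_id)).fetchall()


def demo():
    db = setup_db()
    attacker = Principal("tenant-a", "cust-1")
    out = {
        "vuln_other_customer": history_vulnerable(db, attacker, "cust-2"),
        "vuln_other_tenant": history_vulnerable(db, attacker, "cust-9"),
        "vuln_own_includes_deleted": history_vulnerable(db, attacker, "cust-1"),
        "fixed_own": history_fixed(db, attacker, "cust-1"),
    }
    for victim in ("cust-2", "cust-9"):
        try:
            history_fixed(db, attacker, victim)
            out[f"fixed_{victim}"] = "leaked"
        except PermissionError:
            out[f"fixed_{victim}"] = "denied"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

A scanner that logs in as one user and sees a 200 on `/customers/cust-1/transactions` has no way to know that `cust-2` in the same path should have been a 404; a tester who reads the URL, changes one segment and compares the two responses finds it in a minute.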
JWT signature verification disabled in staging path
A code path intended for local testing had been promoted to production by a shared configuration file. An unsigned JWT was accepted as valid on one rarely-called endpoint.
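What "an unsigned JWT was accepted" looks like in code, and what the fix has to include for the logout and password-change session issues listed under the patterns above, is shown in the following added example. It is written for this page in the standard library only, not taken from the client, Cyber Node, or any JWT library: a decoder with signature verification behind a flag (and `alg` taken from the token, so `none` also skips the check) next to a decoder that pins the algorithm, always verifies, and consults server-side state. The key, user names and timestamps are constructed.

```python
"""HS256 JWT decoding as found (flag-gated) versus fixed, with logout and password-change checks (added example)."""
import base64
import hashlib
import hmac
import json
import secrets

KEY = b"constructed-demo-key-not-for-production"


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj) -> str:
    return _b64u(json.dumps(obj, separators=(",", ":")).encode())


def sign(claims: dict, key: bytes = KEY) -> str:
    signing_input = f"{_encode({'alg': 'HS256', 'typ': 'JWT'})}.{_encode(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


def forge_unsigned(claims: dict) -> str:
    """What the attacker sends: alg none and an empty signature."""
    return f"{_encode({'alg': 'none', 'typ': 'JWT'})}.{_encode(claims)}."


def decode_as_found(token, key=KEY, verify_signature=True):
    """The staging path. Verification sits behind a flag, and the algorithm comes
    from the token, so alg=none skips the check even when the flag is on."""
    h, p, s = token.split(".")
    header, claims = json.loads(_unb64u(h)), json.loads(_unb64u(p))
    if verify_signature and header.get("alg") != "none":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(s)):
            raise ValueError("bad signature")
    return claims


class SessionState:
    """Server-side state a bearer token cannot carry on its own."""

    def __init__(self):
        self.revoked_jti = set()  # filled on logout
        self.pwd_version = {}     # bumped on password change


def issue(state, sub, now, ttl=900, key=KEY):
    claims = {"sub": sub, "jti": secrets.token_hex(16), "iat": int(now),
              "exp": int(now) + ttl, "pwv": state.pwd_version.get(sub, 0)}
    return sign(claims, key)


def decode_fixed(token, state, now, key=KEY):
    """No flag, algorithm pinned, expiry enforced, then the two checks that make
    logout and a password change actually end the session."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64u(h)).get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("jti") in state.revoked_jti:
        raise ValueError("session logged out")
    if claims.get("pwv") != state.pwd_version.get(claims.get("sub"), 0):
        raise ValueError("password changed since issue")
    return claims


def logout(state, claims):
    state.revoked_jti.add(claims["jti"])  # keep until the token's exp, then drop


def change_password(state, sub):
    state.pwd_version[sub] = state.pwd_version.get(sub, 0) + 1


def _outcome(fn):
    try:
        fn()
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo(now=1_700_000_000):
    state, out = SessionState(), {}
    forged = forge_unsigned({"sub": "victim", "exp": now + 3600})
    out["found_flag_off"] = decode_as_found(forged, verify_signature=False)["sub"]
    out["found_flag_on"] = decode_as_found(forged, verify_signature=True)["sub"]
    out["fixed_forged"] = _outcome(lambda: decode_fixed(forged, state, now))
    tok = issue(state, "alice", now)
    claims = decode_fixed(tok, state, now)
    out["fixed_valid"] = claims["sub"]
    logout(state, claims)
    out["after_logout"] = _outcome(lambda: decode_fixed(tok, state, now))
    tok2 = issue(state, "alice", now)
    change_password(state, "alice")
    out["after_pw_change"] = _outcome(lambda: decode_fixed(tok2, state, now))
    out["reissued"] = decode_fixed(issue(state, "alice", now), state, now)["sub"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The flag is the obvious defect, but the `alg` header is the one that survives a naive fix: a decoder that still honours `none`, or accepts an RSA public key as an HMAC secret, stays exploitable with verification "on". A real deployment would use a maintained library with the algorithm list passed explicitly and the revocation set held in a shared store with the same lifetime as the tokens.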
Outcome: Emergency patch shipped the same day. Code review of the surrounding logic. CPS 234 evidence submission delayed by two weeks and rebuilt around the revised control.
Case study 03
An internal network penetration test for a Perth professional services firm with about 200 staff. Grey-box engagement with VPN access as a standard user.
Domain admin via print server
An unpatched print server running end-of-life firmware had been forgotten on the network. Exploitation chained through local privilege escalation, credential dumping, and a cached domain admin token. Full domain compromise in under two hours.
Outcome: Decommission of legacy print infrastructure. Credential rotation across privileged accounts. LAPS rollout for local admin management. Annual internal test now standard.
Questions we get
Scoping, reconnaissance, manual exploitation attempts against identified vulnerabilities, a written report with findings rated by real-world impact, and a free retest on all findings within 60 days.
Most engagements run between one and three weeks of active testing plus reporting. A typical web application test takes two weeks from kickoff to draft report.
Yes. We recommend grey box for most engagements because it delivers the most useful findings per dollar. Black box is appropriate for external surface only. White box is best when the goal is a thorough code-informed assessment.
Yes, and the retest is free within 60 days of the final report. Additional retests beyond that window are quoted separately.
Reports have been used as evidence for PCI DSS, SOC 2, ISO 27001, APRA CPS 234 and ASD Essential Eight maturity assessments. We can align scope and reporting to the specific framework driving your engagement.