FinTech Australia Member

APRA-aware. PCI-ready. Manually tested.

Penetration testing for Australian FinTech

Cyber Node is a member of FinTech Australia and works with FinTech operators across Sydney, Melbourne, Perth and regional Australia. Every engagement is manually led, scoped against your actual compliance drivers, and reported in a form your auditor, your engineers, and your board can all use.

Compliance drivers

Frameworks we scope engagements to

  • APRA CPS 234

    Information security standard for APRA-regulated entities and their material service providers. Penetration testing provides evidence of control effectiveness.

  • PCI DSS v4.0.1

    Annual manual penetration testing of the CDE, with reports suitable for QSA evidence.

  • SOC 2 Type II

    Penetration testing evidence for the security trust services criteria.

  • ISO 27001

    Annex A.12.6.1 and A.18.2.3 control validation as part of certification maintenance.

  • Consumer Data Right (Open Banking)

    Security testing for accredited data recipients and data holders.

  • ASD Essential 8

    Maturity assessments for FinTechs pursuing government or enterprise contracts.

Why us

What FinTech buyers actually want in a pen test

FinTech security teams have usually read more pen test reports than the vendors writing them. They know what scanner output looks like. They know what a chained-exploit business logic finding looks like. They know the difference.

Cyber Node engagements produce the second kind. Our FinTech case study (see manual penetration testing case studies) describes a BOLA issue on a production transaction history endpoint that had passed three compliance audits before we found it. That is the kind of finding that justifies the investment.

FinTech FAQ

Questions we get from FinTech buyers

A penetration test is one of several forms of evidence that support CPS 234 compliance, specifically the requirement to maintain information security capability and to test control effectiveness. Cyber Node engagements are scoped and reported with CPS 234 evidence in mind.

Annually as a baseline, with an additional test following any significant architectural change or major release. PCI DSS in-scope environments require testing at least annually and after any significant change.

Yes. Engagements for accredited data recipients and data holders are scoped against the specific CDR security obligations and the data exchange architecture.

Yes. Reports are regularly used as evidence for SOC 2 Type II attestations. We coordinate directly with your auditor where helpful.

Engagements are fixed-price. A targeted application test typically starts from AUD 12,000. A full-scope FinTech product assessment covering web, API, cloud, and identity typically falls in the AUD 30,000 to 60,000 range. Final pricing is confirmed after scoping.

FinTech engagement

Test what your regulator and your board both care about