Research and findings
Cyber Node is an Australian cybersecurity consultancy. The numbers below are what 54 manual penetration tests, 1,000+ Cyber Exposure Snapshot scans, and hundreds of cybersecurity and AI consultancy engagements have surfaced about how Australian organisations actually get exposed, and what real attackers find.
The dataset at a glance
Every number on this page comes from work Cyber Node has personally delivered, scanned, or advised on. Nothing is sourced from third-party threat intelligence, surveys, or aggregated vendor reports.
Manual penetration testing
Human-led penetration tests delivered between May 2024 and December 2025 across web applications, APIs, internal networks, cloud infrastructure, and OT environments.
Cyber Exposure Snapshot
Non-intrusive external attack surface scans run against Australian organisations since the product launched. Each scan looks for the same six exposure classes attackers actually exploit first.
Consultancy and advisory
vCISO retainers, AI security reviews, cloud architecture advisory, OT cybersecurity consulting, and incident readiness work alongside the testing practice. Patterns observed across the consultancy work inform how the testing is scoped.
Manual penetration testing
The headline number is uncomfortable: every single engagement produced findings worth fixing. There is no version of the testing methodology that produces clean sheets, and there is no organisation tested so far whose security posture has held up perfectly under sustained manual probing.
Sectors tested
FinTech, banking, EdTech and SaaS, MedTech, energy utilities, industrial IoT and mining technology, aged care, real estate, government, professional services (architecture, finance consulting), industrial ERP, civil engineering and construction, AI SaaS, and WordPress-based professional services. The breadth matters because the same vulnerability classes appear across all of them.
What we do not find
Across every engagement delivered to date, manual testing has surfaced at least one issue worth remediating. A meaningful fraction of those engagements carried at least one Critical or High severity finding by the time the report was written. Automated scanners on the same scope, run by the same client beforehand, missed material issues in every case where the client shared the comparison.
Recurring technical patterns
If you tested 54 randomly selected web applications and infrastructure stacks across 15 sectors, you would expect the findings to look chaotic. They do not. Across the dataset, the issues cluster into six durable categories. The technologies underneath change; the patterns do not.
1. Authentication and session
Token validation skipped server-side. Session fixation. 2FA implemented inconsistently or bypassable through password reset. Refresh tokens with no rotation. The pattern is universal across modern web stacks.
2. Access control
Authenticated users can access objects they should not. Role checks present at the UI layer but absent at the API layer. Insecure Direct Object References surface in roughly every engagement that touches a SaaS application of any size.
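What an IDOR looks like at the handler level, and what a tester does to confirm one, as an added example written for this page (not code from Cyber Node or from any tested SaaS product). The users, tenants and invoice rows are constructed; the point is that the vulnerable handler takes the id as its only input while the hardened one scopes by tenant and owner inside the API.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class User:
    id: str
    tenant: str
    role: str  # "member" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    tenant: str
    owner: str
    amount: float


# Constructed stand-in for the invoices table.
INVOICES = {
    101: Invoice(101, "acme", "alice", 1200.0),
    102: Invoice(102, "acme", "bob", 80.0),
    103: Invoice(103, "globex", "carol", 999.0),
}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """THE FINDING: the id from the URL is the only input. The UI only renders links
    to the caller's own invoices, so nobody noticed the API returns anyone's."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Hardened: authorisation lives in the API handler, not in which links the UI shows."""
    invoice = INVOICES.get(invoice_id)
    # Same response for "does not exist" and "not yours": no enumeration oracle.
    if invoice is None or invoice.tenant != user.tenant:
        raise Forbidden(invoice_id)
    if invoice.owner != user.id and user.role != "admin":
        raise Forbidden(invoice_id)
    return invoice


def list_invoices(user: User) -> List[int]:
    """Scope the query by tenant and owner up front rather than filtering a full fetch."""
    return sorted(
        i.id for i in INVOICES.values()
        if i.tenant == user.tenant and (user.role == "admin" or i.owner == user.id)
    )


def readable_ids(handler: Callable[[User, int], Invoice], user: User,
                 candidate_ids: Iterable[int]) -> List[int]:
    """What a tester does: walk the id space as one user and record what comes back."""
    readable = []
    for invoice_id in candidate_ids:
        try:
            handler(user, invoice_id)
            readable.append(invoice_id)
        except (Forbidden, KeyError):
            pass
    return readable
```

Walking ids 100 to 103 as `alice` returns every invoice, including another tenant's, from the vulnerable handler and only her own from the hardened one.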
3. Legacy cryptography
Lucky13 and SWEET32 still observed on internal services. SMBv1 still enabled in environments that should know better. TLS configurations from 2014 still serving production traffic in 2026.
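Lucky13 is a CBC-mode padding-oracle timing attack and SWEET32 is a birthday attack on 64-bit block ciphers (3DES), so both disappear when a service offers only TLS 1.2+ with AEAD suites. The following added example (not code from Cyber Node or from any tested environment) builds a permissive and a hardened `ssl.SSLContext` and audits what each would negotiate; the cipher-string and the marker lists are the example's own choices.

```python
import ssl

# Suites without one of these markers are CBC-mode (Lucky13) or worse.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
# 3DES is the SWEET32 case; the others should not appear on anything in 2026.
LEGACY_MARKERS = ("DES", "RC4", "MD5", "NULL")


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites an internal service should not be offering."""
    bad = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(m in name for m in LEGACY_MARKERS) or not any(m in name for m in AEAD_MARKERS):
            bad.append(name)
    return bad


def allows_pre_tls12(ctx: ssl.SSLContext) -> bool:
    """TLS 1.0/1.1 still negotiable. A distro openssl.cnf may already raise the floor."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def permissive_context() -> ssl.SSLContext:
    """What a 2014-era config amounts to: whatever the library is willing to negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS 1.2+ only, forward-secret AEAD suites only; the TLS 1.3 suites stay enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME; a no-op if the build already sets it
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    return {"allows_pre_tls12": allows_pre_tls12(ctx), "weak_ciphers": weak_ciphers(ctx)}
```

The same `weak_ciphers` check applies to the cipher list a scanner reports for a remote host; run it over the names rather than over a context when auditing from the outside. SMBv1 has no equivalent knob here: it is disabled at the Windows feature or registry level, not in a cipher string.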
4. Outdated software
Umbraco, WordPress, Lighttpd, and VMware ESXi running versions with public exploit code available. The patching gap is not a developer problem; it is an operations problem that compounds quietly until something is exploited.
5. Exposed admin surfaces
CMS admin login pages reachable from the internet. VPN management interfaces on default ports. Hosted PBX admin panels with default credentials. Each is a single weak password away from total compromise.
6. Input handling
File upload features that accept content types they should not. Server-side template injection through user-controlled fields. The traditional input-validation issues remain the most common path to remote code execution in the dataset.
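The file upload pattern is worth showing concretely, because the fix is not "validate the Content-Type harder". Below is an added example written for this page (not Cyber Node's code and not from any tested application): the vulnerable handler trusts the header and keeps the client's filename; the hardened one classifies by leading bytes, requires the claimed extension to agree, and stores under a server-generated name. Magic values and size cap are the example's own choices.

```python
import secrets
from typing import Optional

# Leading bytes of the only content types this endpoint accepts.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
CANONICAL_EXT = {"jpeg": "jpg"}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def sniff(data: bytes) -> Optional[str]:
    """Classify by leading bytes, never by what the client says the bytes are."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def accept_upload_vulnerable(filename: str, content_type: str, data: bytes) -> str:
    """THE FINDING: trusts the Content-Type header and keeps the client's filename.
    'shell.php' sent with 'Content-Type: image/png' is written to disk as shell.php."""
    if content_type not in ("image/png", "image/jpeg", "application/pdf"):
        raise UploadRejected("content type")
    return filename


def accept_upload(filename: str, content_type: str, data: bytes) -> str:
    """Hardened: size cap, magic-byte classification, extension must agree with the
    bytes, and the stored name is server-generated so the client's name never reaches
    the filesystem. content_type is deliberately ignored."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    if not data:
        raise UploadRejected("empty")
    sniffed = sniff(data)
    if sniffed is None:
        raise UploadRejected("unrecognised content")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base or "." not in base:
        raise UploadRejected("bad filename")
    declared = base.rsplit(".", 1)[1].lower()
    declared = CANONICAL_EXT.get(declared, declared)
    if declared != sniffed:
        raise UploadRejected(f"extension .{declared} does not match content ({sniffed})")
    # Magic bytes are necessary, not sufficient: a PNG/PHP polyglot still sniffs as PNG.
    # Images should additionally be re-encoded, and the upload directory must never be
    # served with script execution enabled.
    return f"{secrets.token_hex(16)}.{sniffed}"


def is_rejected(filename: str, content_type: str, data: bytes) -> bool:
    try:
        accept_upload(filename, content_type, data)
        return False
    except UploadRejected:
        return True
```

A path-traversal name such as `../../etc/cron.d/photo.png` is harmless here because only the extension is read from it and the stored name is random. Template injection, the other half of the pattern, has no stdlib demonstration; the rule is the same shape, though: user input goes into template variables, never into the template source.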
Cyber Exposure Snapshot research
Cyber Node has run the Cyber Exposure Snapshot against 1,000+ Australian SMB domains since launch. Every scan uses the same non-intrusive external methodology, the same drive-by view an opportunistic attacker already has. The domains span industries, regions, and revenue bands; the patterns below hold across all of them.
Roughly four in five scanned domains (780+ of 1,000+) were rated HIGH or CRITICAL on the Cyber Node exposure scoring. A HIGH or CRITICAL rating means the domain has at least one exposure that an opportunistic attacker would prioritise within hours of discovery.
99% of scanned domains (990+ of 1,000+) carried at least one high-severity exposure. The 1% that did not were generally domains with a very small public attack surface, not domains with strong security postures.
5,100+ findings were surfaced across the 1,000+ domains, roughly five per scan on average. 1,560+ of those were rated high-severity. Only ~30 domains came back clean.
Six recurring themes
Across the 5,100+ findings, six themes account for the majority of high-severity exposures. Every one of them is fixable in days, not quarters. None of them requires new tooling investment. All of them are routinely missed by automated vulnerability management products that focus on patched-versus-unpatched software.
Theme 1
SPF, DKIM, and DMARC misconfigured, partially deployed, or absent. The direct consequence is email impersonation: attackers send invoices, contract amendments, or HR requests that look like they came from inside the organisation. The 2024 ASD ACSC threat report ranks email-based fraud as the highest-cost attack category for Australian SMBs.
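The misconfigurations behind this theme are visible in three TXT records, so they can be checked mechanically. The following is an added example written for this page, not Cyber Node's scanner or any part of the Cyber Exposure Snapshot: it audits SPF, DMARC and a DKIM selector from already-fetched TXT records and returns coded findings. Both record sets are constructed for a hypothetical domain; the finding codes and the DNS-lookup regex are the example's own.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, explanation)

# Constructed TXT records shaped like the misconfigurations described above.
BAD_TXT: Dict[str, List[str]] = {
    "example-corp.test": [
        "v=spf1 include:_spf.google.com ~all",
        "v=spf1 ip4:203.0.113.0/24 +all",  # a second record, and +all
    ],
    "_dmarc.example-corp.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-corp.test"],
    "s1._domainkey.example-corp.test": ["v=DKIM1; k=rsa; p="],  # empty p= means revoked
}

GOOD_TXT: Dict[str, List[str]] = {
    "example-corp.test": ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"],
    "_dmarc.example-corp.test": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-corp.test"],
    "s1._domainkey.example-corp.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAFAKEKEY"],
}

# Mechanisms that cost a DNS lookup under the RFC 7208 limit of 10.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.I)


def audit_spf(records: List[str]) -> List[Finding]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("SPF_MISSING", "no SPF record: any host can claim to send for this domain")]
    findings: List[Finding] = []
    if len(spf) > 1:
        findings.append(("SPF_MULTIPLE", "more than one v=spf1 record: receivers return permerror"))
    for record in spf:
        terms = record.split()[1:]
        if sum(1 for t in terms if _LOOKUP_TERM.match(t)) > 10:
            findings.append(("SPF_TOO_MANY_LOOKUPS", "over the 10-lookup limit: evaluates to permerror"))
        qualifier = next((t.lower() for t in terms if t.lower().endswith("all")), None)
        if qualifier in ("all", "+all"):
            findings.append(("SPF_PLUS_ALL", "+all passes every sender; this is no SPF at all"))
        elif qualifier == "?all":
            findings.append(("SPF_NEUTRAL_ALL", "?all is neutral: unlisted senders are not failed"))
        elif qualifier is None:
            findings.append(("SPF_NO_ALL", "no all mechanism: unlisted senders default to neutral"))
    return findings


def _tags(record: str) -> Dict[str, str]:
    """Parse the tag=value; tag=value syntax shared by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(records: List[str]) -> List[Finding]:
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [("DMARC_MISSING", "no DMARC record: SPF/DKIM results are never enforced")]
    tags = _tags(dmarc[0])
    findings: List[Finding] = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append(("DMARC_P_NONE", "p=none only monitors; spoofed mail is still delivered"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(("DMARC_SP_NONE", "subdomains unenforced (sp=none) while the apex is enforced"))
    if "rua" not in tags:
        findings.append(("DMARC_NO_RUA", "no rua= address: nobody sees who is spoofing the domain"))
    if int(tags.get("pct") or 100) < 100:
        findings.append(("DMARC_PARTIAL_PCT", "pct<100: the policy is applied to only a sample of mail"))
    return findings


def audit_dkim(records: List[str]) -> List[Finding]:
    dkim = [r for r in records if r.upper().replace(" ", "").startswith("V=DKIM1")]
    if not dkim:
        return [("DKIM_MISSING", "selector does not publish a key")]
    if not _tags(dkim[0]).get("p"):
        return [("DKIM_REVOKED", "empty p= tag: the selector is revoked")]
    return []


def audit_domain(txt: Dict[str, List[str]], domain: str, selectors: List[str]) -> List[Finding]:
    findings = audit_spf(txt.get(domain, [])) + audit_dmarc(txt.get(f"_dmarc.{domain}", []))
    for selector in selectors:
        findings += audit_dkim(txt.get(f"{selector}._domainkey.{domain}", []))
    return findings
```

Against `BAD_TXT` the audit reports the duplicate SPF record, the `+all`, the monitor-only DMARC policy and the revoked selector; `GOOD_TXT` comes back empty. Feeding it live data is a matter of replacing the dictionaries with the TXT answers from a resolver; the DKIM selector names still have to be guessed or taken from mail headers, since they are not discoverable from DNS alone.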
Theme 2
Email addresses and password hashes from prior third-party breaches that match domain users. Credential stuffing is the number-one initial access vector observed in Australian incident response data; this is the supply.
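The defensive counterpart to this theme is refusing, at password-set time, any password already in a breach corpus, and doing it without shipping the password or its full hash to a third party. The following is an added example written for this page (not Cyber Node's tooling): a k-anonymity range lookup in the shape used by the Pwned Passwords API, run against a constructed offline range so it works without network. The counts in the range are made up; the only real fact used is SHA-1("password").

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for a range response ("SUFFIX:COUNT" per line) for prefix 5BAA6.
# Counts are made up; the zero-count line mimics the padding real services add so
# that response size does not reveal how many genuine matches a prefix has.
FAKE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:7
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2AAE6C35C94FCFB415DBE95F408B9CE91EE:0
"""


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5 hex chars that are sent and the 35 that are not."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus. Only the prefix leaves this host;
    the suffix match happens locally, so the service cannot learn the password."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Constructed fetcher for offline use; unknown prefixes return an empty range."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def pwned_passwords_fetch(prefix: str) -> str:
    """Live fetcher for the Pwned Passwords range endpoint (network required; not
    exercised here). Add-Padding asks the service to pad the response."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_acceptable(password: str, fetch_range: Callable[[str], str] = offline_fetch,
                        min_length: int = 12) -> bool:
    """Policy for a password-set flow: long enough and never seen in a breach corpus."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0
```

Swap `offline_fetch` for `pwned_passwords_fetch` to run it for real. The check belongs wherever credentials are created or reset, and it pairs with the theme above: the breach corpora that supply credential-stuffing lists are the same corpora this lookup consults.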
Theme 3
VPN portals, RDP gateways, CMS admin pages, and cloud console redirects reachable from anywhere on the internet without IP allowlisting or MFA enforcement. Every one of these is a credential-stuffing target.
Theme 4
Web servers, mail servers, and load balancers running versions past vendor support. Public exploit code typically available within weeks of a CVE. The patch gap on perimeter software is the single most reliable predictor of compromise in the dataset.
Theme 5
cPanel, Plesk, hosting provider control panels, and database admin interfaces left open to the public internet. Once an attacker is in one of these, they effectively have root on the hosting account.
Theme 6
Old marketing subdomains, deprecated APIs, and staging environments still resolving and still serving content. They run older code, weaker configurations, and often share authentication state with production. Subdomain takeover is the rare exposure class that gets worse as an organisation scales.
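The takeover case in this theme is the forgotten subdomain whose CNAME still points at a provider where the underlying resource has been deleted. The following added example (not Cyber Node's scanner and not part of the Cyber Exposure Snapshot) runs that triage over a constructed DNS snapshot and constructed HTTP bodies. The provider fingerprints are illustrative and must be verified against each provider's current behaviour before being relied on; the verdict names are the example's own.

```python
from typing import Dict, Optional, Tuple

# Constructed DNS snapshot: name -> (type, value), or None for NXDOMAIN.
DNS: Dict[str, Optional[Tuple[str, str]]] = {
    "www.example-corp.test": ("A", "203.0.113.10"),
    "docs.example-corp.test": ("CNAME", "example-corp.github.io"),
    "example-corp.github.io": ("A", "203.0.113.20"),
    "promo2019.example-corp.test": ("CNAME", "promo2019.s3-website-ap-southeast-2.amazonaws.com"),
    "promo2019.s3-website-ap-southeast-2.amazonaws.com": ("A", "203.0.113.30"),
    "old-api.example-corp.test": ("CNAME", "old-api.example-corp-cdn.test"),
    "old-api.example-corp-cdn.test": None,
    "loop.example-corp.test": ("CNAME", "loop.example-corp.test"),
}

# Constructed HTTP bodies for the hosts above.
HTTP_BODY: Dict[str, str] = {
    "www.example-corp.test": "<html>Example Corp</html>",
    "docs.example-corp.test": "<html>Example Corp documentation</html>",
    "promo2019.example-corp.test": "<Error><Code>NoSuchBucket</Code></Error>",
}

# Illustrative fingerprints: CNAME-target suffix -> text the provider returns for an
# unclaimed name. Verify against the provider before relying on any of these.
FINGERPRINTS = {
    "amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}


def resolve_chain(name: str, dns=DNS, max_depth: int = 8) -> Tuple[str, str]:
    """Follow CNAMEs. Returns (final_name, status), status in {resolves, nxdomain, loop}."""
    seen = []
    current = name
    while len(seen) < max_depth:
        seen.append(current)
        record = dns.get(current)
        if record is None:
            return current, "nxdomain"
        rtype, value = record
        if rtype != "CNAME":
            return current, "resolves"
        if value in seen:
            return value, "loop"
        current = value
    return current, "loop"


def assess(name: str, dns=DNS, http_body=HTTP_BODY) -> Tuple[str, str]:
    """Classify one subdomain: ok, dangling-nxdomain, unclaimed-fingerprint or review."""
    record = dns.get(name)
    if record is None:
        return "ok", "name does not resolve; nothing to take over"
    if record[0] != "CNAME":
        return "ok", "direct A record"
    target = record[1]
    final, status = resolve_chain(name, dns)
    if status == "nxdomain":
        return "dangling-nxdomain", f"CNAME target {final} does not resolve; claimable if the provider allows"
    if status == "loop":
        return "review", "CNAME loop"
    for suffix, marker in FINGERPRINTS.items():
        if target.endswith(suffix) and marker in http_body.get(name, ""):
            return "unclaimed-fingerprint", f"{target} answers with the provider's unclaimed page"
    return "ok", f"CNAME to {target} is claimed"


def scan(names, dns=DNS, http_body=HTTP_BODY) -> Dict[str, str]:
    return {n: assess(n, dns, http_body)[0] for n in names}
```

Two signals are deliberately separate: an NXDOMAIN target is dangling whatever the provider, while a target that resolves is only suspicious when the provider's own "nothing here" page comes back. The stale-but-serving subdomains the theme also describes do not trip either check; those need a content and version review, not a takeover test.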
What this means
Manual testing finds material issues that automated scanners miss. Across 54 engagements, every single one produced findings. Where clients had run automated scans on the same scope first, the manual test surfaced issues the scan did not. Automation is necessary but not sufficient.
Email authentication is the cheapest fix you have not done. SPF, DKIM, and DMARC can usually be deployed in a fortnight. The CES dataset says most Australian SMBs still have not. The downside risk is paying a fraudulent invoice that looks like it came from an executive in your own company.
Attack surface is bigger than the asset register thinks. Forgotten subdomains, exposed admin panels, and end-of-life perimeter software show up in the CES dataset on roughly every domain scanned. Reducing exposure starts with knowing what is actually exposed, not what was exposed when the network diagram was last drawn.
Compliance is a floor, not a ceiling. Engagements scoped specifically to evidence PCI DSS, APRA CPS 234, ISO 27001, or SOC 2 still surface the same six pattern classes as engagements scoped without a compliance frame. The frameworks define the minimum bar. The findings define the actual risk.
Methodology and disclosures
Manual penetration testing dataset. Sourced from paid engagements with consenting clients between May 2024 and December 2025. Engagements covered web applications, APIs, internal and external infrastructure, cloud environments, and OT systems. Findings are aggregated and anonymised; no client name, asset, or specific vulnerability instance can be identified from the published statistics. Severity ratings reflect real-world impact in the tested environment, not generic CVSS scores.
Cyber Exposure Snapshot research. Sourced from 1,000+ Australian SMB domains scanned since the CES product launched, using the same non-intrusive external scanning methodology as the paid CES product. Domains span industries, regions, and revenue bands. No traffic was sent that would have impacted the operation of any service. Domains are not named in this summary; the underlying dataset is held under the standard CES research disclosure terms.
Consultancy engagements. The "hundreds of consultancy engagements" reference covers vCISO retainers, AI security reviews, cloud architecture advisory, OT cybersecurity consulting, and incident readiness work delivered alongside the testing practice. Consultancy work is not part of the published statistics on this page; it informs the operating picture but is not data-rich enough to summarise numerically.
Questions about the methodology or requests for further detail can go to sales@cybernode.au.
Common questions
The manual penetration testing dataset covers engagements delivered between May 2024 and December 2025. The Cyber Exposure Snapshot dataset is updated continuously and currently spans 1,000+ Australian SMB domains scanned since the product launched.
The penetration testing dataset is from paid engagements with consenting clients. Findings are aggregated and anonymised; no client name, asset, or specific vulnerability instance is identifiable. The CES research scans are run against publicly accessible attack surface only, using the same non-intrusive methodology as the paid CES product.
Yes. Attribute to Cyber Node and link to https://www.cybernode.au/insights/. If you are writing a longer analysis or want comment, email sales@cybernode.au.
A finding is a distinct security weakness identified during testing and reported with severity, evidence, and remediation guidance. Severity ratings reflect real-world impact in the tested environment, not a generic CVSS score. Informational items that do not carry exploit risk are not counted as findings in summary statistics.
Most industry reports aggregate scan output, vendor incident data, or self-reported survey responses. Cyber Node's penetration testing dataset is built from human-led engagements where every reported finding has been validated by a tester. The CES research is built from active scans of real Australian SMB domains rather than reused threat intelligence.