Buyer’s guide

How to choose a penetration testing provider in Australia

Choosing a penetration testing provider is harder than it looks, because almost every firm uses the same words. Everyone says manual. Everyone says experienced. Everyone says compliance-ready. The difference between a test that finds the flaw an attacker would use and a test that produces a tidy PDF is real, but it is not visible in the marketing. This guide is what we would tell a friend who asked how to tell them apart. The criteria below hold up whoever you end up hiring.

Before you compare

Start with why you are testing

Before you compare providers, be clear on what the test is for. Most engagements are driven by one of two things: a compliance obligation, or a genuine need for assurance.

If it is compliance, name the standard. APRA CPS 234, SOC 2, ISO 27001, PCI DSS, and the Essential Eight all expect testing, but not the same testing. PCI DSS names penetration testing explicitly and sets a cadence (at least annually and after significant change); CPS 234 asks for systematic testing of controls without using the words; ISO 27001, SOC 2, and Essential Eight assessments treat a test as evidence that a control works. Each wants a different depth and a different kind of evidence. A good provider scopes to the exact wording your auditor will read, and writes the report so the auditor can tick the control without a follow-up call. A provider who quotes you a generic annual pen test without asking which standard you answer to has not understood the job.

If it is assurance, because you are shipping a new platform, or you have never tested, or something feels wrong, then scope follows risk. The provider should ask what would hurt most if it failed, and aim the test there, rather than running the same checklist everywhere.

The biggest quality gap

Manual testing or automated scanning, which are you actually buying?

This is the single biggest quality gap in the market, and the easiest to get wrong.

An automated vulnerability scan runs a tool against your systems and lists known issues. It is useful, cheap, and fast, and it should be part of your security programme. It is not a penetration test. A penetration test is a person attempting to break in the way an attacker would: chaining small weaknesses, abusing business logic, exploiting the things a scanner cannot see because they require judgement.

Plenty of providers sell scan output dressed as a pen test. To tell the difference, ask for a sample report with the client details removed. A real manual test reads like a story of how someone got in and what it would have cost you. A scan reads like a list sorted by severity, with generic remediation text copied from a database. If the findings could have been produced without a human touching your system, you are buying a scan at pen test prices. We wrote a longer breakdown of this in penetration test vs vulnerability scan, and what a real engagement looks like in manual penetration testing.

Delivery

Who actually does the work?

Ask who will be on the keyboard, and where they sit.

In a lot of firms the senior name on the proposal is not the person who runs your test. The work drops to a junior bench, or is handed offshore after the sales call. That is not automatically bad, but you should know, because it changes the depth of the test and who has access to your systems and data. For sensitive environments, regulated data, OT, or anything where a breach is a board-level event, onshore delivery by a named, senior tester is worth paying for. Ask for the tester’s background, not just the firm’s, and ask where the credentials, evidence and findings from your test will be stored, and who can read them.

What accreditations tell you, and what they don’t

CREST is the accreditation you will see most. Company membership is a recognised, organisational standard covering a firm’s processes, and it is a reasonable signal, particularly for larger buyers who need a box ticked. It is worth having on the shortlist criteria.

It is also widely misunderstood. Company accreditation covers the organisation and its process, not the depth of any individual test, and strong, engineer-led firms deliver excellent work without it. CREST also certifies individual testers, which says more about the person on the keyboard than the firm’s membership does, so ask which certifications the named tester holds. Treat accreditation as one input, not the answer. Whatever badges a firm holds, verify the thing underneath: the CVs of the people doing your test, a sample of real findings, and references from clients in your sector. A badge tells you a firm cleared an audit. It does not tell you they will find your flaw.

Fit and follow-through

Does the provider understand your environment?

A web application, a payments platform, an industrial control system, and an AI agent are not the same test, and they are not interchangeable skills.

A generalist who tests corporate IT well may have never touched a PLC, an OT protocol, or a SCADA network, and an OT test by someone learning on your plant is a safety risk, not just a security one. The same is true for FinTech payment flows, for cloud infrastructure, and for AI systems where the failure modes, prompt injection, tool-use abuse, data leakage, did not exist a few years ago. Ask the provider to describe a test they have run on a system like yours. If they cannot, you are paying them to learn.

The report, and what happens after it lands

The report is the product, and most of its value is in what it lets you do next.

A good report rates findings by real severity in your context, not by scanner score, explains each one in terms an engineer can act on, includes the evidence to reproduce it (the request and response, the steps taken, a screenshot where that is the clearest proof), and gives remediation specific enough to fix without guessing. It should also be something you can hand your auditor, your board, or a customer’s security team without translation. Then there is the part that gets skipped: the retest. A finding is not closed until someone has confirmed the fix works against the same evidence. A provider who delivers a PDF and disappears has done half the job. Confirm that a retest, and a readout where your team can ask questions, are included before you sign.

Pricing

How penetration testing is priced in Australia

Manual penetration testing in Australia broadly ranges from around AUD $6,000 for a contained web application test to $40,000 or more for complex infrastructure or multi-system compliance work. Price tracks scope and the seniority of the tester, not much else.

Prefer a fixed price against a defined scope. You know what you are paying and what you are getting, and the incentive to pad the hours is gone. Be wary of a few things: per-vulnerability pricing, which rewards a provider for finding noise; open-ended day rates with no agreed scope; and quotes that are dramatically cheaper than the rest, which usually means a scan, an offshore junior, or both. Cheap testing that misses the finding is the most expensive testing there is.

Red flags

Six things that should give you pause

  • A scan presented as a penetration test
  • The work handed offshore or to a junior after the sales call
  • No retest included
  • Vague or templated scope that does not mention your systems by name
  • No named tester, and no tester CV on request
  • A report you could not give your auditor or your board

The checklist

The questions to ask any provider

Drop these into your RFP or your first call. The answers separate the field quickly. If a provider answers these straight, you are most of the way to a good decision, whoever you choose.

  1. Who exactly will run the test, and what is their background?
  2. Where is the work delivered, onshore or offshore, and where will our data and findings be stored?
  3. How much of the engagement is manual, and how much is tooling?
  4. Can I see a sample report with the client details removed?
  5. Have you tested a system like ours, and can you describe it?
  6. Is the scope fixed, and is the price fixed against it?
  7. Is a retest included, and a readout for my team?
  8. Will the report satisfy my standard (APRA CPS 234, SOC 2, ISO 27001, PCI DSS, or Essential Eight), and have you written for that auditor before?

Common questions

Penetration testing provider FAQ

How much does penetration testing cost in Australia?

Manual penetration testing in Australia broadly ranges from around AUD $6,000 for a contained web application test to $40,000 or more for complex infrastructure or compliance-driven work. The main drivers are the scope of systems in the test and the seniority of the people running it. Prefer a fixed price against a clearly defined scope.

Does APRA CPS 234 require penetration testing?

CPS 234 does not use the words penetration test. It requires systematic testing of information security controls, at a frequency commensurate with the criticality and sensitivity of the asset, its rate of change, and the consequences of an incident. In practice, manual penetration testing is the standard evidence APRA-regulated entities use to meet that requirement, scoped and documented so an auditor accepts it. More on CPS 234 testing.

How often should we run a penetration test?

At least annually, and again after any material change to the systems in scope, such as a major release, a new platform, or a significant architecture change. Higher-risk systems and regulated environments often warrant more frequent testing. The right cadence matches the rate of change and the consequence of a breach.

What is the difference between a penetration test and a vulnerability scan?

A vulnerability scan is an automated tool that lists known issues. A penetration test is a person attempting to exploit weaknesses the way an attacker would, including business logic flaws and chained exploits a scanner cannot find. Both are useful, but a scan is not a substitute for a manual test, and should not be sold as one. See the full comparison.

Do we need a CREST-accredited provider?

CREST is a recognised organisational accreditation and a reasonable signal, and some buyers require it. It is not the only marker of quality: it accredits a firm’s process, not the depth of an individual test, and strong engineer-led firms deliver excellent work without it. Verify the testers’ experience and a sample of real findings regardless of the badge.

How long does a penetration test take?

A contained web application test is often a few days of testing plus reporting. Larger infrastructure or multi-system compliance engagements run one to several weeks. Scope sets the timeline, so agree the scope first, then the schedule.

Scope an engagement

A manual engagement, run onshore by a senior practitioner, scoped to your auditor.