Everything you need to know about pen testing, vulnerability assessments, and working with Oday — answered plainly, without the jargon.
A penetration test (pen test) is an authorised, simulated cyberattack against your application or infrastructure. A security professional — or AI agent acting under human supervision — attempts to find and exploit vulnerabilities the same way a real attacker would.
The goal is to discover weaknesses before malicious actors do, so you can fix them first. You receive a detailed report of every finding with severity ratings and actionable remediation steps.
Vulnerability Assessment (A$499): Systematically identifies, classifies, and reports security weaknesses. It tells you what vulnerabilities exist and how serious they are. Think of it as a thorough security health check — ideal for understanding your risk posture or meeting a compliance requirement.
Penetration Test (A$2,499): Goes further. It actively attempts to exploit vulnerabilities to demonstrate real-world impact, proving whether a flaw can actually be used to compromise your system, steal data, or escalate privileges. Commonly required by cyber insurers and enterprise clients.
Our AI agents run automated reconnaissance, enumerate attack surface, and execute a large library of tests at machine speed — covering far more ground in less time than a manual-only approach. This drives down cost without sacrificing coverage.
Every finding is then reviewed and validated by a human security professional before appearing in your report. You get the speed of automation with the judgement of an experienced tester.
We scope every engagement carefully to minimise operational impact. For production systems we avoid destructive tests (such as data deletion or denial-of-service) unless you've specifically requested them and have a backup in place. Bear in mind that even non-destructive testing generates unusual traffic, may create test records through forms and can trigger your monitoring alerts, so let your operations team and any managed security provider know when testing is scheduled.
We recommend testing against a staging environment where possible, especially for critical production systems. We'll discuss this during scoping.
Security Assessment: Delivered within 3 business days of receiving access and sign-off on scope.
Full Pen Test: Delivered within 10 business days. Complex applications or large scope may take longer — we'll advise during scoping.
Enterprise engagements are scoped and scheduled individually.
Typically: the URLs of applications in scope, test account credentials (for authenticated testing), a brief description of the app's purpose and your main concerns, and a signed scope agreement. Where possible, provision dedicated test accounts at each privilege level (for example, a standard user and an administrator) rather than sharing a real user's credentials, and disable or rotate them once the engagement ends. We'll walk you through this after you book; nothing complex.
You receive a PDF report with: an executive summary for non-technical readers; a risk summary showing critical/high/medium/low/info finding counts; detailed findings with CVSS scores, OWASP category, proof-of-concept evidence, business impact, and step-by-step remediation guidance; and a remediation priority matrix.
You can preview our report template here.
Absolutely. All engagement details, findings, and any credentials you provide are treated as strictly confidential. We sign a non-disclosure agreement (NDA) as part of every engagement. Reports are marked CONFIDENTIAL and delivered securely.
We never disclose client information, publish case studies using identifying details, or share your report with third parties without your written consent.
Yes. Full Pen Test packages include a complimentary re-test of critical and high-severity findings within 30 days of report delivery. Security Assessment re-tests are available at a discounted rate. Contact us to discuss.
Yes. Most Australian cyber insurers now require evidence of recent penetration testing or vulnerability assessments as part of the underwriting process. Our reports are formatted to meet these requirements and include the CVSS scoring, OWASP categorisation, and remediation evidence insurers ask for.
Our assessments are aligned to ACSC guidance and we explicitly map findings to the Essential Eight where applicable. We also provide a free ACSC Essential Eight self-assessment checklist.
Yes. Our reports flag vulnerabilities that could lead to an eligible data breach notifiable under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988, and highlight findings relevant to your obligations under Australian privacy law. We also offer a free Incident Response Playbook with NDB notification timelines.
We're happy to talk through your specific situation before you commit.