Penetration Testing Services for Australian Organisations
For over 25 years, dotSec has provided cyber security penetration testing services from our Brisbane base to a wide range of corporate and government organisations across Australia. But what makes dotSec’s pen tests unique?
Surprise: dotSec’s pen testers don’t just do pen testing!
Instead, our pen testers also build things: securely hosted services, IAM systems, and the EDR-bypass proofs-of-concept and pseudo-malware experiments that make red-team exercises effective. They have system hardening skills, and they rotate through roles including EDR and SIEM analyst.
They also contribute to the EDR-evasion and malware investigation work that grows out of our own in-house EDR-bypass and assumed-breach development.
As a result, dotSec’s testers are uniquely placed to provide you with pen testing services and to deliver prioritised strategies that are practical and reasonable to implement.
What is a penetration test (pen test)?
A penetration test (pen test) is an exercise, conducted by a careful, skilled assessor, that seeks to discover, exploit and report on vulnerabilities in the target asset(s).
Penetration testing almost always includes a vulnerability assessment, where the assessor uses scanning tools in an attempt to identify known vulnerabilities in the target asset(s). Pen testing builds on vulnerability scanning and assessment: the assessor uses automated and manual techniques first to confirm that the reported vulnerabilities are real (not false positives), and then to exploit those vulnerabilities in order to engineer a successful attack, within any pre-agreed constraints or conditions.
How do penetration testing services improve your security?
Penetration testing can benefit your business in a number of ways. Most obviously, pen testing will provide you with:
An understanding of shortcomings and risks
A list of problems on its own is not going to help anyone, so dotSec’s pen testing services always focus on the risks associated with each shortcoming, and on the associated remediation options.
The idea is to present a qualitative risk assessment that is consistent with the relevant AS/NZS and ISO/IEC risk assessment and management standards and security guidelines.
Where appropriate, we refer to recognised vulnerability descriptions, such as those in the OWASP Top Ten guidelines, and we assign a severity rating to each vulnerability using the Common Vulnerability Scoring System (CVSS v4).
A prioritised, risk-based, practical plan
The most important part of a pen test is a prioritised list of recommendations, describing how each of the identified risks may be reduced to an acceptable level.
dotSec has been implementing and maintaining secure systems for over 25 years. For example, we’ve helped secure the services of a federal government service provider, the data-exfiltration detection system of a national law firm, cryptographic systems for APRA, and Identity and Access Management systems for utilities companies. And more!
Since we know what it takes to build secure systems, our pen test reports provide you with a prioritised and practical path to address the risks associated with the shortcomings we discover.
Assist with Governance, Risk and Compliance
Most governance, risk management and compliance frameworks and standards require some kind of testing program:
- The PCI DSS requires that testing be conducted on a regular basis and following any significant system changes.
- CPS 234 requires a systematic testing program.
- ISO 27001 notes that information systems should be regularly reviewed for compliance with the organisation’s information security policies and standards.
But whether compliance requirements are relevant or not, a penetration test will still help you. We can help you (the target/resource owner) to understand the level of risk, so that you can prioritise your risk management programs of work.
Validation of cyber risk controls
An equally valuable outcome of a pen test is independent validation of your cyber risk-management strategies:
dotSec’s pen tests will deliver an unbiased view of how well your security controls actually perform when tested by experienced attackers.
dotSec has been independently assessing, building, and operating secure environments for over 25 years. Some examples include federal government systems, APRA-aligned cryptographic services, and Identity and Access Management (IAM) platforms for major utilities.
Our assessments don’t rely on assumptions or theory; they provide objective, evidence-driven verification of what is secure, what isn’t, what needs attention, and in what order of priority.
How we test: dotSec’s cyber security penetration testing methodology
dotSec’s penetration testing methodology is built on over 25 years of hands-on experience securing systems for Australian government, financial services, critical infrastructure and enterprise clients. Our approach is consistent with NIST SP 800-115, OWASP and CREST testing standards, and follows five phases.
Plan for success
Step 1: Scoping and planning
Before any testing begins, dotSec’s assessors work with your team to define the scope, objectives and constraints of the engagement. This phase produces a detailed plan and a set of Rules of Engagement (ROE) that address questions including:
- What credentials or access will be provided, and are there limits on how they should be used?
- Does the target exist in a production or non-production environment, and what constraints does that create?
- Are there timing restrictions, known stability concerns, or active protection systems (such as WAFs or IPSs) that may need to be considered?
- What notification procedures should apply if high or critical vulnerabilities are discovered during testing?
- Are there third parties (hosting providers, security operations centres) that need to be informed?
Both parties commit to the plan before testing starts, ensuring clear expectations and controlled risk.
See what's there
Step 2: Reconnaissance and boundary tests
Our assessors gather detailed information about systems, business processes, information flows and the technologies that support business operations. This phase identifies the attack surface and informs the testing strategy.
Begin testing
Step 3: Testing and exploitation
dotSec combines automated scanning tools with specialist manual techniques to identify and exploit vulnerabilities. Automated tools are effective at detecting known vulnerability patterns, but manual testing remains essential for uncovering:
- Complex business logic flaws that automated scanners cannot identify
- Chained attack paths where individually low-risk findings combine into high-impact exploits
- Contextual vulnerabilities that depend on application-specific factors
- False positives that would otherwise waste your remediation effort
Our assessors draw on practical experience building secure systems, developing EDR-evasion proof-of-concepts and operating as SOC analysts, giving them an attacker’s perspective that pure pen testers typically lack.
Plan for improvement
Step 4: Analysis and reporting
Findings are verified, assessed for exploitability and business impact, and compiled into a structured assessment report. The report includes:
- An executive summary with prioritised risks and recommended actions
- Detailed vulnerability descriptions referencing OWASP, CVE and CVSS v4 scoring
- A qualitative risk assessment consistent with AS/NZS ISO 31000 and ISO/IEC 27005
- A prioritised remediation plan that accounts for your existing controls and operational constraints
Continued support
Step 5: Post-report support and meetings
dotSec’s engagement does not end with the report. We conduct follow-up meetings with your stakeholders to walk through findings, discuss remediation strategies and help align recommendations with your broader security programme. When remediation is complete, retesting verifies that identified vulnerabilities have been effectively addressed.
Penetration testing approaches
The right penetration testing approach depends on what you need to learn about your environment. dotSec tailors each engagement to your objectives, and our assessors can work across several approaches within a single engagement.
- Black-box testing
- Grey-box testing
- White-box testing
- External testing
- Internal testing
- Combined testing
Penetration testing FAQ
What is penetration testing and how is it different from a vulnerability scan?
A penetration test is an evidence-based assessment where a skilled tester discovers, validates and attempts to exploit vulnerabilities to understand real-world business impact. A vulnerability scan is automated and does not determine whether weaknesses are exploitable or meaningful. Penetration testing requires manual analysis, attacker-style reasoning and contextual risk evaluation.
NIST SP 800-115 — Technical Guide to Information Security Testing and Assessment
How often should an organisation conduct a penetration test?
Testing frequency depends on risk appetite, regulatory requirements and how often systems change. PCI DSS requires at least annual testing and after significant changes. NIST and ACSC guidance recommend conducting tests as part of a continuous assurance regime, especially when modifying authentication, deploying cloud services or introducing new technologies.
What types of penetration testing does dotSec perform?
dotSec provides external, internal, web application, mobile, cloud, API and authentication-system penetration testing. Our testers also bring broader engineering experience across AWS, IAM systems, hardening, SIEM and EDR, allowing them to identify chained attack paths that automated scanners often miss.
Will a penetration test disrupt business operations?
A well-run test has documented rules of engagement and uses safe-to-perform techniques unless you explicitly authorise otherwise. dotSec follows documented methodologies, and coordinates with operational staff to minimise disruption.
What should a good pen test report include?
A meaningful report verifies each finding, explains exploitability and business impact, and provides a prioritised remediation plan aligned with your environment. It should reference standards, guidelines and systems such as OWASP, CVE, ISO 27001, NIST or PCI DSS, and provide evidence-based guidance for control improvement.
Prudential practice guide – CPS 234
Information Supplement: Penetration Testing Guidance — PCI Security Standards Council
How much does a penetration test cost in Australia?
There is no fixed price for a penetration test. Cost depends on the scope of the engagement, the complexity of the target environment, the testing approach (black-box, grey-box or white-box), and whether retesting is included. A small web application assessment will cost significantly less than a comprehensive engagement covering internal networks, external infrastructure, APIs and cloud services. dotSec provides a detailed scope and quote after an initial consultation, so that pricing reflects the actual work required rather than a generic estimate.
Information Supplement: Penetration Testing Guidance — PCI Security Standards Council
How long does a penetration test take?
Duration varies with scope and complexity. A focused web application test may take several days, while a comprehensive engagement covering multiple environments can take several weeks. Testing timelines are agreed during the scoping and planning phase, and dotSec coordinates scheduling with your operational teams to minimise disruption. The assessment report is typically delivered within an agreed period following the completion of testing.
What qualifications should a penetration tester hold?
Look for testers who hold recognised, hands-on certifications such as OSCP (Offensive Security Certified Professional), BSCP (Burp Suite Certified Practitioner) or CREST certifications, and who work within a CREST-accredited organisation. Beyond certifications, practical experience matters: dotSec’s assessors hold qualifications including OSCP, BSCP, CISM, CISA and PCI QSA, and they rotate through operational roles across penetration testing, EDR/SIEM analysis, system hardening and IAM engineering, so their testing reflects real-world attacker techniques and defender perspectives.
What next?
A penetration test is only the first step. The real value comes from converting testing evidence into practical security and compliance outcomes. dotSec’s strength is that we do not just deliver a list of problems. Instead, using our 25+ years of experience building, securing and operating systems for corporate and government clients, we help you turn test results into measurable improvements.
Our engineers can assist with remediation planning, secure configuration, IAM hardening, log and telemetry uplift, cloud security controls, segmentation reviews, and implementation of security baselines mapped to the ACSC Essential Eight, the CIS 18 critical controls, ISO 27001 and PCI DSS. Because our testers also work across AWS security, IAM systems, EDR, SIEM and infrastructure projects, their recommendations reflect what is actually achievable in a production environment.
If your organisation also needs governance and assurance support, dotSec’s GRC specialists can help align remediation work with your risk register, provide objective evidence for internal and external audits, and improve your maturity against frameworks including ISO 27001, CPS 234 and the Essential Eight Maturity Model. This combination of testing, engineering and GRC capability ensures that you do not just fix individual findings, but strengthen your entire security posture in a structured and defensible way.
If you would like to discuss how dotSec can support testing, implementation or broader risk and compliance objectives, we would be pleased to assist.