Penetration testing services for Australian organisations
dotSec has provided penetration testing services for Australian government and enterprise organisations for over 25 years.
Our assessors don’t just test systems. They also build and defend them, rotating through roles including SOC and SIEM analysis, system hardening, IAM implementation, and EDR-evasion research.
That operational experience means our findings come with remediation guidance that is practical, prioritised, and grounded in what it actually takes to fix things.
What is a penetration test?
A penetration test is a controlled security assessment in which a skilled assessor attempts to discover, exploit, and report on vulnerabilities in a target system. It builds on vulnerability scanning by going further: the assessor manually validates each finding, attempts real exploitation, chains individual issues into higher-impact attack paths, and assesses the actual business consequences of a successful compromise.
The result is not a list of theoretical weaknesses. It is an evidence-based assessment of what an attacker could achieve, what the associated risks are, and what to fix first. Findings are rated using CVSS v4.0 and referenced against frameworks including the OWASP Top 10:2025 and OWASP Web Security Testing Guide where applicable.
Penetration testing services
dotSec provides penetration testing across four distinct service areas. Each targets a different part of your attack surface and follows a methodology appropriate to the technology and threat landscape involved.
Web application penetration testing
Web applications are where most organisations handle customer data, process transactions, and expose business logic to the internet. They are consistently among the most targeted and most exploited components in Australian environments.
dotSec’s web application penetration tests cover authentication, access controls, input validation, API security, business logic, cryptography, and server-side configuration. Testing is informed by the OWASP Web Security Testing Guide and aligned to the OWASP Top 10:2025. We test REST, GraphQL, and SOAP APIs as part of the standard engagement scope, and can include source code review where it adds value.
Web application pen testing is dotSec’s highest-volume testing service. It is explicitly required under PCI DSS v4.0.1 (Requirements 6.4 and 11.4) and is the usual evidence that application security controls have been tested under ISO 27001:2022 and APRA CPS 234.
External network penetration testing
Your internet-facing infrastructure is the first thing an attacker sees. External network penetration testing determines whether your public-facing systems can withstand a targeted attack from outside your network perimeter.
dotSec’s external assessments cover network services and protocols, web applications and customer portals, email infrastructure (SPF, DKIM, DMARC), DNS configuration, VPN and remote access gateways, cloud service endpoints (AWS, Azure, GCP), and certificate and TLS configuration. Testing methodology aligns with NIST SP 800-115 and NIST SP 800-53 Rev. 5 control CA-8 (Penetration Testing).
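The SPF and DMARC part of the email checks above is a record-strength review, which is straightforward to automate. The following is an added example written for this page, not dotSec’s own tooling: it flags the weak SPF and DMARC settings an external assessor would report (permissive or missing "all", deprecated ptr, DMARC p=none, partial pct, no aggregate reporting) and counts SPF mechanisms against the RFC 7208 limit of ten DNS lookups. The records are constructed samples passed in as strings so the script runs offline; a real assessment would obtain them with DNS TXT lookups for the domain and for _dmarc.<domain>. DKIM is left out because checking it needs a signed message rather than just a DNS record.

```python
"""Static strength checks for SPF and DMARC TXT records.

Added example for this page (not dotSec's tooling). Records are passed in as
strings so it runs offline; a real assessment would fetch them with DNS TXT
lookups for <domain> and _dmarc.<domain>.
"""
from __future__ import annotations

# RFC 7208 s4.6.4: these mechanisms and the redirect modifier each cost a DNS
# lookup, and a record that needs more than 10 evaluates to permerror.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing to report."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings: list[str] = []
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        low = term.lower()
        qualifier = "+"                      # RFC 7208: the default qualifier is pass
        if low[0] in "+-~?":
            qualifier, low = low[0], low[1:]
        # mechanism name without its argument, CIDR suffix or modifier value
        name = low.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated by RFC 7208 and slow to evaluate")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' lets any host pass SPF for this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: unlisted senders are not failed")
    elif all_qualifier == "~":
        findings.append("'~all' softfail: prefer '-all' once the sender list is complete")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lower-cased tag name."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means nothing to report."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers treat the record as p=none or ignore it")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected despite the stricter p= policy")
    pct = tags.get("pct", "100")            # RFC 7489 default when pct is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    return findings


# Constructed sample records; example.net / example.com are documentation names.
SAMPLE_RECORDS = {
    "spf_weak": "v=spf1 include:_spf.example.net a mx ptr +all",
    "spf_strong": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
    "dmarc_weak": "v=DMARC1; p=none; pct=50",
    "dmarc_strong": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        checker = check_spf if label.startswith("spf") else check_dmarc
        print(f"{label}: {rec}")
        for finding in checker(rec) or ["no issues"]:
            print("  -", finding)
```

The lookup counter is the check most often missed by hand: a record that only includes third-party senders can silently cross ten lookups as those senders' own records grow, at which point SPF evaluates to permerror and stops protecting the domain at all.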
AI penetration testing
If your organisation deploys AI or LLM components, whether customer-facing chatbots, internal knowledge assistants, document processing systems, or code generation tools, those components introduce attack vectors that conventional penetration testing will not detect.
dotSec’s AI penetration testing service covers prompt injection, training data extraction, insecure output handling, data and model poisoning, and guardrail bypass. Assessments are structured around the OWASP Top 10 for LLM Applications and the MITRE ATLAS framework.
AI pen testing can be combined with a web application assessment to cover both traditional application vulnerabilities and AI-specific risks in a single engagement.
Red teaming and adversary simulation
A penetration test targets a defined scope and seeks to identify vulnerabilities within it. Red teaming is broader: it simulates a motivated attacker operating across the entire environment, using multiple attack vectors, with the goal of testing your organisation’s detection and response capabilities.
dotSec’s red team engagements are structured as collaborative exercises. Our offensive specialists also actively defend against attacks through SOC and SIEM operations, which means they understand both sides of the equation. Findings are classified using MITRE ATT&CK technique references and reported with CVSS v4.0 severity ratings.
Red teaming is most valuable for organisations that already have mature security controls. If basic hygiene (patching, MFA, endpoint protection) is not yet in place, a penetration test is a more appropriate starting point. dotSec can advise on which approach suits your current maturity level.
Why dotSec’s pen testers are different
Most pen testing firms employ testers who only test. dotSec’s assessors also build and operate secure systems. They rotate through roles across the business, including SOC and SIEM analysis, system hardening and secure configuration, identity and access management, and EDR-evasion and assumed-breach research.
This matters because a tester who has built and maintained secure infrastructure produces different findings from one who has only attacked it. They understand what remediation actually involves, which recommendations are practical to implement, and how to prioritise findings in a way that reflects operational reality rather than theoretical severity.
dotSec has applied this approach across federal government systems, APRA-aligned cryptographic services, data-exfiltration detection for a national law firm, and IAM platforms for major utilities.
How penetration testing supports compliance
Most governance, risk management, and compliance frameworks require or strongly recommend regular penetration testing:
- PCI DSS v4.0.1 requires penetration testing at least annually and after significant changes (Requirement 11.4), plus specific protections for public-facing web applications, including an automated technical solution such as a WAF that continually detects and prevents web-based attacks (Requirement 6.4). dotSec is a PCI QSA company and a PCI DSS-compliant service provider.
- ISO 27001:2022 Annex A controls A.8.8 (Management of technical vulnerabilities), A.8.25 (Secure development life cycle), A.8.26 (Application security requirements), A.8.28 (Secure coding), and A.8.29 (Security testing in development and acceptance) all support the case for regular security testing as part of an ISMS.
- APRA CPS 234 requires APRA-regulated entities to test the effectiveness of information security controls commensurate with the criticality of the assets they protect.
- The ACSC Essential Eight maturity model addresses application patching and administrative privilege restriction, both of which are informed by pen test findings.
- NIST SP 800-53 Rev. 5 control CA-8 (Penetration Testing) specifies penetration testing as a security assessment activity, and the SP 800-53B baselines select it for High-impact systems.
Whether compliance is the primary driver or not, penetration testing provides an evidence-based view of how well your security controls actually perform under adversarial conditions.
Beyond the pen test: from findings to action
Pen test findings are only valuable if they lead to action. dotSec provides services across the full remediation cycle:
- Managed system hardening for secure configuration of Windows, Linux, and cloud environments, deployable via Intune, Ansible, or CloudFormation
- Managed WAF for web application protection while code-level fixes are implemented
- SOC, SIEM, and EDR for ongoing detection and response, with pen test findings feeding directly into detection rule tuning
- Vulnerability scanning and assessment for continuous monitoring between pen test engagements
- GRC and cyber maturity reviews to align findings with your risk register and provide audit-ready evidence
Accelerating pen tests with AI
dotSec’s AI-augmented penetration testing approach uses machine learning to accelerate reconnaissance, attack surface mapping, and vulnerability correlation. Automated discovery runs in hours rather than days, and intelligent vulnerability correlation helps identify findings that manual-only approaches might miss within the same testing window.
AI augmentation extends the scope of what a testing engagement can cover without extending the timeline. It builds on the same NIST SP 800-115 and OWASP methodologies as conventional testing, with machine learning models layered on top for speed and coverage. Findings surfaced this way are still manually validated and exploited by an assessor before they are reported, as with any other dotSec finding.
What next?
If your organisation needs a penetration test, whether for compliance, risk reduction, or as part of a broader security improvement programme, dotSec can scope an engagement to match your requirements.
Not sure which type of test you need? dotSec can advise based on your environment, maturity level, and compliance obligations.
Premier Australian cyber security specialists
ISO 27001 consulting
Practical and experienced Australian ISO 27001 and ISMS consulting services. We will help you to establish, implement and maintain an effective information security management system (ISMS).
Penetration tests
dotSec’s penetration tests are conducted by experienced Australian testers who understand real-world attacks and secure-system development. Clear, actionable recommendations, every time.
PCI DSS
dotSec stands out among other PCI DSS companies in Australia: we are not only a PCI QSA company but also a PCI DSS-compliant service provider, so we have first-hand compliance experience.
WAF and app-sec
Web Application Firewalls (WAFs) are critical, protecting web apps and services by inspecting and filtering malicious requests before they reach your servers. Whether it fronts a web page or an API, a WAF is your first line of defence.
Identity management
Multi-Factor Authentication (MFA) and Single Sign-On (SSO) reduce password risk and simplify access, letting only verified and authorised users reach sensitive systems, services and apps.
Vulnerability management
dotSec provides comprehensive vulnerability management services. As part of this service, we analyse findings in the context of your specific environment, priorities and threat landscape.
Phishing and social engineering
We don’t just test whether users will click a suspicious link — we also run exercises, simulating phishing attacks that are capable of bypassing multi-factor authentication (MFA) protections.
Penetration testing
dotSec’s penetration testing services help you identify and reduce technical security risks across your applications, cloud services and internal networks. Clear, actionable recommendations, every time.
Managed SOC/SIEM
dotSec has provided Australian managed SOC, SIEM and EDR services for 15 years. PCI DSS-compliant and ISO 27001-certified. Advanced log analytics, threat detection and expert investigation services.
Secure configuration
We provide prioritised, practical guidance on how to implement secure configurations properly. Choose from automated deployment via Intune for Windows, Ansible for Linux or CloudFormation for AWS.
Secure cloud hosting
Secure web hosting is fundamental to protecting online assets and customer data. We have over a decade of AWS experience providing highly secure, scalable, and reliable cloud infrastructure.
Essential Eight
dotSec helps organisations to benefit from the ACSC Essential Eight by assessing maturity levels, applying practical security controls, assessing compliance, and improving resilience against attacks.
CIS 18 Critical Controls
Evaluation against the CIS 18 Controls establishes a clear baseline for stakeholders, supporting evidence-based planning, budgeting, maturity-improvement and compliance decisions.
Advisory services
We have over 25 years of cyber security experience, providing practical risk-based guidance, advisory and CISO services to a wide range of public and private organisations across Australia.