

Brisbane penetration testing. No offshore. No surprises.

Cliffside delivers penetration testing for Brisbane and Queensland organisations -- APRA-regulated banks and supers, SOCI-aligned critical infrastructure, Queensland Government agencies, and ASX-listed resources HQs. Sydney-headquartered, with OSCP, OSWE, OSCE, and CREST-certified testers based across Australia. Onsite in Brisbane when scope requires it. Remote-from-Australia when it does not.

Brisbane is one of Australia's least-served penetration testing markets relative to its risk profile. The city hosts national banks, member-owned funds, two of Queensland's largest super administrators, the head offices of a meaningful slice of the resources sector, and regulated critical-infrastructure operators across energy, water, and ports. Most of these organisations buy testing from interstate or offshore providers, and most of those engagements deliver a report that the security team has to translate twice -- once for the board, once for the regulator.

We work differently. Every Cliffside engagement starts with an honest scoping conversation about what you actually need tested, what evidence the report needs to produce, and what your remediation capacity looks like. If the answer is that you need awareness training before another pen test, we tell you. If the answer is a focused web application test rather than the comprehensive engagement you were quoted, we tell you that too.

Our penetration testers are Australian residents based across multiple states -- including capacity that supports Brisbane delivery -- and individually hold OSCP, OSWE, OSCE, OSWP, CREST CPSA, and CRT credentials under formal examination. We do not offshore testing. We do not subcontract delivery. The names on the engagement letter are the names doing the work, and the senior tester who scopes your engagement remains accountable for the outcome.

Brisbane sectors we test for.

The risk profile changes meaningfully depending on what you do. Below are the Brisbane and wider Queensland sectors where we deliver penetration testing most often, and the regulatory context that shapes the scope.

APRA-regulated financial services

Queensland is home to several APRA-regulated entities including national banks, member-owned funds, and superannuation administrators. CPS 234 expects penetration testing as part of a systematic security assurance programme, and the regulator examines whether the testing actually informs your risk register -- not just whether a report exists. We scope engagements so the findings translate directly into CPS 234 evidence and into board-reportable risk language.

Critical infrastructure and energy

Queensland's energy, water, and ports sectors carry SOCI Act obligations and operate environments where the IT/OT boundary is the highest-stakes attack surface. We test the segmentation between corporate IT and operational technology, the remote vendor access paths, and the assumption that air-gapped means actually-air-gapped. Most of the time, it does not.

Queensland Government and agency suppliers

Queensland Government departments and statutory bodies operate under the QGEA and IS18:2018, which expects penetration testing of high-value systems and a documented vulnerability management process. Service providers who handle agency data inherit those expectations through their contracts. Our reports map findings to IS18 control families and the Information Security Manual where the agency is required to align with both.

Resources, mining, and ASX-listed Brisbane HQs

Brisbane hosts the head offices of several resources and mining-services groups whose IT estates have grown by acquisition into highly heterogeneous environments. The vulnerabilities we find most often are not at the perimeter -- they are in the seams between the legacy mining-systems network, the cloud migrations completed in haste, and the third-party operational platforms that nobody on the security team owns end-to-end.

How we deliver penetration testing in Brisbane.

Most external network, web application, cloud, and mobile testing is delivered remotely from Australia. The engagement is scoped over a video call, the rules of engagement are signed, credentials are handed over via your preferred secure channel, and the testers work against your environment from Australian-resident workstations. You receive daily check-ins for engagements over a week and an immediate phone call if a critical finding surfaces mid-engagement.

Onsite delivery in Brisbane is appropriate for a specific subset of work: internal network testing where physical or VPN access is required, wireless assessments that need on-the-ground signal and rogue access point detection, physical security walks, and any engagement where credential delivery into your environment is not acceptable remotely. We attend onsite for these and travel to other Queensland sites when the scope demands it -- the Sunshine Coast, Gold Coast, Townsville, and regional industrial sites included.

Reporting follows the same standard regardless of delivery mode: an executive summary with clear risk ratings; technical findings with description, evidence, severity, and specific remediation guidance; a prioritised remediation matrix; and a retest process for critical findings. The report should be useful to both your leadership team and the engineers who will remediate the issues. If it is not, we have failed.

Brisbane regulatory context.

Penetration testing in Brisbane sits inside a regulatory landscape that is partly federal and partly Queensland-specific. The frameworks that most often shape the scope of our engagements are below.

  • APRA CPS 234. Applies to APRA-regulated entities including the Queensland-headquartered banks, insurers, and superannuation administrators. CPS 234 expects testing aligned to the threats the entity actually faces, and the regulator looks for evidence that test results inform the risk register and remediation programme.
  • SOCI Act and the CIRMP. The Security of Critical Infrastructure Act covers designated assets across Queensland's energy, water, port, and data sectors. The Critical Infrastructure Risk Management Programme rule requires risk management plans that explicitly address cyber hazards, and penetration testing is one of the strongest forms of independent evidence available.
  • QGEA and Information Security Policy IS18:2018. Queensland Government agencies and statutory bodies operate under the QGEA, and the Information Security Policy expects testing of high-value systems and a documented vulnerability management process. Service providers who handle agency data inherit those expectations through contract.
  • Australian Privacy Principles and the Notifiable Data Breaches scheme. Federal obligations apply to most Brisbane organisations regardless of sector. Penetration testing supports the "reasonable steps" obligation under APP 11 and is one of the controls assessors look for in determining whether a notification was avoidable.
  • ISO/IEC 27001:2022 Annex A.8.8. Where Brisbane organisations hold or pursue ISO 27001 certification, technical vulnerability management is a required control, and penetration testing is the cleanest source of independent evidence that the process works in practice.

What's included in a Cliffside engagement.

Every engagement covers scoping and rules of engagement, intelligence gathering and threat modelling, vulnerability identification, manual exploitation and post-exploitation, evidence capture, reporting, and a remediation support window. We align to the Penetration Testing Execution Standard (PTES) and OSSTMM for infrastructure engagements, the OWASP Testing Guide and OWASP ASVS for web and mobile applications, and CREST methodology requirements for CREST-aligned engagements.

For the full breakdown of testing types -- web application, internal network, external network, cloud, mobile, IoT, and wireless -- and our complete methodology, frameworks, certifications, and pricing detail, see the main penetration testing services page. This Brisbane page covers the local angle. The hub page covers the depth.

Frequently asked questions.

Do you have penetration testers in Brisbane?
Cliffside is headquartered in Sydney, and our penetration testers are Australian residents based across multiple states. We do not offshore testing. For Brisbane engagements we deliver remotely from Australia and travel onsite for internal network testing, wireless assessments, physical security walks, and any work where remote credential handling is undesirable. The names on the engagement letter are the names doing the work.

Can you support Queensland Government Enterprise Architecture (QGEA) and IS18 obligations?
Yes. Queensland Government agencies operate under the QGEA and the Information Security Policy (IS18:2018), which expects testing of high-value systems and clear evidence of vulnerability management. Our reports map findings to IS18 control families and the Information Security Manual (ISM) where the agency is required to align with both. We also work with Queensland-based service providers who handle agency data and inherit those expectations through their contracts.

Do you test for SOCI Act obligations on Queensland critical infrastructure?
Yes. The Security of Critical Infrastructure (SOCI) Act applies to designated assets across energy, water, ports, and other Queensland critical sectors. Penetration testing supports the risk management programme obligation by providing independent evidence of control effectiveness against credible attack scenarios. We scope engagements to test the operational technology / IT boundary, the segmentation between corporate and OT environments, and the remote access paths that real-world incidents most often abuse.

Are your testers CREST and OSCP certified?
Yes, individually. Our testers hold OSCP, OSWE, OSCE, OSWP, CREST CPSA, and CRT certifications under formal examination, not at a company-wide attestation level. The full credential list and what each one validates is on our main penetration testing page.

How much does penetration testing cost in Brisbane?
The same as anywhere in Australia for the same scope. We quote fixed fees wherever possible. Indicatively: external network from $8,000 to $15,000; internal network $12,000 to $25,000; web application $12,000 to $30,000 per application; cloud $15,000 to $35,000. Pricing is driven by what you need tested and how thoroughly, not by your postcode.

Can a Brisbane engagement be scheduled within four weeks?
Often, yes. Scoping conversations can usually happen within the same week. For mid-market external network or web application engagements we typically schedule four to six weeks out. Urgent assessments tied to incident response, board reporting, or regulator deadlines can be brought forward when the scope is clear.

Brisbane testing, honest reporting.

Book a scoping conversation. We'll understand your environment, your regulatory obligations, and what you genuinely need tested -- not a recycled scope from another engagement.