Real-world attacks. Controlled environment.
Cliffside is headquartered in Sydney, with OSCP, OSWE, OSCE and CREST-certified penetration testers based across Australia. We go beyond automated scanning to simulate the techniques and tactics real attackers use, focused on the vulnerabilities that would actually matter in an incident -- not the ones a scanner happens to flag. Australia-based testers, no offshore delivery.
Team credentials
Certified to the highest industry standards.
Our team holds globally recognised certifications that demonstrate practical, hands-on capability, not just theoretical knowledge. This breadth of certification ensures our assessments are technically thorough and aligned with globally recognised methodologies and best practice.
Demonstrates practical, hands-on penetration testing skills in real-world environments. The gold standard for demonstrating that a tester can actually find and exploit vulnerabilities, not just run tools.
Covers advanced exploitation, custom exploit development, and complex attack methodologies. Proves capability in scenarios where off-the-shelf tools aren't enough.
Focused on expert-level web application security testing and source code review. Validates the ability to identify and exploit complex web vulnerabilities through manual analysis.
Specialises in wireless network security assessment and exploitation. Covers the full range of wireless attack techniques and protocol weaknesses.
Covers core security assessment principles and methodologies. Validates foundational competence in penetration testing under the internationally recognised CREST framework.
Validates advanced technical penetration testing competence under rigorous examination standards. Recognised across government and regulated industries as a benchmark for testing quality.
Testing types
Comprehensive coverage across your attack surface.
Internal and external network penetration testing, assessing firewalls, network segmentation, exposed services, and the paths an attacker could take through your environment.
Assessment of everything exposed to the internet, identifying what an attacker can see and exploit before gaining internal access.
What can an attacker do once inside? Lateral movement, privilege escalation, and access to sensitive systems, tested under realistic conditions.
Penetration testing of Azure, AWS, and hybrid environments, misconfiguration identification, IAM weaknesses, and cloud-specific attack vectors.
Targeted phishing campaigns, vishing, and physical security testing, assessing the human element of your security posture.
Assessment of WiFi security, rogue access point detection, and wireless attack surface, including guest network segmentation. Delivered by OSWP-certified wireless security specialists.
Our approach
Methodical. Evidence-based. Risk-focused.
Cliffside's testing approach is methodical, evidence-based, and risk-focused, designed to provide clear, actionable outcomes that strengthen your organisation's security posture. Every finding is validated manually and prioritised by genuine business impact.
We understand your environment, your operational constraints, and what you most need to know. We define scope, rules of engagement, and timing together.
We map your attack surface the way a real attacker would, gathering intelligence, identifying exposed services, and building a picture of your environment.
Methodical exploitation of identified vulnerabilities, using real techniques, not just automated tools. Every significant finding is validated manually by our OSCP and OSCE certified testers.
Clear, actionable findings prioritised by business impact, not just CVSS score. Executive summary, technical detail, and specific remediation steps.
We're available to clarify findings, answer questions, and help your team understand what needs to be fixed and why.
Types of penetration testing explained.
Different parts of your environment require different testing approaches. A single penetration test type does not cover your full attack surface. Here is what each type targets and why it matters.
Web application penetration testing
Web application penetration testing focuses on the applications your customers, staff, and partners interact with daily. Our testers assess authentication mechanisms, session management, input validation, authorisation logic, and business logic flaws that automated scanners consistently miss. We test against the OWASP Testing Guide methodology and prioritise findings by genuine business impact -- not just technical severity. For complex applications, we conduct source code-assisted (white box) assessments to identify vulnerabilities that black box testing alone would not surface.
Internal network penetration testing
Internal network penetration testing answers the question every board should be asking: what happens after an attacker gets past the perimeter? We simulate an insider threat or a compromised endpoint and test lateral movement paths, privilege escalation opportunities, Active Directory weaknesses, and access to sensitive data stores. This is where most organisations discover their real exposure -- the gap between their assumed segmentation and what an attacker can actually reach from a standard workstation.
External network penetration testing
External network penetration testing evaluates everything exposed to the internet. We map your external attack surface, identify exposed services, test for known and unknown vulnerabilities, and attempt to gain initial access using the same techniques real attackers use. This includes testing firewalls, VPN gateways, mail servers, and any internet-facing infrastructure. External network testing is typically the starting point for organisations new to penetration testing.
Mobile application penetration testing
Mobile application penetration testing covers iOS and Android applications, assessing client-side security, API communication, data storage, certificate pinning, and authentication flows specific to mobile platforms. Mobile applications often have weaker security controls than their web counterparts because development teams treat them as less exposed. That assumption is usually wrong.
Cloud penetration testing
Cloud penetration testing targets Azure, AWS, and hybrid cloud environments. We assess IAM misconfigurations, storage bucket permissions, serverless function security, container escape paths, and cloud-specific attack vectors. Cloud environments have fundamentally different threat models to traditional infrastructure, and testing them requires testers who understand cloud-native architectures -- not just traditional network pen testing applied to cloud IP addresses.
IoT penetration testing
IoT penetration testing covers connected devices, operational technology interfaces, and embedded systems. This includes firmware analysis, communication protocol testing, physical interface assessment, and testing the interaction between IoT devices and their backend infrastructure. Organisations in energy, manufacturing, and critical infrastructure increasingly need IoT testing as their operational technology environments converge with IT networks.
Wireless network testing
Wireless network testing assesses WiFi security, rogue access point detection, guest network segmentation, and wireless attack vectors. Delivered by OSWP-certified wireless security specialists, this testing covers WPA2/WPA3 configuration weaknesses, evil twin attacks, and the real-world risk of wireless-based initial access. Guest networks that are supposed to be isolated from corporate environments frequently are not -- and wireless testing is how you find out.
Penetration testing for compliance.
Several Australian regulatory frameworks and international standards require or strongly recommend regular penetration testing as part of a security assurance programme. The compliance drivers most relevant to our clients include the following.
- APRA CPS 234. Requires APRA-regulated entities to test the effectiveness of information security controls through a systematic testing programme. Penetration testing is a core component of satisfying this obligation, and APRA expects testing to be commensurate with the threats faced by the entity.
- ISO 27001:2022. Annex A control A.8.8 requires management of technical vulnerabilities, including assessment and testing. Penetration testing provides the evidence that your vulnerability management process works in practice, not just on paper.
- PCI DSS. Requirement 11.3 mandates both internal and external penetration testing at least annually and after significant changes. Organisations processing card payments need pen testing that specifically addresses the PCI DSS scoping and testing requirements.
- Essential Eight. While the Essential Eight does not mandate penetration testing directly, testing is the most reliable way to validate the effectiveness of controls like application control, patching, and privilege restriction at your claimed maturity level.
- SOCI Act. Critical infrastructure operators have obligations to maintain a risk management programme. Independent security assessment through penetration testing provides evidence of due diligence in managing cyber risks to critical systems.
We structure penetration testing engagements to produce compliance-ready evidence. Reports map findings to the specific framework your organisation is measured against, so your compliance team can use them directly.
How much does penetration testing cost in Australia?
Penetration test cost depends on scope, complexity, and the type of testing required. We quote on a fixed-fee basis wherever possible. Here are indicative ranges for planning purposes.
- External network penetration testing. $8,000 to $15,000 for small to mid-sized environments. Larger environments with multiple internet-facing subnets run $15,000 to $25,000.
- Internal network penetration testing. $12,000 to $25,000 depending on network size, Active Directory complexity, and the number of sites.
- Web application penetration testing. $12,000 to $30,000 per application, depending on complexity, number of user roles, and whether source code access is provided.
- Cloud penetration testing. $15,000 to $35,000 for Azure or AWS environments, depending on the number of subscriptions, services in scope, and IAM complexity.
- Mobile application penetration testing. $10,000 to $20,000 per platform (iOS or Android), including API testing.
These are not the cheapest prices in the market. Cheap pen testing usually means automated scanning repackaged as manual testing. If you are comparing providers, ask how many hours of manual testing are included, what certifications the testers hold, and whether they will demonstrate exploitation or just list potential vulnerabilities.
Benefits of penetration testing.
The benefits of penetration testing extend beyond finding technical vulnerabilities. A well-scoped pen test delivers tangible business outcomes that justify the investment.
- Real risk visibility. Penetration testing shows you what an attacker can actually achieve in your environment -- not what might theoretically be possible. This is a fundamentally different view of your security posture than vulnerability assessments or compliance audits provide.
- Compliance evidence. Testing reports provide the independent assurance evidence required by APRA CPS 234, ISO 27001, PCI DSS, and other frameworks. This is not a nice-to-have -- it is increasingly a regulatory expectation.
- Insurance leverage. Cyber insurers are tightening underwriting requirements. A recent penetration test report with evidence of remediation is one of the most effective tools for securing reasonable premiums and coverage.
- Board assurance. Boards need to understand whether security investments are working. Penetration testing provides independent, evidence-based answers that governance reviews and compliance checklists cannot.
- Prioritised remediation. Not all vulnerabilities are equal. Pen testing shows you which weaknesses are genuinely exploitable and what the business impact would be, so you can prioritise remediation where it matters most.
Penetration testing services for Sydney organisations.
We are headquartered in Sydney CBD and a large share of our engagements are scoped, delivered, and reported from this office. Our penetration testers themselves are based across multiple Australian states, which lets us cover Sydney, Melbourne, Brisbane, Canberra, Perth, and Adelaide engagements without rotating offshore staff into your environment. The questions Sydney security and risk leaders ask us most often are below.
Where are your testers based?
Cliffside is headquartered in Sydney, and our penetration testers are Australian residents based across multiple states. We do not offshore testing and we do not subcontract delivery to overseas providers. The names on the engagement letter are the names doing the work, and they hold their OSCP, OSWE, OSCE, OSWP, CREST CPSA, and CRT credentials individually -- not at a "company has someone, somewhere" level.
Can you deliver onsite in Sydney?
Yes. Onsite delivery across the Sydney metropolitan area is straightforward, and we attend in person for internal network testing, wireless assessments, physical security walks, and any engagement where remote credential delivery is undesirable. Most external network, web application, cloud, and mobile testing is delivered remotely, but the choice between remote and onsite is driven by scope and your security requirements -- not by our convenience. The same approach applies to interstate engagements in Melbourne, Brisbane, Canberra, Perth, and Adelaide.
How quickly can a Sydney engagement start?
Scoping conversations can usually happen within the same week. Engagement start dates depend on tester availability and your internal change-control window. For mid-market external network or web application engagements, we typically schedule four to six weeks out. Urgent assessments tied to incident response, board reporting, regulator deadlines, or M&A timelines can be brought forward when the scope is clear.
Who will I be dealing with?
A senior penetration tester is your point of contact from scoping through to debrief. There is no account manager intermediary, and there is no junior consultant doing the work after a senior one signed the proposal. The Sydney-based partner who scopes your engagement remains accountable for the outcome.
Why does an Australia-based team matter?
For some engagements it does not. For APRA-regulated entities, government agencies, and any organisation with data sovereignty obligations, it matters significantly. Australian-resident testers simplify chain-of-custody for testing artefacts, satisfy security-cleared personnel requirements where applicable, and remove offshore data-handling complications from your privacy impact assessment. If your scope touches any of that, ask any provider where their actual testers sit -- not where their head office is registered.
Penetration testing methodology.
Our penetration testing methodology draws on established industry frameworks adapted to the realities of Australian mid-market and enterprise environments. Every engagement follows a structured approach, but the execution is driven by skilled testers making real-time decisions -- not by automated tools following a script.
For infrastructure engagements we align to the Penetration Testing Execution Standard (PTES) and the Open Source Security Testing Methodology Manual (OSSTMM). For web and mobile application assessments we follow the OWASP Testing Guide and the OWASP Application Security Verification Standard (ASVS) where a defined assurance level is required. For CREST-aligned engagements, we apply CREST methodology requirements -- and our testers hold individual CREST CPSA and CRT certifications, validated under formal examination rather than self-attested. The common thread across every framework is manual, evidence-based testing by certified professionals. No scanner repackaged as a methodology.
Each engagement progresses through clearly defined phases: scoping and rules of engagement, intelligence gathering and threat modelling, vulnerability identification, manual exploitation and post-exploitation, evidence capture, reporting, and remediation support. The phases are explicit because that is how we keep findings reproducible, auditable, and defensible -- whether the audience is your engineering team, your board, your auditor, or the regulator.
Our approach covers the full spectrum from black box testing (no prior knowledge, simulating an external attacker) through grey box testing (limited credentials, simulating a compromised user) to white box testing (full access, source code review, simulating an insider or advanced threat). We recommend the approach that gives you the most useful results for your specific risk profile -- not the one that generates the thickest report.
What separates genuine penetration testing from automated scanning dressed up as pen testing is the human element. Ethical hacking requires experienced testers who can chain low-severity findings into high-impact attack paths, identify business logic flaws that no scanner will find, and think like an adversary. Adversary simulation and red team engagements take this further, testing your detection and response capabilities alongside your preventive controls.
AI penetration testing and abuse case testing.
Organisations deploying AI-powered features -- LLM chatbots, AI assistants, automated decision-making systems, and AI-driven workflows -- face vulnerability classes that traditional penetration testing does not cover. The attack surface is different, the exploitation techniques are different, and the business impact of a successful attack can include data leakage, reputational damage, and regulatory exposure under emerging AI governance frameworks.
Our AI penetration testing covers the following attack vectors specific to AI and machine learning systems.
- Prompt injection. Testing whether malicious prompts can override system instructions, bypass safety controls, or cause the AI to perform unintended actions. This includes both direct prompt injection and indirect injection through data sources the AI consumes.
- Jailbreaking. Attempting to bypass the safety guardrails and content policies configured for the AI system, assessing whether the model can be manipulated into producing harmful, unauthorised, or sensitive outputs.
- Data leakage. Testing whether the AI system can be induced to reveal training data, system prompts, internal configurations, or sensitive information from connected data sources that it should not expose to end users.
- Hallucination exploitation. Assessing whether AI-generated outputs can be manipulated to produce convincing but false information that could mislead users, damage brand reputation, or create legal liability.
Abuse case testing goes beyond technical vulnerabilities to assess how AI features can be misused through their intended interfaces. This includes testing whether users can manipulate AI-powered workflows to bypass business rules, escalate privileges, exfiltrate data through conversational interfaces, or cause the system to take actions outside its intended scope. Abuse case testing requires understanding both the technology and the business logic it supports.
We assess AI implementations against the ISO 42001 AI management system standard where applicable, and our approach aligns with OWASP's LLM Top 10 threat categories. For a deeper look at how organisations should approach AI security governance, see our guide on adopting AI securely. Our penetration testing guide also covers the AI attack surface in the context of a broader testing programme.
Frequently asked questions.
Are your penetration testers based in Australia?
Can Cliffside deliver penetration testing onsite in Sydney and other capital cities?
How quickly can a Sydney penetration test be scheduled?
How often should penetration testing be conducted?
What is the difference between a vulnerability scan and a penetration test?
What certifications should a penetration tester hold?
What should a penetration test report include?
How much does a penetration test cost in Australia?
Do you test AI-powered applications and LLM features?
Know what attackers would find first.
Book a scoping conversation. We'll understand your environment and design a penetration test that gives you genuine assurance, not a recycled report.