Australia Based · Operating Internationally · OSCE / OSCP Certified
☏ 1300 859 443
Penetration Testing Services · Australia

Penetration Testing Services

Core Sentinel's penetration testing services give Australian organisations a senior-led, manual assessment of your applications, infrastructure and people — whether you're meeting a compliance mandate, answering a client or contract security requirement, or responding to a breach. Every engagement is run by a certified tester and reported with a prioritised, immediately-actionable fix list — never an automated scan-and-send.

  • OSCE / OSCP-certified testers
  • Senior-only — no junior bench
  • Free re-test & letter of attestation
Maps to Essential Eight ISO 27001 SOC 2 APRA CPS 234 PCI DSS IRAP-aligned SOCI Act ST4S
Choose your engagement

Our penetration testing services

Six senior-led engagements covering applications, network infrastructure and wireless. Ordered by what Australian teams ask us for most — pick the one that fits, or use the selector below.

Not sure where to start

Which test do I need?

Start with compliance-driven testing — for Essential Eight or ISO 27001 that usually means external + internal infrastructure testing, plus web application testing for any in-scope app.
Compliance

Penetration testing for Australian compliance

How our engagements map to the frameworks Australian organisations report against. Need this spelled out for an auditor? See penetration testing for compliance.

How Core Sentinel penetration testing engagements map to Australian compliance frameworks
FrameworkHow our testing maps
Essential Eight (ACSC) External + internal infrastructure testing, and web application testing for in-scope apps, to evidence the mitigation strategies.
ISO/IEC 27001 Independent penetration testing supports A.8 technical vulnerability management and the risk-treatment evidence auditors expect.
APRA CPS 234 Regular testing of information-asset controls for APRA-regulated entities and their third parties.
PCI DSS Requirement 11 external and internal penetration testing, plus segmentation testing of the cardholder-data environment.
SOC 2 Independent penetration testing evidences the CC4.1 / CC7.1 controls SOC 2 auditors look for in the security trust-services criteria.
SOCI Act / critical infrastructure Testing that supports the risk-management-program obligations for responsible entities.
IRAP-aligned Assessments aligned to the ISM controls for systems handling government data.
ST4S (Safer Technologies 4 Schools) For edtech SaaS platforms: ST4S penetration testing of the web application and its APIs, including the ST4S v2024.1 AI criteria — prompt-injection and PII-leakage testing.
How we work

A pentest isn't a scan.

  1. 01

    Scope

    We map the realistic threats to your business and agree clear rules of engagement.

  2. 02

    Test

    A senior, certified tester does the work — manually and methodically. No junior bench.

  3. 03

    Report

    A readable report with every finding risk-rated and a prioritised list of fixes.

  4. 04

    Re-test

    Once you've remediated, we re-test to confirm your risk is genuinely closed.

  5. 05

    Attest

    We issue a signed letter of attestation — ready for your clients, auditors and compliance needs.

Common questions

Penetration testing services — common questions

Which penetration testing services identify critical vulnerabilities before a security breach?

External and internal infrastructure penetration testing surface the network and access-control weaknesses attackers exploit, while web and mobile application testing catch the flaws in your software. Most organisations combine an infrastructure test with an application test for full coverage; if you're unsure, we'll scope it for you.

How much do penetration testing services cost in Australia?

Price depends on scope — the number of applications, IP ranges, users and the depth of testing. Every engagement is quoted up front with a fixed price and no automated scan-and-send. Tell us what you're protecting and we'll give you a clear quote.

How long does a penetration test take?

A typical application or infrastructure engagement runs from a few days to two weeks of active testing, followed by a prioritised report. We agree the timeline and rules of engagement before we start.

Do you provide a letter of attestation for clients and auditors?

Yes. Once you've remediated and we've verified the fixes with a re-test, we issue a signed letter of attestation suitable for clients, auditors and compliance evidence.

Which penetration testing service do I need for Essential Eight or ISO 27001?

For Essential Eight and ISO 27001 the common baseline is external and internal infrastructure testing, plus web application testing for any in-scope application. Our compliance testing page maps this out, or we'll scope it against your framework directly.

Get started

Not sure which test you need?

Tell us what you're protecting and a senior tester will help you scope the right engagement — for a quote, or just a chat.