Penetration Testing Services
Core Sentinel's penetration testing services give Australian organisations a senior-led, manual assessment of your applications, infrastructure and people — whether you're meeting a compliance mandate, answering a client or contract security requirement, or responding to a breach. Every engagement is run by a certified tester and reported with a prioritised, immediately-actionable fix list — never an automated scan-and-send.
- OSCE / OSCP-certified testers
- Senior-only — no junior bench
- Free re-test & letter of attestation
Our penetration testing services
Six senior-led engagements covering applications, network infrastructure and wireless. Ordered by what Australian teams ask us for most — pick the one that fits, or use the selector below.
-
Applications
Web Application Penetration Testing
Full OWASP-aligned testing of your web apps and APIs — injection, authentication, access control and business-logic flaws.
Going live · client/compliance requirement · post-incident -
Applications
Mobile Application Penetration Testing
iOS and Android tested client-side, in transit and server-side, with full OWASP Mobile coverage — insecure storage, weak crypto and more.
App launch · app-store or client security review -
Network / infrastructure
Internal Infrastructure Penetration Testing
Internal network penetration testing that simulates a rogue insider or post-breach attacker — privilege escalation to domain admin, documented step by step.
Essential Eight · assumed-breach · segmentation checks -
Network / infrastructure
External Infrastructure Penetration Testing
External network penetration testing of your internet-facing IPs, firewalls, IPS and VPNs — the realistic attack paths, so you can close them first.
Perimeter review · compliance · pre-launch -
Advisory
Professional Services
Beyond testing: incident response, forensic imaging, secure code review, architecture & design review, risk assessment and WAF guidance.
IR retainer · code review · security architecture -
Network / infrastructure
Wireless Penetration Testing
Find insecure or misconfigured Wi-Fi before an attacker in the car park does — weak encryption, rogue APs and segmentation gaps.
Office / site security · compliance
Which test do I need?
Penetration testing for Australian compliance
How our engagements map to the frameworks Australian organisations report against. Need this spelled out for an auditor? See penetration testing for compliance.
| Framework | How our testing maps |
|---|---|
| Essential Eight (ACSC) | External + internal infrastructure testing, and web application testing for in-scope apps, to evidence the mitigation strategies. |
| ISO/IEC 27001 | Independent penetration testing supports A.8 technical vulnerability management and the risk-treatment evidence auditors expect. |
| APRA CPS 234 | Regular testing of information-asset controls for APRA-regulated entities and their third parties. |
| PCI DSS | Requirement 11 external and internal penetration testing, plus segmentation testing of the cardholder-data environment. |
| SOC 2 | Independent penetration testing evidences the CC4.1 / CC7.1 controls SOC 2 auditors look for in the security trust-services criteria. |
| SOCI Act / critical infrastructure | Testing that supports the risk-management-program obligations for responsible entities. |
| IRAP-aligned | Assessments aligned to the ISM controls for systems handling government data. |
| ST4S (Safer Technologies 4 Schools) | For edtech SaaS platforms: ST4S penetration testing of the web application and its APIs, including the ST4S v2024.1 AI criteria — prompt-injection and PII-leakage testing. |
A pentest isn't a scan.
-
01
Scope
We map the realistic threats to your business and agree clear rules of engagement.
-
02
Test
A senior, certified tester does the work — manually and methodically. No junior bench.
-
03
Report
A readable report with every finding risk-rated and a prioritised list of fixes.
-
04
Re-test
Once you've remediated, we re-test to confirm your risk is genuinely closed.
-
05
Attest
We issue a signed letter of attestation — ready for your clients, auditors and compliance needs.
Penetration testing services — common questions
Which penetration testing services identify critical vulnerabilities before a security breach?
External and internal infrastructure penetration testing surface the network and access-control weaknesses attackers exploit, while web and mobile application testing catch the flaws in your software. Most organisations combine an infrastructure test with an application test for full coverage; if you're unsure, we'll scope it for you.
How much do penetration testing services cost in Australia?
Price depends on scope — the number of applications, IP ranges, users and the depth of testing. Every engagement is quoted up front with a fixed price and no automated scan-and-send. Tell us what you're protecting and we'll give you a clear quote.
How long does a penetration test take?
A typical application or infrastructure engagement runs from a few days to two weeks of active testing, followed by a prioritised report. We agree the timeline and rules of engagement before we start.
Do you provide a letter of attestation for clients and auditors?
Yes. Once you've remediated and we've verified the fixes with a re-test, we issue a signed letter of attestation suitable for clients, auditors and compliance evidence.
Which penetration testing service do I need for Essential Eight or ISO 27001?
For Essential Eight and ISO 27001 the common baseline is external and internal infrastructure testing, plus web application testing for any in-scope application. Our compliance testing page maps this out, or we'll scope it against your framework directly.
Not sure which test you need?
Tell us what you're protecting and a senior tester will help you scope the right engagement — for a quote, or just a chat.