A penetration test, or pen test, is one of those services that sounds dramatic and is often misunderstood. People picture a hacker in a hoodie breaking in for sport. In reality it is a controlled, authorised exercise: a skilled tester deliberately attacks your systems the way a real attacker would, with your written permission, to find the weaknesses before someone malicious does. Here is what a penetration test actually finds, the main types, what drives the cost, and how to make sense of the report.
What a penetration test is, and what it isn't
A penetration test goes a step beyond a vulnerability scan. A scan is automated: it matches versions and signatures against a database of known weaknesses and lists them, without confirming that any of them can actually be exploited. A penetration test is hands-on: a tester chains those weaknesses together, tries to exploit them, and shows what an attacker could actually reach, like proving that a forgotten admin account plus one unpatched server equals access to your client database. It is the difference between a list of unlocked doors and someone demonstrating they can walk through them to the safe.
What a pen test actually finds
Every environment is different, but the same categories come up again and again:
- Missing patches and outdated software. Internet-facing systems running versions with known, publicly documented exploits.
- Weak and reused passwords. Accounts that fall to password spraying, and admin credentials reused across systems.
- Over-privileged accounts. Staff and service accounts with far more access than they need, so a single compromise spreads fast.
- Exposed services and forgotten assets. Old servers, test environments and remote-access ports left open and unmonitored.
- Web application flaws. Injection, broken access controls and insecure file uploads that let an attacker reach the data behind an app.
- People. Staff who click a convincing phishing email or read out a one-time code, often the fastest way in of all.
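To make two of the web application flaws above concrete, here is an added example, not code from the original page or from any provider's toolkit: a deliberately vulnerable invoice lookup written in Python against an in-memory SQLite database with constructed sample data, beside a hardened version of the same lookup. The vulnerable handler pastes the caller-supplied id straight into the SQL string (injection) and never checks who owns the record (broken access control, the kind of flaw a tester chains with one guessed password to reach another customer's data). The function names, the table and the two sample customers are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data for the illustration: two customers, two invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, owner TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 120.0), (2, "bob", 9999.0)],
    )
    return conn


def get_invoice_vulnerable(conn, current_user, invoice_id):
    """The 'before' handler (hypothetical). Two flaws in one place:

    1. SQL injection: invoice_id is interpolated into the query text, so a
       value like  1' OR '1'='1  rewrites the WHERE clause.
    2. Broken access control: current_user is never consulted, so any
       logged-in user can read any invoice by guessing ids (an IDOR).
    """
    query = f"SELECT id, owner, amount FROM invoices WHERE id = '{invoice_id}'"
    return conn.execute(query).fetchall()


def get_invoice_hardened(conn, current_user, invoice_id):
    """The hardened handler (hypothetical).

    - The id is validated as an integer and bound as a parameter, so the
      caller cannot change the shape of the query.
    - The owner check is part of the WHERE clause, so the database only
      ever returns rows the current user is entitled to see.
    """
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not a plain integer id
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "1' OR '1'='1"
    # alice asks for bob's invoice, then injects; the vulnerable handler
    # hands over bob's row and then the whole table.
    print("vulnerable, IDOR:     ", get_invoice_vulnerable(conn, "alice", "2"))
    print("vulnerable, injection:", get_invoice_vulnerable(conn, "alice", payload))
    # the hardened handler returns only alice's own invoice.
    print("hardened, IDOR:       ", get_invoice_hardened(conn, "alice", "2"))
    print("hardened, injection:  ", get_invoice_hardened(conn, "alice", payload))
    print("hardened, own record: ", get_invoice_hardened(conn, "alice", "1"))
```

The point a report would make about the 'before' version is that each flaw on its own is a finding, but together they are a path: an attacker who sprays one weak password gets a login, and the missing owner check then turns that one account into every customer's invoices.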
The main types of penetration testing
- Network testing targets your internal and external network: servers, firewalls and remote access.
- Web application testing focuses on your websites and web apps, where customer and business data often lives.
- Phishing and social engineering tests how your people respond to realistic lures, which no firewall can stop.
- Wireless testing checks whether your Wi-Fi can be used as a way in.
A good provider scopes the test to the risks that matter most to your business rather than testing everything for its own sake. Penetration testing also complements the ACSC Essential Eight: the Essential Eight sets the controls, and a pen test validates that they actually hold up under attack.
What drives the cost
The honest answer is scope. A pen test is priced on how much there is to test and how deeply. The main factors are the number of systems, applications and IP ranges in scope, the type of testing (a focused external network test costs less than a combined web-app, network and phishing engagement), and whether findings are retested afterwards. Be wary of a quote that looks suspiciously cheap: it is often an automated scan dressed up as a penetration test. A genuine test involves skilled human time, and the value is in what that person finds that a tool never would.
What you actually get: the report
The deliverable is not the attack, it is the report, and a good one is written so both your technical team and your leadership can act on it. It should include an executive summary in plain language, each finding rated by risk, clear evidence of what was exploited and how, and, most importantly, a prioritised remediation roadmap: what to fix first, second and third. The best engagements also include a retest, so you can prove the issues are genuinely closed rather than just logged.
A pen test tells you what an attacker would find first.
You can't fix what you can't see. A penetration test turns "we think we're secure" into a ranked, evidenced list of exactly where you're exposed and what to do about it, proven by someone trying to break in rather than a tool ticking boxes.
If you handle client data, are working towards a security certification, or simply have not tested your defences, a penetration test is one of the highest-value security investments you can make. Our Adelaide-based penetration testing team uses certified ethical hackers and reports in plain language with a clear remediation roadmap. Want a quick sense of your baseline first? Try our free Essential Eight self-assessment.
