Frequently asked questions
Straight answers to the questions every buyer asks. If yours isn't here, ask us directly.
What is the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment is broad and mostly automated: it identifies known weaknesses across your systems and rates them. A penetration test is deep and manual: a tester actively exploits weaknesses, chains them together and shows real-world impact. VAPT simply means doing both. We've written a longer answer in this blog post.
How much does a penetration test cost?
It depends on the size and complexity of the target. As a guide, a focused test of a small web application typically starts around $6,000 to $8,000 AUD, most single-application engagements land between $10,000 and $25,000, and large or multi-target programs go beyond that. We quote a fixed price after a short scoping conversation. See our pricing guide for detail.
How long does a penetration test take?
Most engagements run one to three weeks of testing, depending on scope. Add a few days either side for scoping and reporting. If you have a deadline, an audit, a customer contract, a launch, tell us early and we'll plan backwards from it.
Will testing break our production systems?
We test carefully and agree rules of engagement up front: what's in scope, testing windows, emergency contacts and anything that's off-limits. Denial-of-service testing is excluded unless you explicitly request it. Where the risk profile warrants it we test a staging environment that mirrors production instead.
Do you use automated scanners or is it all manual?
Both, deliberately. Scanners are good at breadth: mapping attack surface and catching known patterns quickly. Humans are good at depth: logic flaws, access control gaps and chained attacks. Every finding in our reports is manually verified; nothing is copy-pasted from scanner output.
What do we get at the end?
A report with an executive summary in plain English, technical findings with CVSS ratings, evidence, reproduction steps and specific remediation advice, plus a debrief call. After you fix the findings we retest for free and issue an updated report and an attestation letter you can share with customers or auditors.
Can you help us with ISO 27001, SOC 2 or PCI DSS requirements?
Yes. Our testing and reporting are structured to serve as evidence for ISO 27001, SOC 2 and PCI DSS. Tell us which framework and control you're addressing during scoping and we'll make sure the report speaks to it directly.
What do you need from us to start?
For most engagements: the target URLs or IP ranges, test accounts for each user role, a technical contact, and written authorisation to test. We provide a scoping questionnaire that captures all of it in about fifteen minutes.
How often should we get tested?
At least annually, and after any significant change: a new application, a major feature, an infrastructure migration. Many of our clients pair an annual deep test with lighter checks when big releases ship.
Is our data safe with you?
Engagement data and evidence are stored encrypted, access is limited to the testers on your engagement, and everything is deleted on an agreed schedule after closure. We're happy to sign your NDA before scoping begins.
Still have questions?
Scoping conversations are free and obligation-free. Worst case, you leave knowing exactly what to ask the next vendor.