Penetration testing for Australian SMBs in 2026: what it costs and what it finds

By Greg Markowski / Feb 8, 2023 / Cybersecurity & Compliance

Penetration testing in Australian SMBs is one of the most over-promised and under-delivered services in the cyber market. Businesses pay $15,000 to $50,000 for a “pen test”, receive a 60-page report dominated by findings that any decent vulnerability scanner would have found for free, and walk away believing they have validated their security posture. Many of them have not.

This is not because pen testing is a bad investment. It is because most Australian SMBs do not know what they are buying, the market has a strong incentive to sell volume rather than depth, and the difference between a real penetration test and a packaged vulnerability scan is invisible from a quote document. Let us walk through what a real pen test actually involves, what it costs in 2026, and how to tell the difference before you commit the budget.

What a penetration test actually is

A penetration test is a controlled attempt by skilled humans to compromise your environment using the techniques real attackers use. The deliverable is not a list of vulnerabilities. The deliverable is a narrative of what an attacker could actually achieve, starting from defined assumptions about their starting position, ending with documented proof of impact.

The distinction from a vulnerability assessment matters. A vulnerability assessment scans your environment for known weaknesses and produces a list. Useful, but not what a pen test is. A penetration test takes those findings (and many others not visible to scanners) and chains them together into a realistic attack path. The output answers a different question. Not “where are we exposed”, but “what can an attacker accomplish if they exploit that exposure”.

The penetration test market in Australia includes work at three distinct depths.

The first depth is essentially automated vulnerability scanning with a human-written report on top. Cost is $5,000 to $12,000. Time investment is two to five days of effort. Outputs are largely what a Tenable or Qualys scan would produce, packaged with manual write-ups. This is the most commonly sold “pen test” in the Australian SMB market and it is not what a real one looks like.

The second depth is genuine manual testing against a defined scope. Cost is $18,000 to $45,000. Time investment is two to four weeks of skilled human effort. Outputs include vulnerability findings plus exploitation chains, post-exploitation movement, and impact demonstration. This is what most regulated industries actually need.

The third depth is full red team engagement, often combined with social engineering and physical components. Cost is $60,000 to $200,000+. Time investment is six to twelve weeks. Outputs include realistic attacker simulation against a mature defensive posture. This is rarely the right purchase for SMBs but increasingly relevant for larger Australian mid-market businesses, particularly in regulated sectors.

What you should actually be testing

The honest scoping conversation depends on your business reality, not on what the testing vendor wants to sell. Four categories cover most Australian SMB needs.

External infrastructure testing covers internet-facing systems. Your website, email gateway, VPN endpoints, any exposed services. This is the foundation. Every business with internet presence should test this annually. Cost is at the lower end of the range because the scope is bounded and tooling is well-developed.

Internal network testing covers what an attacker can do once inside your network. Compromised user account, malicious insider, infected device, exposed Wi-Fi. The test simulates that starting position and traces what is reachable. This is significantly more revealing than external testing for most businesses because the internal posture is usually weaker than the perimeter.

Cloud and Microsoft 365 testing covers your tenant configuration, identity controls, Conditional Access, and SaaS application security. This is the area most Australian SMBs miss because they assume Microsoft’s controls are sufficient. The reality is that misconfiguration is the dominant attack pattern in cloud, not vendor vulnerability. Testing your specific tenant is necessary because the default state is rarely the secure state.

Application testing covers custom-built or heavily customised applications your business depends on. Your customer portal, your in-house CRM, the bespoke compliance tool somebody built years ago. These rarely receive the security attention they need, and they are increasingly a primary target because their weaknesses are not in any commercial vulnerability database.

How to recognise a real pen test from a packaged one

Five things to look for in any quote.

  1. Named testers with verifiable credentials. OSCP, OSCE, CREST CRT, or equivalent at minimum. Senior testers will have OSEP, CRTO, or specialised certifications. If the vendor cannot name the individuals doing the work, the work is being subcontracted to whoever is available, and the quality varies wildly.
  2. Daily effort allocation, not just calendar duration. “Two weeks” is meaningless. “Sixty hours of senior tester effort across two weeks” is meaningful. Ask for the breakdown. The honest vendors will provide it.
  3. A scoping conversation before the quote, not a price first. Vendors who quote off a simple form are selling templated work. Vendors who insist on a 60 to 90 minute scoping call before pricing are scoping the work to your reality. The second pattern produces better outcomes.
  4. Sample reports from comparable engagements. Every reputable vendor can provide redacted sample reports. If you cannot get one, the vendor is either inexperienced or hiding low-quality work. Reading a sample report tells you more about the vendor than any sales conversation.
  5. A defined retest included in the engagement. Finding vulnerabilities is half the work. Confirming remediation is the other half. Vendors who charge separately for retests are signalling that they expect to find things and then charge again to confirm fixes. The good vendors include one retest cycle.

What we see in Australian SMB pen test reports

Across the engagements we review for clients, the same findings appear repeatedly. These are the top five categories.

Microsoft 365 Conditional Access misconfiguration is the single most common high-severity finding in Australian SMB pen tests in 2026. Legacy authentication still enabled. Conditional Access policies that exclude critical user groups. MFA bypass paths through fallback methods, the same problem we covered in our MFA fallback piece. Most businesses think their M365 is locked down. Most are wrong.
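The three misconfigurations named above (legacy authentication not blocked, policies that exclude user groups, policies left in report-only mode) can all be checked from a policy export before a tester ever touches the tenant. The following is an added example, not code from the original article or from Epic IT. It runs an offline audit over a constructed list of policy objects shaped like the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `conditions.clientAppTypes`, `grantControls.builtInControls`); the policy names and group id are made up, and in a real review the list would come from the tenant's own export of `/identity/conditionalAccess/policies`.

```python
"""Offline audit of Conditional Access policies for the three common gaps.

Added example; not part of the original article. SAMPLE_POLICIES is a
constructed export in the shape of the Graph conditionalAccessPolicy resource.
"""
from __future__ import annotations

from typing import Any

# Client app types that represent legacy (non-modern-auth) protocols.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

# Constructed sample: one MFA policy with a group exclusion, and a legacy-auth
# block that was left in report-only mode. Names and ids are made up.
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": [],
                "excludeGroups": ["grp-executives-0001"],  # placeholder group id
            },
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def is_enforced(policy: dict[str, Any]) -> bool:
    """Only 'enabled' policies change sign-in outcomes; report-only does not."""
    return policy.get("state") == "enabled"


def blocks_legacy_auth(policy: dict[str, Any]) -> bool:
    """True if this policy is enforced and blocks both legacy client app types."""
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    covers_legacy = types == {"all"} or LEGACY_CLIENT_TYPES <= types
    return is_enforced(policy) and "block" in controls and covers_legacy


def exclusions(policy: dict[str, Any]) -> list[str]:
    """Users and groups carved out of the policy's scope."""
    users = policy.get("conditions", {}).get("users", {})
    return list(users.get("excludeUsers", [])) + list(users.get("excludeGroups", []))


def audit(policies: list[dict[str, Any]]) -> list[str]:
    """Return human-readable findings for the tenant-wide and per-policy checks."""
    findings: list[str] = []
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("No enforced policy blocks legacy authentication clients")
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        state = p.get("state")
        if state == "enabledForReportingButNotEnforced":
            findings.append(f"{name}: report-only, not enforced")
        elif state == "disabled":
            findings.append(f"{name}: disabled")
        ex = exclusions(p)
        if ex and is_enforced(p):
            findings.append(f"{name}: excludes {len(ex)} user(s)/group(s): {', '.join(ex)}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print("FINDING:", line)
```

Every exclusion gets reported rather than judged, because whether an executive break-glass group should be exempt is a scoping question for the business; the script's job is to make the exemptions visible so the pen test scope, and the remediation plan, can account for them.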

Privileged account hygiene failures. Domain admin accounts used for daily work. Service accounts with interactive logon enabled. Shared admin credentials. Failure to implement tiered administration. These are the findings that translate to “attacker can take the whole environment in under 4 hours”, and they remain depressingly common.
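Two of the hygiene failures listed above, domain admins used for daily work and service accounts signing in interactively, leave a direct trace in Windows security event 4624 (successful logon). The following is an added example, not code from the original article or from Epic IT. It runs a small tier-model check over constructed log lines: the account names, host names, tier assignments and the key=value line format are all assumptions made for the example; a real implementation would read the same fields from the Windows event XML or a SIEM export.

```python
"""Tiered-administration hygiene check over sample 4624/4625 logon events.

Added example; not part of the original article. The event lines, account
names, host names and tier assignments below are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterator

# Constructed inventory: which accounts are privileged, which are service
# accounts, and which hosts belong to which administrative tier.
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin01", "CORP\\da-admin02"}
SERVICE_ACCOUNTS = {"CORP\\svc-backup", "CORP\\svc-sql"}
TIER0_HOSTS = {"DC01", "DC02"}      # identity infrastructure
TIER1_HOSTS = {"SQL01", "BKP01"}    # servers
# Anything not listed above is treated as a tier-2 workstation.

# Windows logon types: 2 console, 10 RDP, 11 cached credentials (interactive);
# 4 batch and 5 service are the only types a service account should produce.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
HUMAN_ONLY_LOGON_TYPES = {2, 10}

# Constructed sample events (one successful RDP to a DC, one admin console
# logon on a finance workstation, one service account used interactively,
# one ordinary user, and one failed logon that must be ignored).
SAMPLE_EVENTS = """\
2026-02-03T08:12:04Z EventID=4624 Account=CORP\\da-admin01 LogonType=10 Host=DC01
2026-02-03T08:40:17Z EventID=4624 Account=CORP\\da-admin01 LogonType=2 Host=WS-FINANCE-07
2026-02-03T09:02:55Z EventID=4624 Account=CORP\\svc-backup LogonType=5 Host=BKP01
2026-02-03T09:15:30Z EventID=4624 Account=CORP\\svc-backup LogonType=2 Host=WS-IT-02
2026-02-03T09:20:01Z EventID=4624 Account=CORP\\jsmith LogonType=2 Host=WS-FINANCE-07
2026-02-03T09:31:44Z EventID=4625 Account=CORP\\da-admin02 LogonType=3 Host=DC02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"LogonType=(?P<lt>\d+) Host=(?P<host>\S+)$"
)


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield {
                "ts": m["ts"],
                "eid": int(m["eid"]),
                "acct": m["acct"],
                "lt": int(m["lt"]),
                "host": m["host"],
            }


def tier_of(host: str) -> int:
    """Map a host to its administrative tier (0 = identity, 1 = servers, 2 = endpoints)."""
    if host in TIER0_HOSTS:
        return 0
    if host in TIER1_HOSTS:
        return 1
    return 2


def hygiene_findings(text: str) -> list[str]:
    """Flag successful logons that break the tier model or misuse service accounts."""
    findings: list[str] = []
    for ev in parse_events(text):
        if ev["eid"] != 4624:          # only successful logons are evidence of use
            continue
        acct, lt, host = ev["acct"], ev["lt"], ev["host"]
        if acct in PRIVILEGED_ACCOUNTS and lt in INTERACTIVE_LOGON_TYPES and tier_of(host) == 2:
            findings.append(
                f"{ev['ts']} {acct}: privileged account interactive logon (type {lt}) "
                f"on tier-2 workstation {host}"
            )
        if acct in SERVICE_ACCOUNTS and lt in HUMAN_ONLY_LOGON_TYPES:
            findings.append(
                f"{ev['ts']} {acct}: service account interactive logon (type {lt}) on {host}"
            )
    return findings


if __name__ == "__main__":
    for line in hygiene_findings(SAMPLE_EVENTS):
        print("FINDING:", line)
```

The RDP logon by `da-admin01` to `DC01` is not flagged, because a domain admin managing a domain controller is exactly what the tier model permits; the same account on a finance workstation is the finding, since credentials cached there are what lets a single infected endpoint turn into the "whole environment in under 4 hours" outcome the paragraph describes.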

Backup configuration with attacker access. Backups stored in the same network as production. Backup admin accounts shared with general admin accounts. Missing offline or immutable copies. The Essential Eight requirement for daily backups is widely met. The requirement that backups survive a compromise is widely missed.

External infrastructure with avoidable exposure. Forgotten cloud assets running outdated software. Exposed RDP or SSH that should be VPN-only. Subdomain takeovers from abandoned services. The basics that should not appear in 2026 still appear.

Internal patch latency on critical services. Domain controllers running unpatched. Exchange or hybrid components with known vulnerabilities. SQL Server with default configurations. The boring findings, but the ones that decide breach outcomes.

How often to test

The Essential Eight does not mandate penetration testing directly. ISO 27001 and SMB1001 both reference it. Cyber insurance underwriters increasingly require it for renewal. The federal Privacy Act amendments coming into effect in December 2026 will indirectly tighten expectations by requiring demonstrable security controls for businesses handling automated decisions.

The realistic cadence for Australian SMBs in 2026.

External infrastructure testing annually for any business with internet presence. Internal network testing every 18 to 24 months unless the network changes materially. Cloud and Microsoft 365 testing annually if Conditional Access is actively in use, every two years if it is more static. Application testing every time a significant release goes live, with a comprehensive review annually.

The cost of this cadence for a typical 50-person professional services SMB lands at $30,000 to $50,000 per year all-in, spread across the test types. Less if scoped narrowly. More if the environment is complex. The ROI calculation depends on what you are protecting, but for any business holding sensitive client data, the cost compares favourably to a single Notifiable Data Breach incident handled badly.

What we recommend

For Australian SMBs that have never had a real penetration test, start with a focused external plus M365 engagement. Roughly $20,000 to $30,000, two to three weeks, covers the two highest-impact attack surfaces.

For businesses preparing for ISO 27001, SMB1001 Level 3, or Essential Eight ML2 audits, the testing should align to the framework requirements. The auditor will ask. Better to have it done than to be doing it under pressure.

For businesses already running annual pen tests with the same vendor for three or more years, consider switching providers. Familiarity breeds blind spots. Fresh testers see the things their predecessors miss. The cost is identical and the findings are usually different.

For businesses with cyber insurance renewals coming up in the next 12 months, the testing question will be in the underwriting questionnaire. Better to lead with proof than to scramble at renewal time.

Frequently asked questions

How much does a penetration test cost in Australia in 2026?

For a focused external plus internal test against an Australian SMB, expect $18,000 to $45,000 depending on scope and depth. Cheaper engagements are usually packaged vulnerability scans rather than real penetration tests. More expensive engagements are typically scoping a larger environment or adding red team elements. The right cost depends entirely on what is being tested and how deep the work goes.

What is the difference between a penetration test and a vulnerability scan?

A vulnerability scan uses automated tooling to identify known weaknesses and produces a list. A penetration test uses skilled humans to chain weaknesses into realistic attack paths and documents the actual impact an attacker could achieve. Vulnerability scans are useful and inexpensive. Penetration tests are necessary and more expensive. Many Australian businesses pay penetration test prices for what is essentially packaged vulnerability scanning. Knowing the difference matters.

How long does a penetration test take?

For an Australian SMB with a typical environment, a meaningful penetration test runs two to four weeks of skilled human effort from initial scoping to final report. The active testing window is usually one to two weeks. The remainder is scoping, reporting, and a final walkthrough. Engagements quoted at five days or less are rarely doing the depth of work the title implies.

Do we need penetration testing for Essential Eight or SMB1001 compliance?

The Essential Eight does not explicitly mandate penetration testing. ISO 27001, SMB1001 Level 3, and most cyber insurance policies do. Penetration testing also provides evidence for the broader Essential Eight controls, particularly around patching, restricting admin privileges, and event logging. For any business at Essential Eight Maturity Level 2 or above, annual penetration testing is the implicit expectation even where it is not explicitly required.

Should we test our cloud and Microsoft 365 environment?

Yes. Microsoft 365 misconfiguration is the most common high-severity finding in Australian SMB penetration tests in 2026. Conditional Access gaps, legacy authentication, MFA bypass paths, over-permissioned service accounts. These do not show up in vulnerability scans because they are configuration issues rather than software vulnerabilities. They are also the most likely path for a real attacker. Cloud and M365 testing is no longer optional for businesses serious about their security posture.

What should we look for in a pen test report?

An executive summary that articulates business impact, not just technical findings. Attack chains that connect individual vulnerabilities into realistic scenarios. Severity ratings that reflect actual exploitability, not theoretical CVSS scores. Specific remediation guidance for each finding. Evidence of exploitation, not just vulnerability identification. Reports dominated by automated scan output, generic remediation language, and no attack narrative are signals of low-quality work regardless of price.

Need help scoping a penetration test that actually delivers value?

We help Australian SMBs scope penetration tests that match their real risk, evaluate vendor proposals, and interpret report findings independently. There is no conflict of interest because we do not run pen tests ourselves: we connect clients with the right testers and validate the outcome.


About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
