Cyber Security • 2026 Australian Guide
Penetration Testing vs Red Teaming vs Vulnerability Scanning: What Your Business Actually Needs
Three very different engagements get sold under the banner of “security testing” — at prices ranging from a few hundred dollars to well over $100,000. Here is what each one actually does, what it costs in Australia, and which one to buy first.
The short answer: a vulnerability scan is an automated tool that lists known weaknesses, a penetration test is a skilled human proving which weaknesses an attacker could actually exploit, and a red team engagement is a covert, weeks-long simulation of a real adversary that tests your people and detection capability as well as your technology. They differ in depth, cost and purpose — and most Australian businesses need them in exactly that order.
The confusion is not academic. We regularly meet businesses that paid pen-test prices for a rebadged automated scan, and others that were sold a red team engagement when they had no monitoring in place to detect it — which is a very expensive way to learn nothing. According to the Australian Signals Directorate’s Annual Cyber Threat Report, a cybercrime is reported in Australia roughly every six minutes, and Google Mandiant’s research puts the average time between a vulnerability being disclosed and being exploited at about five days. Knowing which form of testing you need, and when, is now a core business decision rather than an IT nicety.
Key takeaways
- Vulnerability scans find known weaknesses automatically and cheaply; they should run continuously, not once a year.
- Penetration testing is a manual, expert-led exercise that proves real-world impact. In Australia in 2026, most engagements cost $5,000–$40,000 AUD depending on scope.
- Red teaming is a covert adversary simulation costing $40,000–$100,000+. It only delivers value once you have detection and response capability worth testing.
- Red team = offence, blue team = defence, purple team = the two working together. Most SMBs get their “blue team” through a managed detection and response (MDR) service.
- The ASD announced in June 2026 that the Essential Eight will be retired within two years in favour of an outcomes-based Essentials series — which makes independent testing more important, because testing is how you prove outcomes.
In this guide
What is a vulnerability scan?
Scanning is the smoke detector of security testing: inexpensive, automated and designed to run constantly. A scanner will tell you that a server is missing a critical patch or that a firewall port is open to the internet, and it will tell you within hours of the problem appearing. What it cannot do is think. It will not chain three low-severity findings into a path to your customer database, it cannot judge business context, and it produces false positives that need human review.
Because the average time from disclosure to exploitation of a new vulnerability is now measured in days rather than months, an annual scan is close to worthless. Scanning belongs in the “always on” category — continuous or at least monthly — and in a well-run environment it is bundled into your managed cyber security services rather than purchased as a one-off event.
Watch out for: providers selling an automated scan report at penetration-test prices. If the engagement took a day, nobody spoke to your team about scope, and the “report” is raw scanner output with a new cover page, you bought a scan — whatever the invoice says.
What is penetration testing?
Where a scanner reports “this door lock is an old model”, a penetration tester picks the lock, walks inside, and shows you exactly which filing cabinets they could open. That difference — demonstrated impact versus theoretical weakness — is what boards, auditors, insurers and enterprise customers are asking for when they request a “pen test report”. Good testing follows recognised methodologies such as OWASP and MITRE ATT&CK, and in Australia the strongest signal of quality is a provider whose testers hold CREST certification.
Common types of penetration test include:
- External network testing — your internet-facing systems: firewalls, VPNs, mail gateways and anything an attacker can reach without credentials.
- Internal network testing — what an attacker (or malicious insider) could do after getting a foothold: privilege escalation, lateral movement and access to sensitive data.
- Web application and API testing — customer portals, booking systems and SaaS platforms, including logic flaws no scanner can find.
- Cloud and Microsoft 365 configuration testing — identity, permissions and tenant hardening in the environments where most Australian SMBs now actually live.
- Social engineering — controlled phishing and pretexting exercises that test your people alongside your technology.
A pen test is typically a one-to-two-week engagement against a defined scope, your IT team usually knows it is happening, and the goal is breadth: find and verify as many exploitable issues as possible, then hand you a prioritised plan to fix them. The deliverable that matters is not the moment of compromise — it is the report, the debrief and the retest that confirms your fixes worked.
What is red teaming?
A red team is given a mission, not a checklist: “access the payroll system”, “exfiltrate the client database”, “take control of the domain”. Only a small trusted group inside your business knows the exercise is running. The operators move slowly and quietly, blending in with normal activity, using phishing, stolen credentials, physical intrusion or whatever a genuine attacker would use. Success is measured on two sides at once: what the red team achieved, and what your defenders noticed while it was happening.
That second half is the point — and it is why buying a red team engagement too early is the most common and expensive mistake in security testing. If you have no 24/7 monitoring, no endpoint detection, and no incident response plan, a red team will succeed in week one, your organisation will detect nothing, and you will have paid $40,000 or more to confirm what a $10,000 penetration test would have told you with far more actionable detail. Red teaming is the final exam. Sit it after you have done the coursework: baseline controls in place, penetration test findings remediated, and a detection capability — in-house or through a managed detection and response partner — genuinely worth examining.
Vulnerability scanning vs penetration testing vs red teaming: side by side
The three engagements sit on a spectrum. As you move from left to right, breadth gives way to depth, automation gives way to human expertise, and the question being answered changes from “what is weak?” to “what can be exploited?” to “would we even notice?”
The security testing spectrum
Step 1
Vulnerability scan
Automated • continuous
“What is weak?”
Step 2
Penetration test
Human-led • scoped • 1–2 weeks • annual
“What can be exploited?”
Step 3
Red team
Covert • objective-driven • 4–12 weeks • tests people, process and detection
“Would we even notice?”
Depth, realism, human effort and cost all increase →
Vulnerability scan
Question answered
What known weaknesses exist?
Performed by
Automated tools
Your team’s awareness
Fully aware
Duration
Hours, run continuously
Typical cost (AUD)
Low — often included in managed services
Frequency
Continuous or monthly
Best suited to
Every business, as baseline hygiene
Penetration test
Question answered
What could an attacker exploit, and what is the impact?
Performed by
Certified specialists (CREST in Australia)
Your team’s awareness
Usually aware
Duration
Days to two weeks
Typical cost (AUD)
$5,000–$40,000 per engagement
Frequency
Annual, plus after major change
Best suited to
Any business holding sensitive data or facing compliance, insurance or customer requirements
Red team
Question answered
Can we detect and respond to a real adversary?
Performed by
Senior offensive-security operators
Your team’s awareness
Covert — defenders are not told
Duration
Four to twelve weeks
Typical cost (AUD)
$40,000–$100,000+
Frequency
Every 1–2 years, once mature
Best suited to
Organisations with monitoring and response capability in place
Red team vs blue team vs purple team: who does what?
Security testing borrows its colour scheme from military exercises, and the jargon trips up a lot of buyers. It is simpler than it sounds:
- The red team plays offence. Ethical hackers who think and act like attackers — penetration testers and red team operators both sit on this side.
- The blue team plays defence. The people watching logs and alerts, hunting threats, and responding to incidents. Very few Australian businesses under 200 staff can justify an in-house 24/7 blue team — which is why most consume this capability as a managed detection and response (MDR) service.
- Purple teaming is the two working together. Not a third department — a way of running exercises. The red team executes a technique, the blue team says what they saw (or did not see), detection is tuned on the spot, and the technique is run again. Attack knowledge converts directly into defensive improvement, in hours instead of months.
Red, blue and purple explained
RED TEAM
Offence: attack & expose
Pen testers • red team operators
BLUE TEAM
Defence: detect & respond
SOC analysts • MDR service
attack techniques ⇄ detection feedback
PURPLE TEAMING
Offence and defence in the same room, tuning detection live
A useful rule of thumb from the industry: red and blue are nouns, purple is a verb. You do not hire a purple team; you run purple team exercises with your testing provider and whoever handles your detection. For a mid-sized Australian business, a half-day purple exercise pairing your MDR provider with a penetration tester is often the single highest-value hour-for-hour spend in the entire security budget — every technique either validates a detection or creates one.
Which one does your business actually need?
Match the engagement to your maturity, not to the most impressive-sounding proposal. Here is the decision path we walk new clients through:
Where should you start?
Never had independent testing?
No scan history, no reports on file
→ Baseline: continuous scanning + external penetration test
Tender, insurer or client asking for evidence?
Security schedules, renewal questionnaires, due diligence
→ Scoped CREST pen test with board-ready report + retest
Regulated industry?
APRA, health, aged care, legal
→ Annual testing program + 24/7 MDR monitoring
Controls mature, MDR in place, pen test findings fixed?
Detection capability genuinely worth examining
→ Purple team exercises, then a full red team
Three mistakes to avoid, because we see them constantly:
- Buying a red team before you can detect one. Fix the basics and build monitoring first — otherwise you are paying a premium to be told you have no locks.
- Treating a scan as a pen test. Insurers, auditors and enterprise clients increasingly reject scanner output dressed up as testing — and so should you.
- Testing once and filing the report. An unremediated finding is a documented liability. Budget for the fixes and the retest, not just the test.
The Australian compliance drivers (including the Essential Eight change)
No single Australian law says “thou shalt pen test”. In practice, a web of obligations and commercial pressures gets you to the same place:
- APRA CPS 234 requires banks, insurers, superannuation funds and other regulated entities to systematically test the effectiveness of their information security controls, using appropriately skilled and functionally independent testers. If you serve APRA-regulated clients, expect those obligations to flow down the supply chain to you. Our guide to cyber security for financial services covers this in depth.
- The Privacy Act requires reasonable steps to protect personal information, and penalties for serious or repeated breaches now reach $50 million or more. Demonstrating regular independent testing is one of the clearest ways to evidence “reasonable steps” after an incident.
- ISO 27001 certification expects a managed program of technical vulnerability identification and testing — auditors will ask for scan records and test reports.
- PCI DSS mandates penetration testing for any environment that stores, processes or transmits card data.
- Cyber insurance and enterprise procurement are, for many SMBs, the real forcing functions. Renewal questionnaires and tender security schedules increasingly ask the same two questions: when was your last penetration test, and were the findings remediated?
July 2026 update: the Essential Eight is being retired — and it makes testing more important, not less
In June 2026 the Australian Signals Directorate confirmed it will begin deprecating the Essential Eight in around 12 months and retire it within about 24 months, replacing it with a broader “Essentials” series — separate, outcomes-focused guidance for enterprise IT, cloud and operational technology, with agentic AI flagged as a likely future chapter. ASD has been explicit that work already done under the Essential Eight carries over.
The strategic shift is from prescriptive checklists to security outcomes. A checklist tells you what to build; only testing tells you whether it works. As Australia’s baseline guidance becomes outcomes-based, independent validation — scanning, penetration testing and attack simulation — becomes the primary way to demonstrate those outcomes to regulators, insurers and customers.
How often should you test?
Vulnerability scanning
Recommended frequency
Continuous, or monthly at minimum
Also trigger after
Any new internet-facing system
External penetration test
Recommended frequency
Annually
Also trigger after
Network redesign, new VPN or firewall, office move
Web application / API test
Recommended frequency
Annually
Also trigger after
Major releases or new customer-facing features
Internal penetration test
Recommended frequency
Every 1–2 years, risk dependent
Also trigger after
Mergers, migrations, major identity changes
Purple team exercise
Recommended frequency
1–2 per year once MDR is in place
Also trigger after
Onboarding or changing your detection provider
Red team engagement
Recommended frequency
Every 1–2 years, mature environments only
Also trigger after
Significant investment in detection and response
What security testing costs in Australia in 2026
Most providers hide pricing behind “contact us”. Based on published Australian market pricing in 2026, here are honest indicative ranges (AUD, excluding GST). Scope is the dominant variable — the number of applications, hosts, user roles and locations — so treat these as planning figures, not quotes.
Managed vulnerability scanning
From a few hundred dollars per scan
Typical effort: automated, ongoing — often bundled with managed security
External network pen test
$6,000–$15,000
Typical effort: 2–5 days
Web application pen test
$5,000–$20,000 per application
Typical effort: 3–10 days
Internal network pen test
$10,000–$30,000
Typical effort: 5–10 days
Cloud / Microsoft 365 review
$6,000–$18,000
Typical effort: 3–8 days
Red team engagement
$40,000–$100,000+
Typical effort: 4–12 weeks
Indicative ranges, AUD excluding GST, based on published Australian market pricing surveyed July 2026.
Two pricing signals worth heeding. A quote dramatically below these ranges usually means automated scanning in disguise, offshore delivery with no accountability under Australian law, or a scope so narrow the report will not satisfy whoever asked for it. And a quote without a scoping conversation is a template, not an assessment — nobody can price testing your environment without asking questions about your environment.
How to choose a testing provider: a seven-point checklist
1. CREST certification
Australia’s recognised benchmark for penetration testing capability and ethics. Ask which certifications the actual testers hold, not just the company.
2. A real scoping process
Quality providers ask detailed questions before quoting. If the price arrives before the questions, walk away.
3. Manual testing, evidenced
Ask what proportion of the engagement is hands-on-keyboard versus tooling, and ask to see a sanitised sample report before you sign.
4. Board-ready reporting
An executive summary in business language plus technical detail with severity ratings, evidence and a prioritised remediation plan.
5. Retest included
The engagement should end with verified fixes, not a PDF. Confirm a remediation retest is in the price.
6. Australian-based team
Your testers gain privileged knowledge of your weaknesses. Know where they sit, who employs them, and which legal system governs the engagement and your data.
7. A path beyond the test
Findings need fixing. A provider who can also remediate, monitor and re-validate turns a report into a security uplift instead of a filing exercise.
Frequently asked questions
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is an automated check that lists known weaknesses such as missing patches and misconfigurations. A penetration test is a manual engagement in which a qualified specialist actively exploits weaknesses and chains them together to show what an attacker could really achieve. Scans find known issues cheaply and often; pen tests prove real-world impact.
What is the difference between penetration testing and red teaming?
Penetration testing aims to find as many exploitable weaknesses as possible within an agreed scope, and your teams usually know it is happening. Red teaming is a covert, objective-driven simulation of a real adversary that also tests your people, processes and detection capability — deeper, longer and significantly more expensive.
How much does penetration testing cost in Australia?
In 2026, most Australian penetration tests fall between $5,000 and $40,000 AUD depending on scope. A single web application test typically costs $5,000–$20,000, external network testing $6,000–$15,000, and internal testing $10,000–$30,000. Red team engagements generally start around $40,000 and can exceed $100,000.
How often should a business do penetration testing?
At least annually, and after significant change: a new customer-facing application, a cloud migration, a merger or a major network redesign. Vulnerability scanning should run continuously in between. APRA-regulated entities need a systematic testing program under CPS 234, and many insurers and enterprise customers now require evidence of annual testing.
What are red, blue and purple teams?
The red team plays offence, simulating attackers to expose weaknesses. The blue team plays defence — monitoring, detecting and responding; most Australian SMBs deliver this through a managed detection and response (MDR) service. Purple teaming is the two working together transparently so every attack technique immediately becomes better detection.
Is penetration testing mandatory in Australia?
No single law mandates it for every business, but it is effectively required in many situations: APRA CPS 234 requires systematic control testing, ISO 27001 expects technical testing, PCI DSS mandates it for card environments, and insurers and enterprise procurement teams increasingly demand recent reports before signing.
Does the retirement of the Essential Eight change testing requirements?
No — if anything it raises the bar. The ASD confirmed in June 2026 that the Essential Eight will be deprecated in around 12 months and retired within about 24, replaced by an outcomes-based Essentials series, with existing controls carrying over. Outcome-based guidance makes independent testing the primary way to prove your security actually works.
What should a penetration test report include?
An executive summary in business language, scope and methodology, findings rated by severity with evidence and reproduction steps, a prioritised remediation plan, and strategic recommendations. A reputable provider will walk your team through the findings and include a retest to verify the fixes worked.
Not sure which test your business needs first?
Stanfield IT’s Australian-based security team delivers vulnerability management, penetration testing, attack simulation and 24/7 managed detection and response — and we will tell you honestly if the cheaper option is the right one for your maturity. Start with a conversation, not a quote.
Related reading
- Cyber Security for Financial Services: A Practical Guide for Australian Firms
- 12 Cyber Security Tips for Business
- Cyber Security Consulting Services
Sources and further reading
Australian Signals Directorate — Annual Cyber Threat Report and Essential Eight guidance (cyber.gov.au) • iTnews, “ASD to retire Essential Eight cyber security framework within next two years”, 24 June 2026 (itnews.com.au) • APRA Prudential Standard CPS 234 Information Security (apra.gov.au) • OAIC, Privacy Act penalty guidance (oaic.gov.au) • Google Mandiant time-to-exploit research. Cost ranges reflect published Australian security-testing pricing surveyed July 2026 and are indicative only.