Security testing spectrum showing vulnerability scanning, penetration testing and red teaming compared for Australian businesses

Pen Testing vs Red Teaming vs Vulnerability Scanning | 2026 AU Guide

Table of Contents

Cyber Security  •  2026 Australian Guide

Penetration Testing vs Red Teaming vs Vulnerability Scanning: What Your Business Actually Needs

Three very different engagements get sold under the banner of “security testing” — at prices ranging from a few hundred dollars to well over $100,000. Here is what each one actually does, what it costs in Australia, and which one to buy first.

By the Stanfield IT Security TeamUpdated July 202614 min read

The short answer: a vulnerability scan is an automated tool that lists known weaknesses, a penetration test is a skilled human proving which weaknesses an attacker could actually exploit, and a red team engagement is a covert, weeks-long simulation of a real adversary that tests your people and detection capability as well as your technology. They differ in depth, cost and purpose — and most Australian businesses need them in exactly that order.

The confusion is not academic. We regularly meet businesses that paid pen-test prices for a rebadged automated scan, and others that were sold a red team engagement when they had no monitoring in place to detect it — which is a very expensive way to learn nothing. According to the Australian Signals Directorate’s Annual Cyber Threat Report, a cybercrime is reported in Australia roughly every six minutes, and Google Mandiant’s research puts the average time between a vulnerability being disclosed and being exploited at about five days. Knowing which form of testing you need, and when, is now a core business decision rather than an IT nicety.

Key takeaways

  • Vulnerability scans find known weaknesses automatically and cheaply; they should run continuously, not once a year.
  • Penetration testing is a manual, expert-led exercise that proves real-world impact. In Australia in 2026, most engagements cost $5,000–$40,000 AUD depending on scope.
  • Red teaming is a covert adversary simulation costing $40,000–$100,000+. It only delivers value once you have detection and response capability worth testing.
  • Red team = offence, blue team = defence, purple team = the two working together. Most SMBs get their “blue team” through a managed detection and response (MDR) service.
  • The ASD announced in June 2026 that the Essential Eight will be retired within two years in favour of an outcomes-based Essentials series — which makes independent testing more important, because testing is how you prove outcomes.

What is a vulnerability scan?

In one sentence: a vulnerability scan is an automated sweep of your systems that compares what you are running against databases of known weaknesses — missing patches, outdated software, weak configurations and exposed services — and produces a ranked list of findings.

Scanning is the smoke detector of security testing: inexpensive, automated and designed to run constantly. A scanner will tell you that a server is missing a critical patch or that a firewall port is open to the internet, and it will tell you within hours of the problem appearing. What it cannot do is think. It will not chain three low-severity findings into a path to your customer database, it cannot judge business context, and it produces false positives that need human review.

Because the average time from disclosure to exploitation of a new vulnerability is now measured in days rather than months, an annual scan is close to worthless. Scanning belongs in the “always on” category — continuous or at least monthly — and in a well-run environment it is bundled into your managed cyber security services rather than purchased as a one-off event.

Watch out for: providers selling an automated scan report at penetration-test prices. If the engagement took a day, nobody spoke to your team about scope, and the “report” is raw scanner output with a new cover page, you bought a scan — whatever the invoice says.

What is penetration testing?

In one sentence: a penetration test (pen test) is a manual, authorised exercise in which a qualified security specialist actively attempts to exploit weaknesses in an agreed scope — chaining findings together the way a real attacker would — to demonstrate what could actually be compromised.

Where a scanner reports “this door lock is an old model”, a penetration tester picks the lock, walks inside, and shows you exactly which filing cabinets they could open. That difference — demonstrated impact versus theoretical weakness — is what boards, auditors, insurers and enterprise customers are asking for when they request a “pen test report”. Good testing follows recognised methodologies such as OWASP and MITRE ATT&CK, and in Australia the strongest signal of quality is a provider whose testers hold CREST certification.

Common types of penetration test include:

  • External network testing — your internet-facing systems: firewalls, VPNs, mail gateways and anything an attacker can reach without credentials.
  • Internal network testing — what an attacker (or malicious insider) could do after getting a foothold: privilege escalation, lateral movement and access to sensitive data.
  • Web application and API testing — customer portals, booking systems and SaaS platforms, including logic flaws no scanner can find.
  • Cloud and Microsoft 365 configuration testing — identity, permissions and tenant hardening in the environments where most Australian SMBs now actually live.
  • Social engineering — controlled phishing and pretexting exercises that test your people alongside your technology.

A pen test is typically a one-to-two-week engagement against a defined scope, your IT team usually knows it is happening, and the goal is breadth: find and verify as many exploitable issues as possible, then hand you a prioritised plan to fix them. The deliverable that matters is not the moment of compromise — it is the report, the debrief and the retest that confirms your fixes worked.

What is red teaming?

In one sentence: red teaming is a covert, objective-driven simulation of a real adversary — conducted over weeks, without warning your defenders — designed to test whether your organisation can detect and respond to a sophisticated attack, not just whether individual systems have flaws.

A red team is given a mission, not a checklist: “access the payroll system”, “exfiltrate the client database”, “take control of the domain”. Only a small trusted group inside your business knows the exercise is running. The operators move slowly and quietly, blending in with normal activity, using phishing, stolen credentials, physical intrusion or whatever a genuine attacker would use. Success is measured on two sides at once: what the red team achieved, and what your defenders noticed while it was happening.

That second half is the point — and it is why buying a red team engagement too early is the most common and expensive mistake in security testing. If you have no 24/7 monitoring, no endpoint detection, and no incident response plan, a red team will succeed in week one, your organisation will detect nothing, and you will have paid $40,000 or more to confirm what a $10,000 penetration test would have told you with far more actionable detail. Red teaming is the final exam. Sit it after you have done the coursework: baseline controls in place, penetration test findings remediated, and a detection capability — in-house or through a managed detection and response partner — genuinely worth examining.

Vulnerability scanning vs penetration testing vs red teaming: side by side

The three engagements sit on a spectrum. As you move from left to right, breadth gives way to depth, automation gives way to human expertise, and the question being answered changes from “what is weak?” to “what can be exploited?” to “would we even notice?”

The security testing spectrum

Step 1

Vulnerability scan

Automated • continuous

“What is weak?”

Step 2

Penetration test

Human-led • scoped • 1–2 weeks • annual

“What can be exploited?”

Step 3

Red team

Covert • objective-driven • 4–12 weeks • tests people, process and detection

“Would we even notice?”

Depth, realism, human effort and cost all increase →

Vulnerability scan

Question answered

What known weaknesses exist?

Performed by

Automated tools

Your team’s awareness

Fully aware

Duration

Hours, run continuously

Typical cost (AUD)

Low — often included in managed services

Frequency

Continuous or monthly

Best suited to

Every business, as baseline hygiene

Penetration test

Question answered

What could an attacker exploit, and what is the impact?

Performed by

Certified specialists (CREST in Australia)

Your team’s awareness

Usually aware

Duration

Days to two weeks

Typical cost (AUD)

$5,000–$40,000 per engagement

Frequency

Annual, plus after major change

Best suited to

Any business holding sensitive data or facing compliance, insurance or customer requirements

Red team

Question answered

Can we detect and respond to a real adversary?

Performed by

Senior offensive-security operators

Your team’s awareness

Covert — defenders are not told

Duration

Four to twelve weeks

Typical cost (AUD)

$40,000–$100,000+

Frequency

Every 1–2 years, once mature

Best suited to

Organisations with monitoring and response capability in place

Red team vs blue team vs purple team: who does what?

Security testing borrows its colour scheme from military exercises, and the jargon trips up a lot of buyers. It is simpler than it sounds:

  • The red team plays offence. Ethical hackers who think and act like attackers — penetration testers and red team operators both sit on this side.
  • The blue team plays defence. The people watching logs and alerts, hunting threats, and responding to incidents. Very few Australian businesses under 200 staff can justify an in-house 24/7 blue team — which is why most consume this capability as a managed detection and response (MDR) service.
  • Purple teaming is the two working together. Not a third department — a way of running exercises. The red team executes a technique, the blue team says what they saw (or did not see), detection is tuned on the spot, and the technique is run again. Attack knowledge converts directly into defensive improvement, in hours instead of months.

Red, blue and purple explained

RED TEAM

Offence: attack & expose

Pen testers • red team operators

BLUE TEAM

Defence: detect & respond

SOC analysts • MDR service

attack techniques ⇄ detection feedback

PURPLE TEAMING

Offence and defence in the same room, tuning detection live

A useful rule of thumb from the industry: red and blue are nouns, purple is a verb. You do not hire a purple team; you run purple team exercises with your testing provider and whoever handles your detection. For a mid-sized Australian business, a half-day purple exercise pairing your MDR provider with a penetration tester is often the single highest-value hour-for-hour spend in the entire security budget — every technique either validates a detection or creates one.

Which one does your business actually need?

Match the engagement to your maturity, not to the most impressive-sounding proposal. Here is the decision path we walk new clients through:

Where should you start?

Never had independent testing?

No scan history, no reports on file

→  Baseline: continuous scanning + external penetration test

Tender, insurer or client asking for evidence?

Security schedules, renewal questionnaires, due diligence

→  Scoped CREST pen test with board-ready report + retest

Regulated industry?

APRA, health, aged care, legal

→  Annual testing program + 24/7 MDR monitoring

Controls mature, MDR in place, pen test findings fixed?

Detection capability genuinely worth examining

→  Purple team exercises, then a full red team

Three mistakes to avoid, because we see them constantly:

  • Buying a red team before you can detect one. Fix the basics and build monitoring first — otherwise you are paying a premium to be told you have no locks.
  • Treating a scan as a pen test. Insurers, auditors and enterprise clients increasingly reject scanner output dressed up as testing — and so should you.
  • Testing once and filing the report. An unremediated finding is a documented liability. Budget for the fixes and the retest, not just the test.

The Australian compliance drivers (including the Essential Eight change)

No single Australian law says “thou shalt pen test”. In practice, a web of obligations and commercial pressures gets you to the same place:

  • APRA CPS 234 requires banks, insurers, superannuation funds and other regulated entities to systematically test the effectiveness of their information security controls, using appropriately skilled and functionally independent testers. If you serve APRA-regulated clients, expect those obligations to flow down the supply chain to you. Our guide to cyber security for financial services covers this in depth.
  • The Privacy Act requires reasonable steps to protect personal information, and penalties for serious or repeated breaches now reach $50 million or more. Demonstrating regular independent testing is one of the clearest ways to evidence “reasonable steps” after an incident.
  • ISO 27001 certification expects a managed program of technical vulnerability identification and testing — auditors will ask for scan records and test reports.
  • PCI DSS mandates penetration testing for any environment that stores, processes or transmits card data.
  • Cyber insurance and enterprise procurement are, for many SMBs, the real forcing functions. Renewal questionnaires and tender security schedules increasingly ask the same two questions: when was your last penetration test, and were the findings remediated?

July 2026 update: the Essential Eight is being retired — and it makes testing more important, not less

In June 2026 the Australian Signals Directorate confirmed it will begin deprecating the Essential Eight in around 12 months and retire it within about 24 months, replacing it with a broader “Essentials” series — separate, outcomes-focused guidance for enterprise IT, cloud and operational technology, with agentic AI flagged as a likely future chapter. ASD has been explicit that work already done under the Essential Eight carries over.

The strategic shift is from prescriptive checklists to security outcomes. A checklist tells you what to build; only testing tells you whether it works. As Australia’s baseline guidance becomes outcomes-based, independent validation — scanning, penetration testing and attack simulation — becomes the primary way to demonstrate those outcomes to regulators, insurers and customers.

How often should you test?

Vulnerability scanning

Recommended frequency

Continuous, or monthly at minimum

Also trigger after

Any new internet-facing system

External penetration test

Recommended frequency

Annually

Also trigger after

Network redesign, new VPN or firewall, office move

Web application / API test

Recommended frequency

Annually

Also trigger after

Major releases or new customer-facing features

Internal penetration test

Recommended frequency

Every 1–2 years, risk dependent

Also trigger after

Mergers, migrations, major identity changes

Purple team exercise

Recommended frequency

1–2 per year once MDR is in place

Also trigger after

Onboarding or changing your detection provider

Red team engagement

Recommended frequency

Every 1–2 years, mature environments only

Also trigger after

Significant investment in detection and response

What security testing costs in Australia in 2026

Most providers hide pricing behind “contact us”. Based on published Australian market pricing in 2026, here are honest indicative ranges (AUD, excluding GST). Scope is the dominant variable — the number of applications, hosts, user roles and locations — so treat these as planning figures, not quotes.

Managed vulnerability scanning

From a few hundred dollars per scan

Typical effort: automated, ongoing — often bundled with managed security

External network pen test

$6,000–$15,000

Typical effort: 2–5 days

Web application pen test

$5,000–$20,000 per application

Typical effort: 3–10 days

Internal network pen test

$10,000–$30,000

Typical effort: 5–10 days

Cloud / Microsoft 365 review

$6,000–$18,000

Typical effort: 3–8 days

Red team engagement

$40,000–$100,000+

Typical effort: 4–12 weeks

Indicative ranges, AUD excluding GST, based on published Australian market pricing surveyed July 2026.

Two pricing signals worth heeding. A quote dramatically below these ranges usually means automated scanning in disguise, offshore delivery with no accountability under Australian law, or a scope so narrow the report will not satisfy whoever asked for it. And a quote without a scoping conversation is a template, not an assessment — nobody can price testing your environment without asking questions about your environment.

How to choose a testing provider: a seven-point checklist

1. CREST certification

Australia’s recognised benchmark for penetration testing capability and ethics. Ask which certifications the actual testers hold, not just the company.

2. A real scoping process

Quality providers ask detailed questions before quoting. If the price arrives before the questions, walk away.

3. Manual testing, evidenced

Ask what proportion of the engagement is hands-on-keyboard versus tooling, and ask to see a sanitised sample report before you sign.

4. Board-ready reporting

An executive summary in business language plus technical detail with severity ratings, evidence and a prioritised remediation plan.

5. Retest included

The engagement should end with verified fixes, not a PDF. Confirm a remediation retest is in the price.

6. Australian-based team

Your testers gain privileged knowledge of your weaknesses. Know where they sit, who employs them, and which legal system governs the engagement and your data.

7. A path beyond the test

Findings need fixing. A provider who can also remediate, monitor and re-validate turns a report into a security uplift instead of a filing exercise.

Frequently asked questions

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is an automated check that lists known weaknesses such as missing patches and misconfigurations. A penetration test is a manual engagement in which a qualified specialist actively exploits weaknesses and chains them together to show what an attacker could really achieve. Scans find known issues cheaply and often; pen tests prove real-world impact.

What is the difference between penetration testing and red teaming?

Penetration testing aims to find as many exploitable weaknesses as possible within an agreed scope, and your teams usually know it is happening. Red teaming is a covert, objective-driven simulation of a real adversary that also tests your people, processes and detection capability — deeper, longer and significantly more expensive.

How much does penetration testing cost in Australia?

In 2026, most Australian penetration tests fall between $5,000 and $40,000 AUD depending on scope. A single web application test typically costs $5,000–$20,000, external network testing $6,000–$15,000, and internal testing $10,000–$30,000. Red team engagements generally start around $40,000 and can exceed $100,000.

How often should a business do penetration testing?

At least annually, and after significant change: a new customer-facing application, a cloud migration, a merger or a major network redesign. Vulnerability scanning should run continuously in between. APRA-regulated entities need a systematic testing program under CPS 234, and many insurers and enterprise customers now require evidence of annual testing.

What are red, blue and purple teams?

The red team plays offence, simulating attackers to expose weaknesses. The blue team plays defence — monitoring, detecting and responding; most Australian SMBs deliver this through a managed detection and response (MDR) service. Purple teaming is the two working together transparently so every attack technique immediately becomes better detection.

Is penetration testing mandatory in Australia?

No single law mandates it for every business, but it is effectively required in many situations: APRA CPS 234 requires systematic control testing, ISO 27001 expects technical testing, PCI DSS mandates it for card environments, and insurers and enterprise procurement teams increasingly demand recent reports before signing.

Does the retirement of the Essential Eight change testing requirements?

No — if anything it raises the bar. The ASD confirmed in June 2026 that the Essential Eight will be deprecated in around 12 months and retired within about 24, replaced by an outcomes-based Essentials series, with existing controls carrying over. Outcome-based guidance makes independent testing the primary way to prove your security actually works.

What should a penetration test report include?

An executive summary in business language, scope and methodology, findings rated by severity with evidence and reproduction steps, a prioritised remediation plan, and strategic recommendations. A reputable provider will walk your team through the findings and include a retest to verify the fixes worked.

Not sure which test your business needs first?

Stanfield IT’s Australian-based security team delivers vulnerability management, penetration testing, attack simulation and 24/7 managed detection and response — and we will tell you honestly if the cheaper option is the right one for your maturity. Start with a conversation, not a quote.

Related reading

Sources and further reading

Australian Signals Directorate — Annual Cyber Threat Report and Essential Eight guidance (cyber.gov.au)  •  iTnews, “ASD to retire Essential Eight cyber security framework within next two years”, 24 June 2026 (itnews.com.au)  •  APRA Prudential Standard CPS 234 Information Security (apra.gov.au)  •  OAIC, Privacy Act penalty guidance (oaic.gov.au)  •  Google Mandiant time-to-exploit research. Cost ranges reflect published Australian security-testing pricing surveyed July 2026 and are indicative only.

Experience better IT services

If your IT feels reactive or unclear, we’ll stabilise the essentials and align it to your business goals.

IT Services for Australian Businesses - Stanfield IT
Scroll to Top