The dark art of penetration testing. A guide for Australian organisations.
Penetration testing shows how attackers would actually exploit your environment. Learn what it uncovers and why it matters for reducing real cyber risk.

So, you think you're cyber-safe? Ask yourself: If a real attacker tried, could they get into your environment - and how far would they get before you noticed? That’s where the art of penetration testing comes in.
So, what is penetration testing? Penetration testing (or “pen testing”) is an authorised simulation of real‑world cyber-attacks designed to identify whether your systems, applications, and controls can be compromised - and what damage an attacker could actually do if they got in.
The objective? To actively attempt to exploit weaknesses to demonstrate real risk and business impact.

Why commit to penetration testing?
Penetration testing by a trusted third party, such as Baidam, is frequently used to satisfy formal assurance obligations. It helps to plug all the potential and existing gaps that delight cybercriminals.
Software penetration testing is a subset of this and is included in pen testing engagements.
Traditionally, our penetration testing engagements utilise a combination of Vulnerability Assessment (VA) and Penetration Testing (PT) methodologies, rather than treating them as separate or mutually exclusive activities.
A word of caution, though: A penetration test can - and often does - uncover unexpected holes in your cybersecurity defences.
Who does pen testing and how?
Penetration testing is commonly used as part of the professional and offensive security services delivered by specialist consultants.
You can think of penetration testers as ethical (white-hat) hackers. They use the same methods, tools, and thinking as real attackers, but they operate legally, transparently, and, obviously, with your permission. While they use the same techniques and are trained to think like malicious hackers, ethical hackers (thankfully) have a completely different purpose.
It’s their job to test your systems following defined scopes and rules of engagement, document everything they do, and prepare formal reports on their findings so any identified vulnerabilities can be fixed.
We typically conduct penetration testing remotely or on-site, using a combination of manual and automated testing.
Is it confidential? Yes. Baidam enters into formal confidentiality arrangements when providing penetration testing services for Australian government and regulated enterprises.
What does a pen test cover?
Penetration testing in Australia is usually aligned with accepted industry standards and governance requirements.
Most penetration testing services cover a wide range of potential vulnerabilities and include standard lists such as the OWASP Top 10 (as a baseline for web application risks) and the CWE/SANS Top 25 (for common, high-impact software weaknesses). However, most Australian pen testing services - ours included - will extend testing beyond these lists to reflect real-world attacker behaviour.
So, what gets tested?
Baidam’s cybersecurity experts will challenge your existing security controls (and their own skills and knowledge) to discover hidden weaknesses and exploit vulnerabilities in your:
Cloud infrastructure
Web applications
Networks
Mobile applications
Systems
APIs
Code
Containers
IoT environments
Devices
Identity and access management controls

Can you get away with just doing software penetration testing?
Nope, nada, and no. Software penetration testing is a subset of penetration testing, not a replacement for it.
So, what is penetration testing in software testing?
Penetration testing assesses how an attacker could compromise your organisation’s overall environment, whereas software penetration testing focuses specifically on exploiting weaknesses in applications, APIs, and code. If you only request software penetration testing, you’re only doing half a job.
The moment of truth: Pass or fail?
If you’re anxious about what you may discover, don’t be – that’s its purpose. Penetration testing doesn’t deliver a pass-or-fail result – it's designed to expose real risk.
Most businesses and organisations do not “pass” penetration testing in the sense of having no findings. Industry reviews show that most organisations tested have exploitable weaknesses – especially those that test infrequently. For those enterprises that conduct pen testing as a regular cybersecurity exercise, the objective is to fail less severely over time and reduce the number of critical findings.
What does pen testing typically expose, though?
Broken authentication and identity weaknesses, including MFA gaps (especially for privileged or legacy access), weak or reused credentials, insecure service accounts and improper session handling.
Access control and privilege issues, like over‑privileged users or applications, the ability to access functions or data beyond intended permissions, and lateral movement opportunities once initial access is achieved.
Web application vulnerabilities, usually injection flaws (SQL, command, or template injection), Cross‑Site Scripting (XSS), insecure file handling or uploads, parameter manipulation, and forceful browsing.
Security misconfigurations (these are common across the Australian enterprise and government sectors alike!), including insecure cloud or SaaS configurations, exposed management interfaces, excessive API permissions, and default or hard‑coded credentials.
Chained and low‑severity issues with high impact, consisting of multiple medium or low-level issues, which, when combined, can lead to compromise or sensitive data access.
Lack of effective detection or control enforcement, which, while not always classified as a single vulnerability, includes activities that should trigger alerts but don’t, gaps between assumed and actual control effectiveness, and over‑trust in tools without validation.
Penetration testing and cybersecurity – better together
Pen testing is key to ensuring that your cybersecurity compliance programme and processes meet local and international standards such as PCI DSS.
Your initial pen testing report from Baidam will provide actionable recommendations (triaged by importance) to improve your cyber posture, and our regular assessments will build further resilience.
Pen testing will equip you to:
Get a head start: Take a proactive approach to hardening your digital assets against malicious attacks.
Check and double-check: Validate your security measures and processes against industry best practices.
Slash time wasting: Dramatically reduce the time and costs to manage false positives from automated scans.
Go live with confidence: Independently verify your systems and configurations before they go live.
Prove your point: Provide proof of exploits to stakeholders and management, including which assets can be compromised by an attack.
Get management buy-in: Achieve management support and approval for further cybersecurity investment by demonstrating the ROI of your existing tools, processes, and procedures.
Security penetration testing – what have you got to lose?
Pen testing doesn’t always make us popular. The consolation is that while you may not be happy with the outcome, you should be happy that you know what gaps, holes, omissions, vulnerabilities, and misconfigurations you need to resolve.
As well as the immediate benefits of remediating identified issues, you’ll address some of your larger goals:
Third-party verification: You’ll have an independent assessment of your current security posture and position, and an established baseline for improvement.
Reduced risk: You’ll be less exposed to potential fines and regulatory consequences of a breach.
A solid reputation: You’ll safeguard your brand from the consequences of a high-profile data breach, ensuring customer loyalty and trust.
Living up to expectations: You’ll be able to meet and even exceed the best practice expectations of your current and potential customers.
Align goals: With gaps identified and documented, you’ll be able to spot opportunities to better align your security and business goals.
Improvement is the name of the game
A couple of years ago, we sent one of our white-hat hackers onsite to conduct a pen testing exercise on a new client’s IT systems and infrastructure. For the CEO, the results were completely unexpected.
“He sat there for a few days and just tried to hack everything in our system,” she said. “What was worrying was that after only three or four tries, he could hack into our emails, documents and more. That's how easy it was – and we’d had no idea. I felt sick, scared, and mortified.” (There was a happy ending, though! Read more here.)
Why partner with Baidam for pen testing?
Yes, a pen test can be nerve-wracking, and the results can even be somewhat embarrassing given your investment in safeguarding your environment. But penetration testing isn’t a blame game. It’s a proactive approach that leverages highly skilled ethical hackers to identify weaknesses and strengthen your security posture.
Baidam has significant and proven experience in providing sovereign managed cybersecurity services to Australia’s enterprise and government sectors, which means we know just how important it is to plug exploitable loopholes and gaps - in complete confidence.
