
Essential Eight Audit Evidence and Penetration Testing

Get defensible Essential Eight Maturity Model evidence from a single penetration test. CyberCTRL is aligned to the ASD Information Security Manual and the ACSC Essential Eight Maturity Model. Reports include Maturity Level commentary on every covered mitigation and are accepted by auditors, insurers and procurement teams across Australia.

From $1,550 ex GST per engagement. Report delivered within a day, not weeks. Suitable for APRA CPS 234, the NSW Cyber Security Policy, ISO 27001, SOC 2, and cyber-insurance renewals.

What we cover (and what we do not)

A penetration test gives you direct technical evidence for four of the eight ASD mitigations and structured observations for the rest. We are upfront about which is which so your auditor can take the report at face value.

Patch applications
Detected via nuclei and nikto vulnerability scanning across every discovered HTTP service.
Patch operating systems
Detected via nmap service banners, OS fingerprinting and CVE matching against running daemons.
Multi-factor authentication
The Grey Box test reviews the MFA enrolment, login and session-management flows.
User application hardening
Security headers, TLS configuration, exposed admin panels and dangerous default settings.
Restrict admin privileges (OBS)
Reported as an observation. Full coverage requires an AD/IDP audit beyond a pen test.
Configure MS Office macros (OBS)
Out of scope for external/web testing. The report includes recommended next steps.
Application control (OBS)
Endpoint control is out of scope for external/web testing.
Regular backups (OBS)
Operational control. The report includes recommended evidence to collect.

OBS = reported as observation with recommended evidence-collection next steps. Full Maturity Level assessment requires evidence beyond a single pen test (policy, deployed tooling, backup procedures).

How it works

STEP 01: Choose the right test

External Penetration Test ($1,550) covers the perimeter mitigations. Add Grey Box Standard ($1,550) or Plus ($2,090) if your organisation runs an authenticated web application and you want MFA-flow evidence too. The bundle saves 25 percent.

STEP 02: Configure scope

Provide your primary domain, primary website, and up to 10 internet-facing IP addresses. For Grey Box, add the test application URL and your credentials (form, TOTP, or pre-captured session).

STEP 03: Scan and analyse

The pipeline runs nmap, nuclei, testssl.sh, sslyze, nikto, whatweb, wafw00f, subfinder and dnsrecon in three phases. Findings are cross-validated by two AI models and mapped to the Essential Eight mitigations they evidence.

STEP 04: Hand the report to your auditor

Within a day you have a PDF that explicitly references the ASD ISM, ACSC Essential Eight, and OWASP WSTG. Methodology section, scope, severity-rated findings, and Maturity Level commentary - structured for direct citation.

What is in the report

A PDF report structured around the Essential Eight - cover page, executive summary, methodology (ASD ISM + OWASP WSTG), scope, severity-rated findings with CVSS scores and reference URLs to ASD/ACSC/OWASP guidance, Essential Eight mapping table, and a glossary that defines ACSC, ASD, ISM, E8 and WSTG for non-technical readers.


Who uses Essential Eight evidence

APRA-regulated entities
CPS 234 requires regular testing of information security controls. The CyberCTRL report is defensible evidence at audit time.
NSW Government suppliers
NSW Cyber Security Policy and the NSW Procurement supplier security questionnaire reference the Essential Eight directly.
SMEs uplifting maturity
Run an annual external + grey box to measure progress against the Maturity Model. Evidence the journey to Level Two and Level Three.
Insurance renewals
Cyber-insurance underwriters increasingly ask for E8 evidence and recent penetration test reports. The CyberCTRL report covers both.
Enterprise procurement
When a larger customer asks "have you had a pen test", hand them the CyberCTRL PDF. Avoids the supplier-questionnaire spiral.
ISO 27001 / SOC 2 auditors
Satisfies A.12.6.1 / CC7.1 technical vulnerability management evidence with a single defensible document.

From $1,550 ex GST

External Penetration Test from $1,550. Grey Box Standard $1,550. Grey Box Plus $2,090. External + Grey Box bundle saves 25 percent.

Frequently asked questions

What is the Essential Eight?

The Essential Eight is a set of eight prioritised mitigation strategies published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). They are: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening, and regular backups. Maturity is measured on a scale from Maturity Level Zero through Maturity Level Three. The Essential Eight is the most widely referenced cyber security baseline in Australian government and SME procurement.

How does a penetration test produce Essential Eight evidence?

A penetration test directly evidences four of the eight mitigations: Patch Applications (detected by vulnerability scanning), Patch Operating Systems (detected by version banner grabbing and CVE matching), User Application Hardening (detected by misconfiguration checks and exposed admin panels), and Multi-Factor Authentication (detected by authentication-flow review during grey box testing). For the other four (application control, macros, admin privileges, backups), the report calls out related observations and recommended next steps. The whole document is structured so an auditor or risk officer can cite it as Maturity Level evidence.

Will the report give us a Maturity Level rating?

The report includes Maturity Level commentary for each Essential Eight mitigation it covers - what we observed in the environment and what would be required to move to the next level. A formal organisation-wide Maturity Level assessment requires evidence beyond a single penetration test (policies, deployed tooling, backup procedures), so we present the technical findings in the Essential Eight structure rather than awarding a final number. Many customers use the CyberCTRL report alongside a self-assessment to produce a defensible Maturity Level claim.

Is this suitable for APRA, NSW government or insurance use?

Yes. Reports are written to be defensible evidence for APRA CPS 234, the NSW Cyber Security Policy, NSW Government supplier security questionnaires, ISO 27001, SOC 2, and most Australian cyber-insurance renewals. The methodology section names the ASD ISM and the OWASP Web Security Testing Guide explicitly so reviewers can verify alignment quickly.

Which test should I buy for Essential Eight evidence?

Start with the External Penetration Test ($1,550 ex GST). It covers Patch Applications, Patch Operating Systems and User Application Hardening on your internet-facing perimeter. If your organisation also runs a web application that requires authentication (a SaaS product, an e-commerce platform, a portal), add the Grey Box test (Standard $1,550 or Plus $2,090) for MFA evidence and authenticated User Application Hardening. The External + Grey Box bundle saves 25 percent.

How current is the Essential Eight guidance you align to?

The CyberCTRL methodology references the current ACSC Essential Eight Maturity Model and the current ASD Information Security Manual (ISM). Our scan templates and rulesets are kept current with the published guidance and with CVE data refreshed continuously. The PDF report names the methodology version used so an auditor can verify alignment at the time of the engagement.

Defensible Essential Eight evidence by tomorrow.

Buy a test now. PDF in your dashboard within a day.