
External Penetration Testing in Australia

From $1,550 ex GST. A professional external pen test of your internet-facing infrastructure - all 65,535 TCP and UDP ports scanned, SSL/TLS configuration reviewed, subdomains enumerated, web vulnerabilities probed, findings cross-validated by two AI models. Your PDF report is delivered within a day, not 4 weeks.

Aligned to the ASD ISM and OWASP Web Security Testing Guide. Suitable as Essential Eight audit evidence and for APRA CPS 234, ISO 27001 and SOC 2 control assurance. Australian-owned and operated, hosted in AWS Sydney.

What is included

  • Full TCP and UDP port scan
    All 65,535 ports scanned with nmap across up to 10 external IPs. No top-1000 shortcuts - we find the forgotten admin panel on port 8443 that the last scanner missed.
  • SSL/TLS configuration review
    testssl.sh and sslyze probe every TLS endpoint for weak ciphers, expired certificates, missing OCSP stapling, protocol downgrades, and known issues (Heartbleed, ROBOT, Logjam, BEAST).
  • DNS security and subdomain enumeration
    dnsrecon and subfinder map your DNS footprint and discover subdomains you may have forgotten about - stage, dev, old.acme.com.au - then add them to the scan scope.
  • WAF detection and technology fingerprinting
    wafw00f identifies which WAF (if any) sits in front of your web stack. whatweb fingerprints CMS, frameworks, server software, and third-party scripts so the report tells you exactly what is running on the perimeter.
  • Web vulnerability scanning
    nuclei runs thousands of community-maintained templates for current CVEs and misconfigurations. nikto adds web-server-specific checks. Both are kept current and run on every discovered HTTP service.
  • HTTP header analysis and service banner grabbing
    Security headers (HSTS, CSP, X-Frame-Options, Permissions-Policy) audited on every web endpoint. Service banners pulled from open ports to identify outdated daemons.
  • AI cross-validated findings
    Raw tool output is analysed by two independent AI models (Qwen Plus and DeepSeek), and the findings are deduplicated and merged. False positives drop, prioritisation improves, and every finding gets a written recommendation and a reference URL.
  • Defensible PDF report
    Cover page, executive summary, methodology, scope, severity-rated findings with CVSS scores, open-ports table, glossary. Aligned to ASD ISM and OWASP. Accepted by auditors, insurers, and enterprise procurement.

How it works

  1. STEP 01

    Buy and configure

    Register an account, complete TOTP MFA enrolment, pay via Stripe (Visa, Mastercard, Amex). Configure your scope: primary domain, primary website, and up to 10 external IP addresses with optional descriptions.

  2. STEP 02

    Scan runs in the background

    Click Start. The pipeline runs in three phases - DNS reconnaissance, then eight checks in parallel (nmap, testssl.sh, sslyze, nuclei, nikto, whatweb, wafw00f, and the HTTP security-header audit), then service banner grabbing. Close your browser if you like.

  3. STEP 03

    AI cross-validation

    Once the raw scan finishes, two independent AI models analyse the output. Findings are merged, deduplicated, severity-rated using CVSS v3.1, and written up with plain-English recommendations and a reference URL.

  4. STEP 04

    Report delivered, retest any time

    PDF report appears in your dashboard within a day of starting. Download as many times as you like. Fix the issues, then run the scan again (up to 5 runs over 2 weeks) for evidence of closure.

What you receive

A professional PDF report you can hand directly to your auditor, cyber insurer, or enterprise customer's procurement team. Every finding has a CVSS v3.1 severity rating, plain-English impact statement, a remediation recommendation written in 2 to 3 sentences, and a reference URL to OWASP, the ASD ISM, ACSC guidance, or vendor documentation.

Cover page with logo, scope and date
Executive summary written for non-technical readers
Methodology section (ASD ISM + OWASP)
Severity-rated findings with CVSS scores
Open-ports discovery table
Glossary of terms (E8, ASD, ACSC, ISM, WSTG)
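The open-ports table in the report is built from the full-port nmap scan described under "What is included". As an added example (not CyberCTRL's code), the following parses nmap's grepable output (-oG) into that table and separates confirmed-open ports from UDP ports nmap could only mark open|filtered, which is the caveat a reader of a full 65,535-port UDP scan needs: no response to a UDP probe is not evidence of an exposed service until a version probe confirms it. The scan lines are constructed, the addresses are documentation ranges, and the service versions are illustrative.

```python
"""Parse nmap -oG (grepable) output into an open-ports table.
Added example, not CyberCTRL's code. The scan output below is constructed."""
from __future__ import annotations

# Constructed output, as produced by e.g. `nmap -sS -sU -p- -sV -oG perimeter.gnmap <targets>`.
# Field order inside each port entry: port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sS -sU -p- -sV -oG perimeter.gnmap 203.0.113.10 203.0.113.11
Host: 203.0.113.10 (mail.example.com.au)\tStatus: Up
Host: 203.0.113.10 (mail.example.com.au)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6/, 25/open/tcp//smtp//Postfix smtpd/, 443/open/tcp//https//nginx 1.18.0/, 8443/open/tcp//https-alt///\tIgnored State: closed (65531)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 53/open/udp//domain//ISC BIND 9.18.18/, 123/open|filtered/udp//ntp///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65532)
# Nmap done at Mon Jan  1 10:42:13 2024 -- 2 IP addresses (2 hosts up) scanned in 6133.10 seconds
"""


def parse_gnmap(text: str) -> list[dict]:
    """Return one row per port entry on every 'Host:' line that carries a 'Ports:' section."""
    rows: list[dict] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        sections = line.split("\t")
        ip, _, rest = sections[0][len("Host: "):].partition(" ")
        hostname = rest.strip("() ")  # "()" when nmap has no reverse DNS
        ports_section = next((s for s in sections if s.startswith("Ports:")), None)
        if ports_section is None:
            continue  # Status-only line for the host
        for entry in ports_section[len("Ports: "):].split(", "):
            fields = entry.split("/")  # nmap replaces '/' inside version strings with '|'
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            rows.append({"ip": ip, "host": hostname, "port": int(port), "proto": proto,
                         "state": state, "service": service, "version": version})
    return rows


def open_ports_table(rows: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split rows into confirmed-open ports and UDP open|filtered ports.
    open|filtered means the probe got no reply; report it as 'unconfirmed', not as exposure,
    until a version/application probe gets a response."""
    confirmed = [r for r in rows if r["state"] == "open"]
    unconfirmed = [r for r in rows if r["state"] == "open|filtered"]
    return confirmed, unconfirmed


def format_table(confirmed: list[dict]) -> str:
    """Render the open-ports table, sorted by IP, protocol and port."""
    lines = [f"{'IP':<15} {'Port':>6} {'Proto':<5} {'Service':<12} Version"]
    for r in sorted(confirmed, key=lambda r: (r["ip"], r["proto"], r["port"])):
        lines.append(f"{r['ip']:<15} {r['port']:>6} {r['proto']:<5} {r['service']:<12} {r['version']}")
    return "\n".join(lines)


if __name__ == "__main__":
    confirmed, unconfirmed = open_ports_table(parse_gnmap(SAMPLE_GNMAP))
    print(format_table(confirmed))
    for r in unconfirmed:
        print(f"unconfirmed: {r['ip']} {r['port']}/{r['proto']} ({r['service']}) - needs a version probe")
```

Note that the filtered TCP port (3389 in the sample) never reaches the table: a filtered port is a firewall decision, not a listening service, and listing it as exposure is one of the commonest false positives in automated perimeter reports.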

Methodology and compliance

Every CyberCTRL external test follows a methodology aligned to the Australian Signals Directorate Information Security Manual (ASD ISM) and the OWASP Web Security Testing Guide. Reports are written to be defensible evidence for the audits and frameworks Australian businesses actually face.

Essential Eight
Findings mapped to relevant E8 mitigations; supports Maturity Level evidence.
APRA CPS 234
Demonstrates regular testing of information security controls.
ISO 27001 / SOC 2
Satisfies technical vulnerability management: ISO 27001 control A.12.6.1 (2013 edition; A.8.8 in the 2022 edition) and SOC 2 criterion CC7.1.
Cyber insurance
Defensible evidence of testing for premium reductions and renewal.

One price, no surprises

$1,550
AUD ex GST per engagement
Up to 10 external IPs, up to 5 test runs over 2 weeks

Bundle with a Grey Box test and save 25 percent.

Frequently asked questions

What is an external penetration test?

An external penetration test is a controlled security assessment of everything an attacker on the public internet can see and reach: your perimeter IPs, websites, mail servers, VPN gateways, exposed APIs, and any other internet-facing service. CyberCTRL performs full TCP and UDP port scanning across all 65,535 ports, then probes each open service for misconfiguration, missing patches, weak TLS, and known vulnerabilities. The output is a professional PDF report aligned to the ASD ISM and OWASP, suitable as Essential Eight audit evidence.

How is an external pen test different from a grey box test?

External testing assesses what an unauthenticated attacker on the internet can do without any credentials - perimeter posture, open ports, TLS configuration, exposed admin panels, public web vulnerabilities. Grey box testing assesses what an attacker can do once they are logged in to your web application - broken access control, IDOR, session weaknesses, authenticated injection. Most organisations need both; the bundle saves 25 percent.

How many IP addresses can I test?

Each external engagement covers up to 10 external IP addresses plus one primary domain and one website. That is typically enough for an SME perimeter (web, mail, VPN, file transfer, remote access). If you need more, contact us before purchase or use multiple engagements.

Is a retest included if I fix issues?

Yes. Each engagement includes up to 5 test runs within a two-week window. Run the first scan, remediate the findings, re-scan to verify the fixes, and you have evidence of the closure for your auditor or insurer. IP addresses can be updated between runs.

What does the report look like?

A professional PDF with cover page, executive summary, methodology, scope, severity-rated findings (each with description, impact, recommendation, CVSS score, and a reference URL to OWASP / ASD / vendor docs), an open-ports table, and a glossary. Reports are accepted by auditors, cyber insurers, and enterprise procurement teams as evidence of testing for Essential Eight, APRA CPS 234, ISO 27001 and SOC 2.

How quickly do I receive the report?

The active scan typically runs 60 minutes to 2 hours. AI cross-validation and report generation follow. Your finished PDF is delivered within a day of starting the scan, not weeks. No quote cycle, no scheduling delays.

See your perimeter the way an attacker does.

Buy the test now. Report in your inbox within a day.