Perspective · 2026-06-18 · 6 min read

The real reason your pen-tester didn’t find anything wrong

A clean penetration test report often proves the scope was wrong, not the business safe. With AU tests running $5k-$40k and the average breach now AUD $4.26M, here’s what to ask before you trust the result.

A penetration test with no critical findings often says more about the scope than the safety of the business:

  • A pen test is a fixed-scope, time-boxed attempt against a defined list of assets — a clean report can simply mean the wrong things were tested
  • Australian tests run roughly $5,000–$40,000, and the average breach now costs around AUD $4.26M, so the result is worth interrogating
  • Before trusting a clean report, ask what was in scope — which assets, which techniques, how much time — not just what was found

A test that finds nothing is only reassuring if the scope was right. Most of the value is in the brief, not the verdict.

A friend who runs an engineering consultancy in Brisbane forwarded me a penetration testing report last month. Forty-seven pages. The executive summary said no critical or high-severity findings. The detailed section listed three medium issues and seven informational items. He paid eleven thousand dollars for it, and he sent it to me with one line: "is this any good?"

The honest answer is "I don't know, and neither do you."

What the report actually tells you

A penetration test buys you a fixed-scope, time-boxed attempt by one or two specific people to find vulnerabilities in a specific list of assets, using a specific set of techniques agreed in advance. The shape of the report depends on who showed up, what they were paid to look at, how many hours they billed, and what they happened to notice in those hours.

The report does not tell you that your environment is secure. It tells you what the tester found in the time they had, looking at the things they were pointed at.

A clean report can mean three different things. It can mean a competent tester gave it serious attention and found a genuinely well-defended environment. It can mean a busy tester spent most of the engagement on another client's work and ran scripted tooling against your IP ranges as a checkbox. Or it can mean the scope was so narrow that the actual attack surface, the thing an attacker would target, was excluded from the engagement.

Scope is the biggest lever, by a long way

In 2026, penetration testing in Australia ranges from about AUD 5,000 for a narrow web-application test up to AUD 40,000 or more for a broad multi-environment engagement (Cyberpulse, "Penetration Testing Cost Australia 2026"). The single biggest cost factor is scope: the number of applications, APIs, hosts and environments included. The single biggest value factor is also scope.

The scoping conversation is the test. The test itself is largely the execution of decisions made before anyone touched a keyboard.

If the scope is "the public website and the corporate VPN" and the real risk is "an employee opens a phishing email and the attacker pivots through the cloud SaaS stack to the bookkeeping system," then the test never looked at the real risk. That is not the tester's failure. The scoping conversation failed.

Three questions to ask before you read the next report

Ask what was actually tested. Read the scope, then compare it to the real attack surface of the business. The mismatch is usually visible in the first paragraph once you know what you are looking at.

Ask how many hours the tester actually billed against this engagement. Not the contracted hours. The real ones. If a 10,000-host environment got 40 hours of attention, the report is "we ran nmap and a vulnerability scanner against you." If the same environment got 200 hours including a manual web-application review, the report is something substantially deeper.

Ask whether the test included social engineering, phishing, physical access, or supply-chain components. Most do not. Most stop at the network and application layers, because those are what testers can do consistently. But the actual compromise paths for most Australian small businesses run through email, through trusted suppliers, and through poorly-configured cloud services. Those paths are usually out of scope.

My friend's report

His report turned out to be honest work on a narrow scope. The contract excluded social engineering, excluded phishing, excluded everything in his Microsoft 365 tenant beyond a single SharePoint site, and stopped at the firewall on the office network. The tester found three medium issues in the things he was paid to look at. He found nothing high because nothing high lived in the things he was paid to look at. Whether anything high lived in the things he was not paid to look at remains unmeasured.

Set that against the number everyone quotes. The average cost of a data breach for Australian organisations is now AUD $4.26 million (IBM Cost of a Data Breach Report 2025). The gap between the cost of a test and the cost of an incident makes pen testing look like easy maths. The maths only works if the test looks at where the incident would actually come from. Otherwise you are paying for a report that proves the parts of the business that were never going to be breached are still not going to be breached.

When pen-testing actually pays back

Penetration testing works best when the buyer already knows what they are defending, knows their attack surface, and is using the test to verify existing controls. It works worst when the buyer has a vague sense that "we should probably get tested" and is hoping the report will tell them what to worry about.

The first buyer pays $11k and gets verification. The second pays $11k, gets the narrow-scope report I described above, and is then often told they need a $40k follow-up to look at the next surface.

For most small businesses, the work that actually reduces real risk sits upstream of penetration testing. Email authentication. Two-factor. Backups you have tested. An incident plan. Basic hygiene on the DNS and HTTPS layer, the kind of thing the Australian Cyber Security Centre keeps putting at the top of its small-business guidance (ACSC Small Business Cyber Security Guide, 2025). It is also the kind of thing we measure when we scan a domain from the outside, and the kind of thing a pen-test will not find, because the tester knows it is not their job. They were hired to find what is broken, not to tell you what you never built.
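One way to check the email-authentication item on that upstream list, as an added example that is not the article's or any scanner's own code: it grades SPF and DMARC TXT records the way an outside-in hygiene scan would, using constructed record strings for an assumed domain so it runs offline.

```python
# Added example: grade constructed SPF/DMARC records offline. Swap the SAMPLES
# strings for real TXT lookups (domain and _dmarc.domain) to use it live.
import re

# Mechanisms/modifiers that cost a DNS lookup; SPF permerrors past 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=$|[:/=])")

def grade_spf(txt: str) -> tuple[str, list[str]]:
    """Return (verdict, notes) for one SPF record: missing/fail/weak/ok."""
    notes = []
    if not txt.startswith("v=spf1"):
        return "missing", ["no v=spf1 record"]
    terms = txt.split()[1:]
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        notes.append(f"{lookups} lookup terms (limit is 10, record will permerror)")
    if "+all" in terms or "all" in terms:          # bare 'all' means '+all'
        return "fail", notes + ["+all lets any host send as this domain"]
    if "~all" in terms:
        return "weak", notes + ["softfail only; spoofed mail is still delivered"]
    if "-all" not in terms:
        return "weak", notes + ["no 'all' term; unlisted senders are neutral"]
    return "ok", notes

def grade_dmarc(txt: str) -> tuple[str, list[str]]:
    """Return (verdict, notes) for one DMARC record (_dmarc.<domain>)."""
    if not txt.startswith("v=DMARC1"):
        return "missing", ["no v=DMARC1 record"]
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    notes = []
    policy = tags.get("p", "none")
    if policy == "none":
        notes.append("p=none monitors only; spoofed mail is not rejected")
    if tags.get("pct", "100") != "100":
        notes.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        notes.append("no rua address; nobody receives aggregate reports")
    verdict = "ok" if policy in ("quarantine", "reject") and not notes else "weak"
    return verdict, notes

# Constructed sample records for an assumed domain (example.com).
SAMPLES = {
    "spf": "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for kind, rec in SAMPLES.items():
        print(kind, *(grade_spf if kind == "spf" else grade_dmarc)(rec))
```

Both sample records come back "weak", which is the typical state of a small-business domain that has been set up but never hardened.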

Do that upstream work, and a properly-scoped penetration test is the sensible next step. Skip it, and the test produces a report that is technically accurate, contractually compliant, and deeply unhelpful. The pen-tester did not fail. The decision to commission a test before the upstream work was done, that is what failed.

My friend forwarded the report to his board with my note attached. They accepted it. Then they asked him what the upstream work looked like. Which is the right question.

Common questions

Does a clean penetration test mean my business is secure? No. A clean report means the tester found no high-severity issues inside the agreed scope, in the hours they billed. It says nothing about the attack surface that was excluded, which for most small businesses is where the real risk lives: email, staff, suppliers, and cloud configuration.

How much should a small business pay for a penetration test in Australia? Expect roughly AUD 5,000 for a narrow web-application test up to AUD 40,000 or more for a broad multi-environment engagement (Cyberpulse, "Penetration Testing Cost Australia 2026"). Scope drives the price far more than the provider's hourly rate, so define what you actually need tested before you ask for a quote.

What should I do before commissioning a pen-test? Get the upstream basics in place first: email authentication, multi-factor sign-in, tested backups, an incident plan, and clean DNS and HTTPS configuration. The ACSC's small-business guidance covers most of it, and a pen-test run before that work is done mostly just confirms gaps you could have closed yourself.

#perspective #australian-business #small-business