Penetration testing is a manual, deeply invasive security assessment performed by humans who actively try to compromise your systems under a signed agreement. It costs tens of thousands of dollars, takes weeks, and is designed for organisations with regulatory obligations or a defined threat model. Red Bridge Cyber is at the opposite end of the scale: a self-service, non-invasive continuous scan of the public-facing parts of your business (Email, Speed, Domain, Visibility, Security), delivered as a live view in your account that starts populating with plain-English findings the moment you first log in, plus a weekly PDF snapshot every Monday, from $250 / month, month-to-month with no contract. For most Australian small businesses, a Red Bridge Cyber scan is the right first step. Penetration testing comes later, if ever.
Side-by-side
| Attribute | Red Bridge Cyber | Penetration Testing |
|---|---|---|
| Price band | From $250 / month (month-to-month, cancel anytime) | $10,000–$60,000+ per engagement |
| Time to deliver | Initial findings live on first login; weekly PDF snapshot every Monday | 2–6 weeks of testing + reporting |
| Scope | Public-facing surfaces of your business — Email, Speed, Domain, Visibility, Security | Whole-of-environment: web app, internal network, endpoints, social engineering, cloud, on request |
| Invasiveness | Non-invasive — outside-only, the same checks an attacker would run during reconnaissance | Invasive — testers actively exploit vulnerabilities under a signed agreement |
| Who it suits | 1–30 staff Australian small business with one or two public-facing services and no continuous security obligation | Organisations with regulatory drivers (APRA, healthcare, defence), prior breach history, or a defined threat model |
| What it does NOT cover | Internal network testing, social engineering, exploit chaining, lateral movement | Light-touch reconnaissance of public surfaces (overkill for the use case; not the point of the engagement) |
When each is right
Red Bridge Cyber is right when …
- You have a small business website and you do not know whether the basics are set up correctly.
- You have been told by a developer or hosting provider to fix something (DMARC, an expired certificate, security headers) and you do not know what that means.
- You are not under regulatory obligation to maintain ongoing security oversight.
- You want to fix the obvious before deciding whether to spend more.
Penetration testing is right when …
- You operate under regulatory cover that requires it — APRA CPS 234, health, government, defence, financial services.
- Your insurance, customer contract, or partner agreement explicitly requires a penetration testing report.
- You have already been breached and need an active assessment as part of recovery.
- You have a defined threat model and want to validate how your existing controls perform against a real adversary.
What we don’t do
Red Bridge Cyber does not run a penetration test. We do not actively attempt to compromise your systems, exploit vulnerabilities, or perform any invasive testing — our scans are outside-only reconnaissance, the same checks an attacker would run before deciding whether you are worth the effort. If your business genuinely needs penetration testing, that is the correct choice, and the Small business hub from the Australian Cyber Security Centre is a no-cost starting point for understanding what level of security investment makes sense for your business.
Referral disclosure
When a customer genuinely needs a full penetration test, we maintain a small, vetted list of independent Australian pen-testing firms we are happy to refer them to.
We do not accept referral fees, kickbacks, or revenue share from any of those firms. Referrals are made on the basis of past delivery quality only — not on any commercial arrangement.
Every commercial relationship we have — and the ones we deliberately don’t — is published at Partner & referral disclosures.