Australia’s Trusted Experts in Offensive Security

Penetration tests are typically required as a compliance requirement for many industries. They can give you peace of mind, validate your controls are effective, and signal trust to potential prospects. In low-risk situations, or where security is not relevant to commercial outcomes or compliance requirements, other forms of security can be more cost-effective. At Galah, we are honest and will tell you whether a test is necessary, or whether other security controls can provide better value for you and your stakeholders.

A vulnerability scan is performed on a regular cadence by a computer system and searches for known weaknesses. Vulnerability scans are good at discovering basic vulnerabilities, but lack business impact and context as well as depth. Vulnerability scans are typically not accepted by buyers as a substitute for a penetration test. That said, they are valuable for continuously identifying simpler issues and making tests more comprehensive. At Galah, we will help you understand what form of offensive security is better suited for your organisation.

A red team engagement seeks to achieve an objective through activities that could include penetration testing. They typically simulate known threat actor groups and emulate their tactics, techniques, and procedures. Red team engagements are stealthy, long, and surgical and better for validating organisational capabilities. Penetration tests seek to identify relevant and impactful issues in a set time period and are better suited for finding vulnerabilities in relevant assets. At Galah, we will help you understand what form of offensive security is better for your organisation.

Penetration testing is relevant for organisations of all scales. Larger organisations typically have the most compliance and regulatory requirements, or assets that need the most protection, and so they’ll engage suppliers to do a variety of offensive security activities. But smaller businesses also need to demonstrate trust to customers, verify the efficacy of their existing security protections, comply with regulations, and build trust in potential prospects. At Galah, while we have large enterprise clients engaging us for testing, the majority of our projects are small businesses trying to achieve compliance, or software businesses looking to grow.

While you may not believe you are a target or have anything of value, hackers are creative and opportunistic. They will find methods to extract value from you and your business. Reputational damage, extortion, facilitation of money laundering, planting of illegal content, ransom, corporate or national espionage, cash/data/IP theft, information exposure, and simple disruption or sabotage are all objectives that opportunistic hackers may want to inflict on you. No business is immune to hackers. At Galah, we are happy to explain

We encourage clients to do their own research, use vulnerability scanners, and otherwise do what they can to uplift their security posture. But like with school, you cannot mark your own homework. Regulators and prospects will want to see independent assessment of your systems and your staff are unlikely to have the same level of qualification, skill, and expertise as pure security consultants. Get independent advice, get Galah.

Our typical engagement length is between 7-10 business days. We have had engagements as short as 3 business days, and as long as 60 business days. Other firms provide ‘T Shirt sized’ penetration tests. We don’t as we believe it universally results in a <bad client outcome>. Either poor test-coverage and quality from an underscoped engagement, or price-gouging from an overscoped engagement. We tailor our engagements to your objectives and constraints to consistently give quality assessments at fair prices.

Our engagements are tailored, and so are our costs. To provide rough budgetary guidance, smaller engagements range from $7000-$12000, mid-size engagements $18000-$24000, and large engagements can exceed $30000. At Galah, we will work with you to get the best outcome for your budget.

Check out our engagement model above! We’re happy to also provide a sample report, meet with you online, or introduce you to existing clients if you’re unsure of the engagement process and need further guidance.

At Galah Cyber, we tailor every engagement. Each business has unique challenges, unique assets, and unique constraints even in the same industry. We want to give you pricing that is fair and fit for your purposes. Not overcharge you or deliver inadequate quality services.

We are a premium provider and only employ senior or principal consultants. Our penetration testers are required to hold industry qualifications, have deep expertise, at least 5 years of experience, and take client experience seriously. More expensive firms have significant overheads or apply a brand markup. Cheaper firms are staffed by inexperienced graduates, rely on unsustainable overwork cultures, or rely heavily on automation such as scanners and AI. We believe our pricing is fair as we have low overheads, treat our staff ethically, don’t cut corners, and only work with exceptional humans.