
Why One Penetration Test a Year Is No Longer Enough
What the ASD’s 2024–25 Annual Cyber Threat Report Means for Your Business
By Harshang Shah, CISO & Founder, Cyber Forte | June 2026
The Australian Signals Directorate’s 2024–25 Annual Cyber Threat Report — the most recent published data on Australia’s threat landscape — makes for sobering reading. If you haven’t seen it yet, here is the number that should stop you in your tracks:
One Australian business is hit by a cybercrime every six minutes.
Over 84,700 cybercrime reports were received in the past year. The average cost per business incident was $80,850. And the ASD responded to more than 1,200 cybersecurity incidents — an 11% increase on the prior year — while proactively notifying organisations of malicious activity 1,700 times, up 83% from the year before.
The threat is not slowing down. It is accelerating.
And yet, most Australian businesses are still relying on a single penetration test once a year to satisfy their security obligations.
The Problem With a Once-a-Year Snapshot
A penetration test tells you where your vulnerabilities are on the day the tester logs in. It is genuinely valuable work — and every organisation should be doing it. But the moment the test ends, the clock starts ticking.
Over the next twelve months, your environment will change. New software will be deployed. Plugins will go out of date. Cloud configurations will drift. New CVEs will be disclosed for software you are already running. Staff will leave and access permissions will not be fully revoked. A new subdomain will be spun up and forgotten about.
None of this is visible in last year’s report. When your insurer asks for your current security posture, or an enterprise client requests evidence of recent testing, or a regulator comes knocking after an incident — a twelve-month-old penetration test is not the answer they are looking for.
What the Threat Report Is Actually Telling Businesses
Three findings from the ASD’s 2024–25 report stand out for Australian SMBs and mid-market organisations — and they are as relevant today as when the report was published:
1. Ransomware remains the most damaging threat — but the attack has evolved.
Ransomware made up 34% of the highest-severity incidents responded to by the ACSC. But the tactics have shifted. Attackers are increasingly bypassing encryption entirely and going straight to data exfiltration — stealing your data and threatening to publish it rather than locking you out. Why? Because they know most organisations now have backups. The leverage has moved from disruption to exposure.
This matters because your existing backup strategy does not protect you from this version of the attack. The only defence is finding and closing the entry points before attackers use them.
2. DDoS attacks surged over 280% in a single year.
The report noted a dramatic increase in denial-of-service attacks against Australian organisations. For any business dependent on an eCommerce platform, customer portal, or online service for revenue, a sustained DDoS attack is not an IT problem — it is a business continuity problem. Testing your exposure to this kind of attack once a year means you have eleven months of blind spots.
3. State-sponsored actors are targeting businesses, not just government.
This is no longer a concern limited to defence contractors or critical infrastructure operators. The ACSC noted that state-sponsored actors are targeting businesses to gain access to government supply chains. If you supply services to any government agency or large enterprise, you are a potential target.
What "Continuous Security Testing" Actually Looks Like
When we talk about continuous security testing at Cyber Forte, we are not describing a complex, expensive programme that only enterprise organisations can afford. For most SMBs and mid-market businesses, it looks like this:
Monthly automated vulnerability scanning — every month, your external-facing systems, web applications, and network assets are scanned for known vulnerabilities, new CVEs, configuration weaknesses, SSL/TLS issues, and exposed assets you may not have known about. The results are analyst-reviewed before delivery — you receive a concise, prioritised report, not a raw tool output.
Annual manual penetration test — once a year, a certified human tester attempts to exploit your environment the way a real attacker would. This finds the complex, chained, business-logic vulnerabilities that automated tools cannot discover. It is the depth that the monthly scanning cannot replicate.
Together, these two workstreams give you something a single annual test cannot: a continuous, current picture of your security posture.
The Business Case Is Simple
Consider the numbers. A standalone annual web application penetration test for a typical SMB costs between $8,000 and $35,000 depending on scope. That buys you one report, valid for one day, with no ongoing monitoring.
A continuous programme that combines the annual test with monthly scanning can be delivered for a predictable monthly retainer. The cost difference is modest. The coverage difference is enormous.
And when your cyber insurer asks — as they increasingly do — whether you have conducted a penetration test in the past twelve months, and whether you have ongoing security monitoring in place, the answer matters. Insurers are beginning to price coverage based on security maturity, not just revenue. Organisations that can demonstrate continuous testing are better positioned for favourable premiums and faster claims processing.
Three Things to Do This Month
You do not need to overhaul your entire security programme overnight. Start here:
1. Check when your last penetration test was conducted. If it was more than twelve months ago, you have a gap. If you cannot easily locate the report, that is also a gap.
2. Ask whether your current test includes web applications and APIs. A network penetration test and a web application penetration test are different engagements. If your eCommerce platform, customer portal, or API-driven service has not been specifically tested, it is likely carrying unidentified vulnerabilities.
3. Assess whether you have visibility between annual tests. If a new CVE is disclosed tomorrow for software you are running, would you know within days or only at your next annual engagement? Monthly scanning is the answer to this question.
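One way to build the visibility that step 3 and the monthly-scanning paragraph above call for is to keep a software inventory of externally facing systems and check it against newly disclosed advisories as they arrive, rather than waiting for the next annual engagement. The Python script below is an added illustration written for this article, not code from the original page or from Cyber Forte; the hostnames, product names, version numbers and advisory identifiers in it are all constructed placeholders, and a real programme would feed it from an actual asset inventory and a vendor or national advisory feed.

```python
"""Match a software inventory against disclosed advisories (added example).

All hosts, products, versions and advisory IDs below are constructed
placeholders, not real systems or real vulnerabilities.
"""
from dataclasses import dataclass
import re

# Lower rank sorts first so the report leads with the most urgent exposure.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Asset:
    host: str      # externally facing system where the software runs
    product: str   # product name as recorded in the inventory
    version: str   # installed version string


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder identifier, not a real CVE number
    product: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive upper bound)
    severity: str


def parse_version(version: str) -> tuple:
    """Turn '4.2.1' or '1.24.0-2' into a tuple of ints for comparison.

    Non-numeric suffixes such as 'rc1' are treated as 0 so that mixed
    version strings still compare without raising.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def _pad(a: tuple, b: tuple) -> tuple:
    """Right-pad the shorter tuple with zeros so '4.2' compares as '4.2.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(version: str, advisory: Advisory) -> bool:
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    v_lo, lo = _pad(v, parse_version(advisory.affected_from))
    v_hi, hi = _pad(v, parse_version(advisory.fixed_in))
    return lo <= v_lo and v_hi < hi


def exposure_report(inventory, advisories) -> list:
    """Return every (asset, advisory) pairing where the asset is exposed,
    ordered by severity and then hostname, as plain dicts for reporting."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            if asset.product.lower() != adv.product.lower():
                continue
            if is_affected(asset.version, adv):
                hits.append({
                    "host": asset.host,
                    "product": asset.product,
                    "version": asset.version,
                    "advisory_id": adv.advisory_id,
                    "severity": adv.severity,
                    "fixed_in": adv.fixed_in,
                })
    hits.sort(key=lambda h: (SEVERITY_RANK.get(h["severity"].lower(), 9), h["host"]))
    return hits


# Constructed sample inventory: what a monthly external scan might record.
INVENTORY = [
    Asset("shop.example.com", "ExampleCMS", "4.2.1"),
    Asset("portal.example.com", "ExampleCMS", "4.2.3"),
    Asset("api.example.com", "ExampleGateway", "2.0.0"),
    Asset("legacy.example.com", "ExampleGateway", "1.9.4"),
]

# Constructed sample advisories: placeholders standing in for a real feed.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "ExampleCMS", "4.0.0", "4.2.3", "high"),
    Advisory("ADV-PLACEHOLDER-002", "ExampleGateway", "1.0.0", "2.0.0", "critical"),
    Advisory("ADV-PLACEHOLDER-003", "ExampleMail", "1.0.0", "1.5.0", "medium"),
]


if __name__ == "__main__":
    for hit in exposure_report(INVENTORY, ADVISORIES):
        print(f"[{hit['severity'].upper()}] {hit['host']}: {hit['product']} "
              f"{hit['version']} affected by {hit['advisory_id']}, "
              f"upgrade to {hit['fixed_in']} or later")
```

Run monthly (or whenever the advisory source updates), this turns "a new CVE was disclosed" into "these two hosts need patching this week", which is the gap between annual tests that the article describes. The version parser is deliberately simple; products with non-numeric versioning schemes would need a product-specific comparison.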
What the ASD Report Should Prompt You to Ask Your Current Provider
If you already have a security testing arrangement in place, ask your provider:
- When was our last test and when is the next one scheduled?
- Are we being informed of newly disclosed CVEs that affect our specific environment?
- Does our scope include all externally-facing systems, not just the ones we thought to include last year?
- What would you do if you discovered a critical vulnerability between our scheduled tests?
If the answers are unsatisfying, it may be time to reassess whether your current arrangement is keeping pace with the threat environment the ASD just described.
A Final Thought
The ASD report is not a scare document. It is a factual account of what is happening to Australian organisations right now — organisations of every size, across every sector. The education sector, hospitality, retail, professional services, healthcare and government supply chains all featured in the incidents described.
The organisations that navigate this environment successfully are not necessarily the ones with the largest security budgets. They are the ones who have moved from reactive, point-in-time assessments to proactive, continuous visibility.
The bar has moved. The question is whether your security testing has moved with it.
Ready to find out where your gaps are?
Cyber Forte offers a free 30-minute security gap assessment for Australian businesses. We will review your current testing coverage, identify the highest-priority gaps, and give you a clear, jargon-free picture of where you stand — with no obligation to proceed further.
Book your free assessment at www.cyberforte.com.au or call Harshang directly on 0409 417 664.
Cyber Forte Pty Ltd is an Australian multi-award-winning cybersecurity company headquartered in Melbourne. We deliver penetration testing, ISO 27001 certification, managed security services, and compliance programmes for organisations across Australia and New Zealand.
ABN: 14 636 444 838 | harsh@cyberforte.com.au | www.cyberforte.com.au

