We believe in transparency. For businesses like yours—especially in the SaaS, FinTech, and eCommerce spaces—you need to budget for security and compliance without the friction of a long, opaque sales process.

Our pricing is built on a "productized" model. You get a clear, predictable starting price for our expert-led services, allowing you to secure your platform, satisfy compliance (like ISO 27001, PCI, and tenders), and get the certificate you need to build trust with your customers.

No sales games. No hidden fees. Just expert-led testing with a clear, predictable cost.

Productized Services (Fixed Scope)

These services are our most popular, designed for business-critical applications and cloud infrastructure. The "from" price covers a standard-sized engagement. Every service includes a comprehensive, board-ready report and a formal Certificate of Penetration Testing.

Featured
Web Application Penetration Test
Web Application Penetration Test
from A$5,200.00

This is our comprehensive "black-box" assessment, designed for the majority of business-critical web applications.

This package is ideal for testing applications with multiple user roles (e.g., users, managers, administrators) and complex business logic. We simulate the actions of a real-world attacker to identify vulnerabilities that could compromise your application and its data.

Who is this for? Businesses needing to satisfy regulatory obligations (PCI DSS, ISO 27001), meet tender or customer security requirements, and proactively secure their primary web platforms.

Methodology: A thorough, manual penetration test based on OWASP and NIST standards, conducted by a senior certified penetration tester.

Deliverable: A comprehensive penetration testing report detailing all findings with a clear remediation plan, and a formal Certificate of Penetration Testing to share with your clients and stakeholders.

Thick Client Penetration Test
Thick Client Penetration Test
from A$5,200.00

This package is designed for business-critical desktop applications (Windows, macOS) that process or handle sensitive customer, financial, or healthcare data. It provides the assurance that this data is protected both on the user's computer and during transit to your servers.

Our assessment provides a comprehensive 'grey-box' review. We analyse the installed application to find client-side vulnerabilities like insecure local data storage, weak encryption, and potential for reverse engineering. We then rigorously test the backend APIs to ensure that all data is securely transmitted, authenticated, and authorised, preventing breaches at the server level.

Who is this for? Organisations in finance, healthcare, or other regulated industries that rely on thick client applications and require a high degree of assurance that sensitive data is being handled securely.

Deliverable: A comprehensive report, a remediation plan, and a Certificate of Penetration Testing.

Comprehensive App & Code Security Bundle
Comprehensive App & Code Security Bundle
A$7,800.00

This is our complete "glass-box" assessment for a single application, combining two of our core services: a "black-box" Application Penetration Test and a "white-box" Source Code Review.

This package is designed to provide the most thorough and comprehensive security view of your application. We test it from an attacker's perspective (the "black-box") while simultaneously analysing its internal logic and build (the "white-box"). This hybrid approach uncovers critical-risk vulnerabilities that either method, used in isolation, could miss.

Who is this for? Organisations with custom-built, business-critical applications. It is ideal for software companies, FinTech platforms, and any business that needs to provide the highest possible level of security assurance to stakeholders, regulators, and clients.

Methodology: A unified "glass-box" assessment. We combine a manual, black-box penetration test (OWASP WSTG) with an expert-led, white-box source code analysis (OWASP/NIST) for complete coverage.

Deliverable: A single, consolidated report detailing all findings from both the application and code layers. The report features a clear, prioritised remediation plan and a formal Certificate of Penetration Testing.

Comprehensive App, Code, & Cloud Security Bundle
Comprehensive App, Code, & Cloud Security Bundle
A$12,000.00

This is our all-in-one "glass-box" security assessment, combining three elite services into a single, unified engagement.

This package provides the highest level of assurance for your most critical applications. It combines a "black-box" Application Penetration Test, a "white-box" Source Code Review, and a "white-box" Cloud Security Review (AWS, Azure, or GCP). This holistic approach identifies vulnerabilities from the outside-in (like an attacker) and the inside-out (like a privileged insider), from the first line of code to the cloud infrastructure it runs on.

Who is this for? Organisations with business-critical, cloud-native applications. Ideal for B2B SaaS companies, FinTech platforms, and any business processing highly sensitive data that needs to satisfy the highest level of regulatory, customer, and board-level security scrutiny.

Methodology: A hybrid "glass-box" assessment. We combine black-box application testing (OWASP), white-box source code analysis (OWASP/NIST), and a white-box cloud configuration review (best practices for AWS, Azure, or GCP), all conducted by our senior certified experts.

Deliverable: One consolidated, comprehensive report detailing all findings from the application, code, and cloud layers with a single, prioritised remediation plan. You will also receive a formal Certificate of Penetration Testing for the entire bundle.

Featured
Gemini_Generated_Image_42g8rh42g8rh42g8.png
Cloud Security Penetration Test (AWS, Azure, GCP)
A$5,200.00

This package provides a comprehensive security assessment of a single cloud account or subscription (AWS, Azure, or GCP).

We simulate the actions of a determined attacker to identify and validate critical misconfigurations across your cloud environment. This assessment provides the assurance you need that your data, applications, and infrastructure are securely configured according to industry best practices.

  • Who is this for? Any organisation using cloud infrastructure to store or process sensitive data and wanting to prevent cloud-based data breaches.

  • Methodology: An expert-led "white-box" assessment of your cloud environment's configuration and security controls.

  • Deliverable: A comprehensive report detailing all misconfigurations, their potential business impact, and a clear, prioritised remediation plan, plus a Certificate of Penetration Testing.

Featured
Mobile Application Penetration Test Package
Mobile Application Penetration Test Package
from A$5,200.00

This package is designed to perform a thorough penetration test of a single mobile application binary (either iOS or Android) to satisfy regulatory, tender, or compliance requirements.

The test is conducted by our senior, Australian-based certified penetration testers. Our methodology is based on the OWASP Mobile Application Security Verification Standard (MASVS) and recommendations from NIST. The final report provides the assurance you need to meet regulatory obligations, tender requirements, and standards like PCI DSS or ISO 27001.

  • Scope: A comprehensive security assessment of one application binary (iOS or Android).

  • Deliverable: A detailed report with all findings, their potential impact, and a clear remediation plan, plus a Certificate of Penetration Testing.

Featured
API Security Assessment
API Security Assessment
from A$5,200.00

APIs are the nervous system of modern digital business, connecting your data, mobile apps, and partners. However, they are also the #1 target for sophisticated cyber attacks.

At Lean Security, we move beyond basic scanning. We provide an API Security Assessment that functions with the agility of Penetration Testing as a Service (PTaaS)—giving you direct access to a senior web penetration tester who thinks like a hacker to secure your infrastructure.

This package provides a comprehensive, expert-led penetration test for a single API application (typically up to 20 endpoints). We test modern REST, GraphQL, and legacy SOAP services to identify critical vulnerabilities that standard automated tests miss.

Who is this for? SaaS platforms, FinTechs, and mobile-first businesses requiring evidence of security for ISO 27001, SOC2, or PCI DSS compliance.

Methodology: A hybrid approach combining automated test efficiency with deep-dive manual testing based on the OWASP API Security Top 10.

Deliverable: A bank-ready report, a remediation plan, and a formal Certificate of Penetration Testing.

Featured
Static Source Code Analysis Package
Static Source Code Analysis Package
A$5,200.00

A standard penetration test checks your application from the outside; a source code review finds vulnerabilities from the inside. It is the most effective way to find deep-seated security flaws, complex business logic errors, and insecure dependencies before they ever reach production.

This package provides a comprehensive "white-box" security review for a single application codebase (up to 500,000 lines of code). It combines the efficiency of automated scanning with the critical thinking of an expert security analyst to deliver thorough and accurate results. We support over 21 programming languages, including Java, C#, Python, JavaScript, Go, and more.

Who is this for? Organisations with custom-built, business-critical applications. Ideal for software companies, FinTech platforms, and any business that needs to provide the highest level of assurance to stakeholders, auditors, and partners (satisfying ISO 27001, PCI DSS, etc.).

Methodology: A hybrid "white-box" assessment based on OWASP and NIST standards. Our experts combine industry-leading automated scanning tools with a deep manual review to identify flaws and eliminate false positives.

Deliverable: A comprehensive code review report detailing all findings with a clear remediation plan, and a formal Certificate of Secure Code Review to share with your clients and stakeholders.

Featured
External Infrastructure Penetration Test
External Infrastructure Penetration Test
from A$6,200.00

This assessment answers the question: "How would an attacker get in from the internet?"

We simulate the actions of an external attacker with no prior knowledge of your systems. Our test focuses on your internet-facing perimeter, including your web servers, VPNs, firewalls, and cloud services. We identify and validate vulnerabilities that could allow an attacker to breach your defences.

  • Who is this for? All organisations. This is the foundational assessment for understanding and securing your public-facing attack surface.

  • Methodology: An expert-led test simulating an external attacker, covering reconnaissance, vulnerability scanning, and controlled exploitation of perimeter systems.

  • Deliverable: A detailed report on all external vulnerabilities and a clear remediation plan, plus a Certificate of Penetration Testing.

Internal Infrastructure Penetration Test
Internal Infrastructure Penetration Test
from A$6,200.00

This assessment answers the question: "What could an attacker do if they were already inside our network?"

We simulate the actions of a malicious insider or an attacker who has successfully bypassed your perimeter defences (e.g., through a phishing attack). Starting from a position inside your network, we test for weaknesses in Active Directory, internal servers, and network segregation to see how far an attacker could get and what data they could access.

  • Who is this for? Organisations looking to defend against modern threats like ransomware and insider attacks and validate their internal security controls.

  • Methodology: A "white-box" test simulating an internal threat, focused on privilege escalation, lateral movement, and accessing critical internal assets.

  • Deliverable: A comprehensive report on internal network vulnerabilities and misconfigurations, plus a Certificate of Penetration Testing.

Your Questions, Answered

1. What does "from" pricing cover?

Our "from" price covers our comprehensive baseline test for a standard-sized application (e.g., a single web app with up to 3 user roles and ~50 unique functions/API endpoints). This is the full, expert-led test required by most compliance frameworks like ISO 27001 or for customer assurance.

The final, fixed price is confirmed after a quick, non-technical scoping call. This ensures you only pay for what you need.

Do you have a complex platform? If your environment involves multiple web interfaces, system-to-system APIs, and complex backend infrastructure, please contact us for a customised quote. We will provide the best possible pricing for your specific architecture.

2. What is included in every engagement?

All our productized services and bundles include:

  • A Senior Australian Expert: Your test is performed by a senior, certified penetration tester, not a junior analyst or an automated-only scanner.

  • A Comprehensive Report: A detailed, board-ready report with clear risk ratings, evidence, and actionable, step-by-step remediation guidance.

  • A Formal Certificate of Pen Testing: A clean, shareable certificate to prove your security posture to your clients, auditors, and partners.

  • Optional Fixed-Price Retest: After you've applied the fixes, you have the option to add a fixed-price retest. We will validate your remediation and provide a "clean" final report.

3. What is our 3-step process?

  1. Get a Quote: Click the button below and tell us which service you're interested in. We'll send a simple, non-technical scoping questionnaire.

  2. Confirm Scope & Price: We review your answers and provide a single, fixed-price quote, usually the next business day.

  3. We Test & Deliver: We schedule and perform the assessment, delivering your comprehensive report and certificate on the agreed date.

Contact us for a quote