top of page

External Network Penetration Testing

What is an external network penetration test?

An external network penetration test looks at your organisation from the outside - the same view an attacker on the internet has before they try anything. We map your internet-facing systems and then attempt to find and exploit vulnerabilities in them, the same way a real attacker would.

This includes your public IP addresses, domain infrastructure, VPNs, remote access systems, mail servers, and any other services your organisation exposes to the internet. Many businesses are surprised by how much is visible from outside, particularly if infrastructure has grown over time without a regular audit of what is actually internet-facing.

What we test

Asset discovery and enumeration - before testing anything, we build a picture of your external attack surface. This includes identifying IP ranges, subdomains, exposed services and ports, and any systems that may have been forgotten or are no longer actively maintained but are still reachable from the internet. Forgotten systems are a common source of findings.

Vulnerability identification and exploitation - we assess identified services for known vulnerabilities, misconfigurations and weak configurations, and where it is safe to do so, attempt to exploit them to demonstrate real-world impact. This goes beyond a vulnerability scan, which will identify potential issues but won't tell you whether they are actually exploitable or what an attacker could do with them.

VPN and remote access - remote access infrastructure is one of the most targeted parts of any organisation's external footprint. We test for known vulnerabilities in VPN products, weak authentication configurations, and whether access controls are enforced correctly.

Email security - we review your domain's email security configuration, including SPF, DKIM and DMARC records, which govern whether your domain can be spoofed in phishing attacks. Misconfigured or missing records are a straightforward finding that is also straightforward to fix.

SSL/TLS configuration - checking that encrypted connections to your services are configured correctly, that weak cipher suites and outdated protocol versions are not in use, and that certificates are valid and properly issued.

Subdomain and DNS review - reviewing DNS records for misconfigured or abandoned subdomains that could be taken over by an attacker, and checking for any information in DNS records that could assist an attacker in mapping your internal environment.

Breached credential check - we check whether any credentials associated with your organisation's domains appear in publicly available data breach dumps or infostealer logs, which an attacker could use to attempt access to your external systems.

Who needs an external network penetration test?

Any organisation with internet-facing systems. If your business has a website, a VPN, a mail server, or any service reachable from outside your office network, you have an external attack surface worth understanding. For many SMBs this is more extensive than expected once it is actually mapped out.

Compliance requirements. ISO 27001 includes external-facing infrastructure in scope for security assessments. PCI DSS requires external penetration testing annually, and after significant changes to the environment, for any organisation that stores, processes or transmits cardholder data. If your business is working toward either standard, external penetration testing is a required component.

Before going live with new infrastructure. If your organisation is launching a new public-facing system, moving to a new hosting environment, or exposing a new service to the internet, testing before go-live is considerably less disruptive than finding issues after.

Regular ongoing testing. Your external attack surface changes over time as new services are added, certificates expire, software is updated, and infrastructure is reconfigured. An annual external test gives you a current picture and a consistent baseline to measure against year on year.

What the process looks like

External penetration testing is conducted entirely remotely and there is no need for on-site access. We work from a black-box starting point, meaning we begin with only publicly available information about your organisation, which is the same starting position a real attacker would have.

Before testing begins we confirm the scope with you in writing including the IP ranges, domains and systems we are authorised to test. This is important both to make sure we are testing the right things and to ensure the engagement is properly documented if questions arise from your hosting provider or ISP about the traffic we generate.

Testing typically runs over two to four days. The report covers every finding with a severity rating, a plain-language explanation of what it means and what an attacker could do with it, and specific remediation steps. We also include a summary of your external attack surface as we mapped it, which is useful context for your IT team or managed service provider.

Retesting

We offer retesting once remediation has been completed, confirming that vulnerabilities have been resolved and that the fixes have not introduced new issues. This is particularly useful when you need to demonstrate remediation to an auditor or customer.

Based in Auckland, working across New Zealand

External testing is conducted remotely and works equally well for businesses anywhere in New Zealand. There is no requirement for us to be on-site.

bottom of page