External Network Penetration Testing

A penetration test identifies your organization's weaknesses the same way an attacker would — by hacking it. This enables organizations to better understand and ultimately minimize the risk associated with IT assets. During an external penetration test, we perform an assessment on all assets accessible from the Internet. In this way we are evaluating your security from the perspective of an outsider trying to look in.

Methodologies for External Penetration Testing

Penetration Methodology Steps

Host and service discovery compiles a complete list of all accessible systems and their respective services with the goal of obtaining as much information about your Internet facing assets as possible. This includes initial domain foot printing, live host detection, service enumeration, and operating system and application fingerprinting.

With the information collected from the discovery phase in hand, security testing transitions to identifying vulnerabilities in externally facing systems and applications using automated scans and manual testing techniques. Praetorian begins the vulnerability identification process with commercial and open source vulnerability scanners. Automated scans are good at identifying known and common vulnerabilities; however, automated scans are not good at detecting complex security issues, uncovering system and application specific vulnerabilities, developing attack chains, or validating the findings reported. For this reason, automated scans represent only a small facet of the overall security assessment with the majority of vulnerability testing focused on manual testing and verification. Finally, risk priorities are assigned to each vulnerability according to Praetorian's comprehensive risk rating scale.

The third, final, and sometimes optional phase includes exploitation of the underlying vulnerabilities. Because of the small potential for disruption, some clients may elect to omit this phase of the testing process and simply have a vulnerability assessment performed. For those customers that are interested in a proof of concept phase, once initial findings have been verified, Praetorian exploits the underlying issues to serve as proof the issues exist and to demonstrate the critical nature of the vulnerabilities. Praetorian will chain attacks to compromise as much of the environment as possible or focus on meeting specific objectives the client requests under a capture the flag scenario. Vulnerabilities may culminate in pilfering sensitive data such as patient records, customer credit cards numbers, and intellectual property.

What You Get

Upon completion of the assessment Praetorian shall provide a single electronic report deliverable. The report will provide an analysis of the current state of the assessed security controls. The analysis will identify areas that need to be resolved in order to achieve an adequate level of security. The detailed contents of the deliverable are described below.


The report deliverable will include the following high level sections in a format suitable for management:

  • Purpose of the engagement including project's scope and approach
  • Positive security controls that were identified
  • Tactical resolutions to immediately reduce risk in the environment
  • Strategic recommendations for preventing similar issues from recurring
  • An industry comparison based on consultancy experience and results from similar previous engagements

The report deliverable will also include the following in-depth analysis and recommendations for technical staff to understand the underlying risks and recommendations:

  • A technical description and classification of each vulnerability
  • Anatomy of exploitation including steps taken and proof in the form of screenshots
  • Business or technical risk inherent in the vulnerability
  • Vulnerability classification that describes the risk level as a function of vulnerability impact and ease of exploitation
  • Technical description of how to mitigate the vulnerability

Success Story: External Penetration Test

A publicly traded company hired Praetorian to perform a penetration test to simulate a real world attack and provide a practical evaluation of their Internet facing systems. The engagement was structured as a black box test, and Praetorian had no prior knowledge of the client's network architecture, detection capabilities, or its control processes.

Initially, the client's perimeter infrastructure prevented Praetorian from compromising the environment at the network and system level. However, once the evaluation moved into the application layer, Praetorian identified several significant issues and compromised the client's DMZ due to vulnerabilities present in the client's web applications. Specifically, a SQL injection vulnerability allowed Praetorian to penetrate a database and exfiltrate sensitive and confidential customer information. Praetorian then leveraged the SQL injection vulnerability to gain unauthorized access to the underlying operating system of the database server using the stored procedure xp_cmdshell in MSSQL. The initial foothold in the DMZ environment eventually led to a complete compromise of the internal network.

The results of this assessment demonstrated that a simple vulnerability in a web application could lead to severe and irrevocable damage to the organizations IT capabilities and services. Praetorian's recommendations within the final report gave the client clear tactical action for remediation as well strategic recommendations to minimize future occurrence.


Explore more Praetorian success stories →

Frequently Asked Questions


  1. How much does an external penetration test cost?

    The cost is dependent on the size and complexity of the network and the level of rigor in which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed bid quote.

  2. How is size and complexity determined?

    Size is determined by the size of the network ranges and the number of live hosts within them. An external penetration test has three phases: 1) host and service discovery, 2) vulnerability identification and verification, and 3) exploitation. Exploitation of the environment is the most complex and time consuming phase. Other factors impacting engagement complexity include which attack vectors will be employed such as network, application, and social engineering.

  3. How long does an external penetration test take to complete?

    The time to completion depends on the size and complexity of the network and the level of rigor in which it is performed. A small external footprint with a low level of testing rigor can be completed in a few days. For companies with large external footprints that require a high level of testing rigor, penetration testing can take several weeks. On average, the typical duration of an external penetration test is one week.

  4. What is the difference between an external penetration test and an external vulnerability assessment?

    An external penetration test has three phases: 1) host and service discovery, 2) vulnerability identification and verification, and 3) exploitation. The primary objectives of an external penetration test are to obtain sensitive information and/or gain unauthorized access. An external vulnerability assessment, on the other hand, only includes the first two phases: 1) host and service discovery and 2) vulnerability identification and verification. During an external vulnerability assessment the "proof of concept” phase that demonstrates the impact of the vulnerabilities identified is not performed.



Ready to get started?

Contact us at 1 (800) 675-5152 to get started with your External Penetration Testing needs, or request a callback by submitting the form below.