Internal penetration testing simulates an attacker who already has access inside your network, testing for privilege escalation, lateral movement, and Active Directory weaknesses. External penetration testing targets your internet-facing assets from the outside: firewalls, VPNs, web applications, and cloud services. Most compliance frameworks, including PCI DSS 4.0, require both types annually because they assess fundamentally different risks.
What is internal penetration testing?
An internal penetration test simulates an attacker who already has access to your network. The tester starts from inside the LAN, typically with a low-privilege domain account, and attempts to escalate privileges, move laterally between systems, and compromise the Active Directory domain.
The goal is to answer one question: once an attacker gets past your perimeter, how far can they go?
Internal testers follow a structured attack path. A CREST-certified tester will typically begin by poisoning name resolution protocols (LLMNR/NBT-NS) with tools like Responder to capture credential hashes. From there, the tester attempts Kerberoasting to extract service account passwords, maps privilege escalation routes using BloodHound, performs Pass-the-Hash attacks for lateral movement, and targets DCSync to replicate domain controller credentials.
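A defender's counterpart to the Kerberoasting step described above, added here as an example that is not part of the original article: detection logic run over constructed Windows Security event 4769 records (field names are a simplified subset of the real event) that flags a source requesting RC4-HMAC service tickets for several distinct user service accounts in a short window.

```python
"""Kerberoasting indicator: a burst of Kerberos TGS requests (Windows
Security event 4769) asking for RC4-HMAC tickets (TicketEncryptionType
0x17) for several distinct user service accounts from one source IP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); a trimmed subset of the
# 4769 fields: IpAddress, ServiceName, TicketEncryptionType, Status.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:01", "ip": "10.0.5.23", "svc": "svc_sql",    "etype": "0x17", "status": "0x0"},
    {"time": "2025-01-10T09:00:02", "ip": "10.0.5.23", "svc": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2025-01-10T09:00:02", "ip": "10.0.5.23", "svc": "svc_web",    "etype": "0x17", "status": "0x0"},
    {"time": "2025-01-10T09:00:03", "ip": "10.0.5.23", "svc": "svc_sccm",   "etype": "0x17", "status": "0x0"},
    {"time": "2025-01-10T09:00:03", "ip": "10.0.5.23", "svc": "WS01$",      "etype": "0x17", "status": "0x0"},
    {"time": "2025-01-10T09:05:00", "ip": "10.0.7.40", "svc": "svc_sql",    "etype": "0x12", "status": "0x0"},
    {"time": "2025-01-10T09:06:00", "ip": "10.0.7.40", "svc": "krbtgt",     "etype": "0x12", "status": "0x0"},
    {"time": "2025-01-10T10:30:00", "ip": "10.0.7.41", "svc": "svc_web",    "etype": "0x17", "status": "0x0"},
]

RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # distinct roastable accounts from one source inside WINDOW

def is_roastable(service):
    """User accounts with SPNs are the targets; computer accounts ($) and
    krbtgt generate RC4 noise and are excluded from this rule."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_kerberoast_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: sorted service accounts} for each source that got
    successful RC4 service tickets for >= threshold distinct user service
    accounts inside `window` (sliding window per source)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and e["status"] == "0x0" and is_roastable(e["svc"]):
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["svc"]))
    alerts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts[ip] = sorted(in_window)
                break
    return alerts

if __name__ == "__main__":
    for ip, accounts in find_kerberoast_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: RC4 TGS requests for {len(accounts)} accounts: {accounts}")
```

Legacy applications still request RC4 tickets, so baseline the rule before alerting on it; the matching hardening is long random passwords or gMSAs for SPN-bearing accounts and restricting them to AES ticket encryption.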
The findings are consistently severe. Schellman's 2024 penetration testing data found that internal assessments uncovered 269 vulnerabilities, with 50 rated high-severity. That is nearly four times the high-severity rate of external assessments. In a separate study, ZeroThreat reported that internal pentests across 23 organisations resulted in complete system takeovers within three days, and in 61% of organisations, attackers gained full control using just one simple vulnerability.
What is external penetration testing?
An external penetration test simulates an internet-based attacker targeting your public-facing assets with no prior access. The tester probes firewalls, VPNs, web servers, DNS records, email security configurations (DMARC/SPF/DKIM), and cloud infrastructure to identify exploitable weaknesses.
External testing answers a different question: can an attacker breach your perimeter from the outside?
The attack surface is often larger than organisations expect. Aggregated industry data shows that 77% of successful external pentest compromises used poorly protected web applications as the primary vector, and 86% of companies had at least one exploitable web application vulnerability. Schellman's 2024 data found that external assessments identified 248 vulnerabilities, with 146 related to configuration management and 84 linked to missing DMARC records that enabled email domain spoofing.
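The missing-DMARC finding above is one an external tester checks by reading the domain's `_dmarc` TXT record. As an added example, not code from the original article, the assessment below grades a DMARC record string (missing, monitor-only, partial or enforced) the way a tester would write it up; the sample records and domains are constructed, and no DNS lookup is performed.

```python
"""Offline assessment of the DMARC TXT record an external tester pulls from
_dmarc.<domain>. No DNS lookups: records are passed in as strings
(constructed samples below), so the rules run and test without network."""

def parse_tags(record):
    """'v=DMARC1; p=none; pct=50' -> {'v': 'DMARC1', 'p': 'none', 'pct': '50'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (severity, findings). record=None means the lookup returned
    nothing. 'high': spoofed mail from this domain is delivered unchecked,
    'medium': partial enforcement, 'ok': p=reject applied to all mail."""
    if record is None:
        return "high", ["no DMARC record published: domain can be spoofed"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "high", ["record does not start with v=DMARC1; receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "high", [f"missing or invalid p= tag ({policy!r})"]
    severity = {"none": "high", "quarantine": "medium", "reject": "ok"}[policy]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is not applied to the whole mail stream")
        severity = "medium" if severity == "ok" else severity
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
        severity = "medium" if severity == "ok" else severity
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports go nowhere")
    return severity, findings

# Constructed sample records for fictional domains, not live DNS data.
SAMPLES = {
    "shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "bank.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@bank.example",
    "legacy.example": None,
}
```

Running `assess_dmarc` over each entry in `SAMPLES` reproduces the three outcomes a tester reports: no record, monitor-only, and enforced.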
External penetration tests typically take two to five days and cost less than internal tests because the scope is narrower: the tester only sees what is visible from the internet.
How do internal and external penetration tests compare?
The table below summarises the key differences across seven dimensions. For a broader comparison of testing approaches, see our guide to vulnerability assessment vs penetration testing.
| Feature | Internal penetration testing | External penetration testing |
|---|---|---|
| Goal | Determine what an insider or post-breach attacker can do | Determine whether an outsider can breach the perimeter |
| Starting position | Inside the network (LAN access, low-privilege domain account) | Outside the network (zero access, black-box or grey-box) |
| Attack vectors tested | AD misconfigurations, LLMNR poisoning, Kerberoasting, privilege escalation, lateral movement, credential dumping, network segmentation | Web applications, firewalls, VPNs, DNS, email spoofing (DMARC), SSL/TLS configuration, cloud services |
| Common findings | Weak AD permissions, shared local admin passwords, Kerberoastable service accounts, flat network segmentation, cleartext credentials | Missing DMARC records, outdated SSL/TLS, exposed admin panels, SQL injection, XSS, misconfigured cloud services |
| Compliance mapping | PCI DSS 11.4.2, ISO 27001 A.8.8, DORA Art. 26, NIS2/CSRB | PCI DSS 11.4.1, ISO 27001 A.8.8, DORA Art. 26, Cyber Essentials Plus |
| Typical duration | 3 to 10 days | 2 to 5 days |
| UK cost range | £5,000 to £15,000 | £3,000 to £8,000 |
When should you choose an internal penetration test?
An internal test is the right choice when the threat is already inside your perimeter, or when you need to validate what happens if it gets there.
Post-breach validation. If your organisation has experienced a breach, or suspects compromise, an internal test determines how far an attacker could move through the network.
Active Directory security. If your organisation runs Windows Active Directory and has never tested it, an internal pentest is overdue. AD misconfigurations are the single most common path to full domain compromise.
Network segmentation testing. If you rely on VLANs, internal firewalls, or zero-trust controls to isolate sensitive systems, an internal test validates whether those controls actually work. Target Corporation's 2013 breach compromised 40 million card records because attackers moved laterally from an HVAC vendor portal to point-of-sale systems across 1,797 stores. The network segmentation that should have prevented this did not exist. An internal penetration test would have found the gap.
PCI DSS compliance. Requirement 11.4.2 mandates internal penetration testing of the cardholder data environment (CDE). The test must be conducted from within the CDE network segment.
Insider threat modelling. The Verizon 2025 Data Breach Investigations Report found that 38% of breaches involved internal threat actors. If your organisation handles sensitive data, an internal test models what a rogue employee or compromised endpoint could access.
When should you choose an external penetration test?
An external test is the right choice when you need to validate your perimeter defences against internet-based attackers.
New public-facing infrastructure. Launching a customer portal, API, or e-commerce platform creates new attack surface. An external test identifies vulnerabilities before attackers do.
Perimeter validation. If you have invested in firewalls, WAFs, and VPN configurations, an external test confirms whether those controls actually block exploitation. The Verizon 2025 DBIR found that 20% of breaches began with exploitation of public-facing vulnerabilities, a 34% increase year-on-year, with attacks on edge devices and VPNs rising eightfold.
Compliance requirements. PCI DSS 4.0 Requirement 11.4.1 mandates external penetration testing. Cyber Essentials Plus includes external vulnerability testing as part of the independent assessment.
Attack surface expansion. After a cloud migration, acquisition, or new domain deployment, an external test maps what is now exposed to the internet. Organisations frequently discover forgotten services, misconfigured cloud storage, and test environments that were never decommissioned.
First test on a limited budget. If you can only afford one engagement, an external test is the typical starting point because it addresses the most publicly visible risk. However, internal testing should follow as soon as budget allows.
Do you need both internal and external penetration testing?
Yes. They test fundamentally different things.
An external test tells you whether an attacker can get in. An internal test tells you what happens once they are inside. Running only one type leaves a critical blind spot.
The case for both is backed by data. Stolen credentials were the number one initial attack vector at 16% of breaches, costing an average of $4.81 million per incident (IBM 2024). Horizon3.ai documented 28,866 instances of successful credential dumping across 50,000+ penetration tests in 2025. Once credentials are compromised, external defences become irrelevant, and only internal controls stand between the attacker and your critical systems.
The compliance argument is equally clear. PCI DSS 4.0 Requirement 11.4 explicitly mandates both internal (11.4.2) and external (11.4.1) penetration testing annually and after significant infrastructure changes. ISO 27001 Control A.8.8 expects testing across the full vulnerability landscape.
For organisations with limited budgets, many penetration testing providers offer combined internal and external packages at a lower total cost than booking separately. A combined engagement typically costs £8,000 to £20,000 in the UK.
How much does internal vs external penetration testing cost in the UK?
External penetration testing: £3,000 to £8,000 for a standard engagement covering two to five days of testing. Scope covers your internet-facing IP ranges, web applications, and remote access services.
Internal penetration testing: £5,000 to £15,000 for a standard engagement covering three to ten days. Scope includes Active Directory assessment, network segmentation testing, and lateral movement analysis. Internal tests cost more because the scope is broader (more hosts and systems to test) and the AD attack chain requires deeper manual effort.
Combined internal and external: £8,000 to £20,000. Booking both together typically saves 10-20% compared to separate engagements.
CREST-accredited testers in the UK typically charge £1,000 to £1,500 per tester per day. Tests priced significantly below £500 per day are likely automated vulnerability scans rather than manual penetration tests.
For context, the global average cost of a data breach reached $4.88 million in 2024 (IBM). The UK Government Cyber Security Breaches Survey 2024 found that only 11% of UK businesses conducted a penetration test in the previous 12 months.
What compliance frameworks require internal and external penetration testing?
PCI DSS 4.0 is the most prescriptive. Requirement 11.4.1 mandates external penetration testing. Requirement 11.4.2 mandates internal penetration testing of the CDE. Both must be performed annually and after significant changes. The internal test must be conducted from within the CDE network segment, not from outside it. PCI DSS is the most common compliance driver for penetration testing, cited by 43% of respondents in the Core Security 2024 Penetration Testing Report.
ISO 27001:2022 Control A.8.8 requires organisations to manage technical vulnerabilities and take appropriate action. While ISO does not mandate specific testing types, annual penetration testing covering both internal and external attack surfaces is standard practice for certification.
DORA (Digital Operational Resilience Act), Article 26 requires threat-led penetration testing (TLPT) for financial entities, covering both internal and external attack surfaces. UK financial services firms preparing for DORA should plan for testing that goes beyond standard annual engagements.
NIS2 / UK Cyber Security and Resilience Bill will require operators of essential services to demonstrate ongoing security testing. Specific technical requirements are expected in secondary legislation. Read our guide to the Cyber Security and Resilience Bill for details.
Cyber Essentials Plus requires external vulnerability scanning and internal device testing as part of the independent assessment. For a comparison of certification levels, see our guide to Cyber Essentials vs Cyber Essentials Plus.
Frequently Asked Questions
What is the purpose of internal penetration testing? Internal penetration testing simulates what an attacker could do after gaining access to your internal network. The tester checks for Active Directory weaknesses, privilege escalation paths, lateral movement opportunities, and network segmentation failures. The goal is to determine how far an attacker could get and what data they could access from inside your organisation.
Can an internal penetration test be done remotely? Yes. Most internal penetration tests are conducted remotely. The testing firm ships a pre-configured device (sometimes called a "drop box") to your office, which connects to your internal network. The tester then accesses the device securely over VPN. On-site testing is sometimes preferred for wireless assessments or physical security testing but is not required for standard internal network tests.
How often should you run internal and external penetration tests? At minimum, annually and after any significant infrastructure change such as a new network segment, major application deployment, or cloud migration. PCI DSS requires annual testing. Organisations with higher risk profiles or regulatory obligations should consider testing more frequently. Approach Cyber's 2025 Pentest Report found that recurring clients who undergo regular testing see 70% fewer critical issues than first-time clients.
Is an internal penetration test the same as a vulnerability scan? No. A vulnerability scan is an automated tool that identifies known vulnerabilities (CVEs) across your network. An internal penetration test goes further: a qualified tester manually exploits vulnerabilities, chains findings together, and demonstrates real-world impact, such as compromising your domain controller or accessing sensitive data. For a full breakdown, see our guide to vulnerability assessment vs penetration testing.
Do you need both internal and external testing for PCI DSS compliance? Yes. PCI DSS 4.0 Requirement 11.4.1 mandates external penetration testing and Requirement 11.4.2 mandates internal penetration testing of the cardholder data environment. Both must be performed annually and after significant changes to the CDE. The internal test must be conducted from within the network segment that processes card data.