Precursor Security
CREST-Accredited External Penetration Testing

External Network Penetration Testing

We test your firewalls, VPN gateways, mail servers, DNS infrastructure, and cloud perimeter for vulnerabilities that an unauthenticated attacker could exploit to reach your internal systems. CREST-accredited testing: no automated-scan padding, no bloated reports.

CREST-accredited external penetration testing
From £2,500 | Fixed-price quotes
Manual exploitation, zero automated-scan padding
Satisfies PCI DSS 11.3, ISO 27001:2022 A.8.8, Cyber Essentials Plus
Free rescoping for infrastructure changes within 30 days
Methodology

Perimeter Testing.
Beyond the Firewall.

Automated vulnerability scanners flag known CVEs. Our CREST-certified consultants follow PTES phases and CREST CRT technical guidelines to find what scanners miss: misconfigured cloud perimeters, forgotten subdomains, and authentication bypasses that represent real breach risk.

Reconnaissance

Attack Surface Discovery

We enumerate your entire external attack surface using certificate transparency logs, ASN lookups, passive DNS analysis, and OSINT techniques, finding forgotten subdomains, shadow IT, and exposed development portals that your team did not know were public-facing.

Authentication

Identity & Access Testing

We enumerate authentication endpoints and test against real-world attack techniques: credential stuffing using leaked databases, password spraying respecting lockout thresholds, and MFA bypass via token replay, session fixation, and push-notification fatigue.

Cloud Perimeter

Cloud Estate Enumeration

We enumerate your cloud estate via OSINT, test exposed management APIs, and assess IAM misconfiguration that could allow unauthenticated access: open S3 buckets, misconfigured security groups, and exposed management interfaces across AWS, Azure, and GCP.

Exploitation

Network Service Exploitation

Active exploitation of exposed services: SSL VPN default credentials, unpatched Exchange servers (ProxyShell, ProxyNotShell), exposed RDP with weak passwords, misconfigured SMTP relays, and DNS zone transfer leaks. We chain low-severity issues into high-impact attack paths that scanners cannot construct.

Validation

Zero False Positives

Every finding is manually confirmed exploitable in your environment. We contextualise CVSS scores to your specific architecture: a critical CVE on a low-business-impact asset is reported accordingly. Automated scans return 200+ findings; our reports highlight findings that actually matter.

Deliverables

Actionable Intelligence

Findings are prioritised by real-world business risk, not just CVSS score. Every vulnerability includes a documented attack path, business impact statement, and prioritised remediation guidance. Reports include an executive summary for board or audit committee submission.

Executive Summary

Perimeter Risk Profile

Your external network is the front line. 60% of successful breaches exploit known, unpatched vulnerabilities in internet-facing services.

Critical Speed
2 Days

Time to Breach

Average time for an attacker to breach an unmonitored perimeter (Mandiant).

Patch Gap
60%

Unpatched Assets

Of successful external breaches involve known, unpatched vulnerabilities (CVEs).

Verified Scope
6+

Compliance Frameworks

Testing satisfies PCI DSS, ISO 27001, CE Plus, NHS DSPT, NCSC CAF, and UK cyber insurance requirements.

Mapped
Controls
PCI DSS: Req 11.3
ISO 27001: Annex A.8.8
CE Plus: Web Controls
NCSC CAF: Objective B.4
Real Findings

What We Find That Scanners Cannot.

Anonymised examples from recent external network penetration testing engagements. These are the findings that automated vulnerability scanners flag as informational, or miss entirely.

Critical
Professional Services

SSL VPN Default Administrator Credentials

The organisation's Fortinet SSL VPN appliance was accessible on the public internet with default admin credentials (admin:admin). An attacker could authenticate to the management interface, modify firewall rules, and establish a persistent VPN tunnel directly into the internal network.

CVSS 9.8 | T1133 External Remote Services
Business Impact: Full internal network access from the internet, bypassing all perimeter controls.
Critical
Financial Services

Exposed RDP via Misconfigured Cloud Security Group

An Azure Network Security Group allowed inbound RDP (port 3389) from 0.0.0.0/0 on a domain-joined server. The server accepted NLA authentication with a weak local administrator password discoverable via credential spraying.

CVSS 9.1 | T1021.001 Remote Desktop Protocol
Business Impact: Direct access to domain-joined server; lateral movement to Active Directory.
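The NSG finding above is the kind of exposure a defender can check for before a tester does. The following Python script is an added example (not Precursor's tooling) that audits Azure NSG rules, as exported by `az network nsg rule list -o json`, for management ports reachable from the whole internet. It models Azure's evaluation order (lowest priority number first, first match wins), so a Deny rule that shadows a later Allow is not reported. The sample rule set is constructed for the example; the rule names and addresses in it are not from any real engagement.

```python
"""Audit Azure NSG inbound rules for management ports open to the internet (added example)."""
import json
from typing import Dict, List, Tuple

# Constructed sample resembling `az network nsg rule list -o json` output. Not real customer data.
SAMPLE_NSG_RULES_JSON = """
[
  {"name": "DenySSHFromInternet", "priority": 90, "direction": "Inbound", "access": "Deny",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
  {"name": "AllowRDPAnywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
  {"name": "AllowSSHAnywhere", "priority": 150, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
  {"name": "AllowMgmtRange", "priority": 200, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefixes": ["Internet"], "destinationPortRanges": ["5900-6000", "443"]},
  {"name": "AllowHTTPSFromOffice", "priority": 210, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"},
  {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]
"""

# Ports that should never be reachable from arbitrary internet addresses.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/HTTPS"}
# Source prefixes that match any internet client (Azure's "Internet" service tag included).
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}


def load_rules(nsg_json: str) -> List[dict]:
    return json.loads(nsg_json)


def _source_prefixes(rule: dict) -> List[str]:
    # Azure emits either the singular or the plural field, occasionally both.
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return prefixes


def _port_ranges(rule: dict) -> List[Tuple[int, int]]:
    """Normalise '*', '3389' and '5900-6000' forms into inclusive (low, high) tuples."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _matches_internet_client(rule: dict, port: int) -> bool:
    """True if a TCP packet from an arbitrary internet address to `port` matches this rule."""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    if not any(p.lower() in ANY_SOURCE for p in _source_prefixes(rule)):
        return False  # a specific prefix does not match an arbitrary internet client
    return any(low <= port <= high for low, high in _port_ranges(rule))


def find_exposed_management_ports(rules: List[dict]) -> Dict[int, str]:
    """Map each internet-exposed management port to the rule that allows it.

    Azure evaluates rules from the lowest priority number upward and stops at the
    first match, so a Deny with a lower number shadows any later Allow.
    """
    exposed: Dict[int, str] = {}
    ordered = sorted(rules, key=lambda r: r["priority"])
    for port in MANAGEMENT_PORTS:
        for rule in ordered:
            if _matches_internet_client(rule, port):
                if rule.get("access") == "Allow":
                    exposed[port] = rule["name"]
                break  # first match decides, whether Allow or Deny
    return exposed


def audit_nsg_json(nsg_json: str) -> List[str]:
    """Human-readable findings for one NSG export."""
    exposed = find_exposed_management_ports(load_rules(nsg_json))
    return [f"{MANAGEMENT_PORTS[port]} ({port}) open to the internet via rule '{name}'"
            for port, name in sorted(exposed.items())]


if __name__ == "__main__":
    for finding in audit_nsg_json(SAMPLE_NSG_RULES_JSON):
        print(finding)
```

On the constructed sample this reports RDP via `AllowRDPAnywhere` and both WinRM ports via the `5900-6000` range in `AllowMgmtRange`, while SSH is not reported because `DenySSHFromInternet` at priority 90 shadows `AllowSSHAnywhere` at 150. The remediation for a real hit is the one the finding implies: restrict the source prefix to a management network or move RDP behind Azure Bastion or a VPN, then re-run the audit.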
High
Retail / E-commerce

Subdomain Takeover via Dangling DNS CNAME

A DNS CNAME record (staging.example.com) pointed to a deprovisioned Azure App Service. An attacker could claim the orphaned hostname, serve arbitrary content on the organisation's subdomain, and harvest credentials via a convincing phishing page.

CVSS 7.5 | T1584.001 Domains
Business Impact: Credential harvesting under trusted brand domain; session cookie theft.
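Dangling CNAMEs like the one above are straightforward to detect from your own zone data: a CNAME whose target no longer resolves is a candidate for removal. The following Python script is an added example (not Precursor's tooling) that parses CNAME records from zone-file style lines and flags any whose target returns NXDOMAIN. The zone fragment and the resolver table are constructed so the example runs offline; `lookup_system` is the stdlib-backed resolver you would pass in for a real run.

```python
"""Flag CNAME records whose target no longer exists, the dangling-DNS pattern (added example)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone fragment in BIND style. Hostnames and targets are illustrative only.
SAMPLE_ZONE = """
; constructed sample zone for example.com
www       300  IN  CNAME  example-prod.azurewebsites.net.
staging   300  IN  CNAME  example-staging-old.azurewebsites.net.
docs      300  IN  CNAME  example-docs.github.io.
api       300  IN  A      203.0.113.10
mail      300  IN  MX     10 mail.example.com.
"""

# Constructed stand-in for DNS: name -> A records, or absent to simulate NXDOMAIN.
FAKE_RESOLVER_TABLE: Dict[str, List[str]] = {
    "example-prod.azurewebsites.net": ["203.0.113.20"],
    "example-docs.github.io": ["203.0.113.30"],
}

Resolver = Callable[[str], Optional[List[str]]]


def lookup_constructed(name: str) -> Optional[List[str]]:
    """Offline resolver used by the example; None means NXDOMAIN."""
    return FAKE_RESOLVER_TABLE.get(name.rstrip(".").lower())


def lookup_system(name: str) -> Optional[List[str]]:
    """Real resolver using the OS stub resolver (IPv4 only); None on NXDOMAIN/lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def parse_cnames(zone_text: str, origin: str) -> List[Tuple[str, str]]:
    """Return (owner FQDN, target FQDN) for each CNAME line.

    Tolerates an optional TTL and class, strips ';' comments, and skips other record types.
    Relative owners are qualified with `origin`; '@' means the origin itself.
    """
    origin = origin.rstrip(".").lower()
    cnames: List[Tuple[str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if "CNAME" not in fields[1:]:
            continue
        owner = fields[0].lower()
        target = fields[fields.index("CNAME") + 1].rstrip(".").lower()
        if owner == "@":
            owner = origin
        elif owner.endswith("."):
            owner = owner.rstrip(".")
        else:
            owner = f"{owner}.{origin}"
        cnames.append((owner, target))
    return cnames


def find_dangling_cnames(zone_text: str, origin: str,
                         resolve: Resolver = lookup_constructed) -> List[Dict[str, str]]:
    """CNAMEs whose target does not resolve; each entry names the record to remove or reclaim."""
    return [{"name": owner, "target": target}
            for owner, target in parse_cnames(zone_text, origin)
            if resolve(target) is None]


if __name__ == "__main__":
    for record in find_dangling_cnames(SAMPLE_ZONE, "example.com"):
        print(f"dangling: {record['name']} -> {record['target']}")
```

On the sample this flags only `staging.example.com`. An NXDOMAIN check is necessary but not sufficient: some hosting providers answer for every hostname under their wildcard and serve a "resource not found" page instead, so for those targets the check should also fetch the host and look for the provider's not-found response. Either way the fix is the same: delete the CNAME when the resource is gone, or re-provision the resource under the same name before anyone else can.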
Critical
Healthcare

Unpatched Exchange Server (ProxyShell Chain)

An on-premise Microsoft Exchange Server exposed to the internet was missing patches for CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The full ProxyShell chain was exploitable, allowing unauthenticated remote code execution as SYSTEM.

CVSS 9.8 | T1190 Exploit Public-Facing Application
Business Impact: Full server compromise; access to all organisational email and Active Directory.
Common Triggers

When Do Organisations Commission This Test?

External penetration testing is typically triggered by one of these six scenarios. If any apply, you are in the right place.

Annual Compliance Mandate

Your PCI DSS QSA or ISO 27001 auditor requires annual external penetration testing evidence.

Infrastructure Change

You have migrated to a new cloud provider, deployed a new VPN endpoint, changed firewall rules, or exposed new services to the internet since your last test.

Cyber Insurance Renewal

Your cyber insurance underwriter requires evidence of annual external penetration testing by a CREST-accredited provider for policy renewal or claims eligibility.

M&A Due Diligence

You are acquiring or merging with another organisation and need to assess the external attack surface of the target before integration.

Post-Breach Validation

A recent security incident or near-miss has prompted a post-event external security assessment to validate your perimeter hardening.

First External Test

Your organisation has never commissioned an independent external penetration test and you want to baseline your perimeter security posture.

Engagement Pipeline

Engagement Workflow

Structured to minimise operational friction and maximise the value of the testing window.

Step 01

Reconnaissance (OSINT)

Passive intelligence gathering: finding targets, employee emails, leaked credentials, and technical details without touching your servers. Sources include Shodan, Censys, certificate transparency logs, and leaked credential repositories.

Output: Attack Surface Map
Step 02

Discovery & Scanning

Active scanning to find open ports, running services, and known CVEs. Service fingerprinting, SSL/TLS analysis, and DNS zone transfer attempts before any exploitation.

Output: Vulnerability Register
Step 03

Manual Exploitation

Active exploitation of confirmed weaknesses, bypassing authentication controls, chaining low-severity issues to achieve meaningful access, and testing firewall rulesets for bypass conditions.

Output: Exploitation Evidence
Step 04

Reporting & Debrief

Full technical report and executive summary with attack paths, business impact, and prioritised remediation. Remediation retesting included within the agreed window.

Output: Compliance-Ready Report
Deliverables

What You Get

Every external network penetration test includes the following deliverables, formatted for both technical teams and non-technical stakeholders.

Executive Summary (suitable for board, audit committee, and direct auditor submission)
Technical Report with CVSS v3.1 scored findings, screenshot evidence, and reproduction steps
Network topology and attack path diagrams for every exploited chain
Remediation Prioritisation Guide with specific configuration fixes and patch references
CREST-certified findings certificate and Letter of Attestation (on request)
Remediation debrief call with your infrastructure and security teams
Free retest of remediated critical and high-severity findings within the test window

Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats.

Scope Clarity

External vs Internal Testing

Not sure whether you need external, internal, or both? Here is the distinction.

External Testing

What external testing covers

Simulates an attacker on the open internet. Tests only what is publicly visible: firewalls, VPN gateways, web applications, mail servers, and cloud management interfaces. No prior access assumed.

Internal Testing

What internal testing covers

Simulates an attacker with a foothold inside your network. Tests lateral movement, Active Directory security, and privilege escalation from inside the firewall.

View internal network penetration testing

Most organisations commission both. External testing covers your internet-facing perimeter. Internal testing covers your inside-the-firewall environment. A CREST-accredited provider will scope the correct combination based on your compliance requirements and threat model.

Fixed-Price Engagements

External Pen Test Pricing

All pricing includes a scoping call, manual testing, written report, executive summary, and one round of remediation retesting.

Small Perimeter

£2,500-£6,000

1-20 external IPs. 2-4 day engagement.

Mid-Size Perimeter

£6,000-£8,000

20-50 IPs. Complex perimeter, cloud included.

Enterprise Scope

£8,000+

50+ IPs. Enterprise scope. Fixed-price quoted.

Every engagement includes

  • Pre-engagement scoping call (no charge)
  • Passive OSINT reconnaissance
  • Active perimeter scanning and manual exploitation
  • Manual verification of all findings (zero automated-scan padding)
  • Full technical report with CVSS-contextualised findings
  • Executive summary suitable for board or audit committee
  • Remediation guidance for every finding
  • Free remediation retesting within the assessment window
Auditor Ready

Mapped directly to your regulatory controls.

Our CREST-certified report includes a compliance mapping matrix that cross-references our exact technical findings to the specific framework clauses your auditor requires.

PCI DSS 11.3

Annual requirement

External security test (annual and post-significant-change requirement)

ISO 27001:2022

Annex A 8.8

Management of technical vulnerabilities

Cyber Essentials Plus

Web Controls

External vulnerability testing requirement

NHS DSPT

Standard 9.2.2

Penetration testing controls for NHS supply chain organisations

NCSC CAF

Objective B.4

Cyber Assessment Framework security testing

UK Cyber Insurance

Underwriter requirement

Annual external testing evidence for policy renewal and claims eligibility

CREST

Globally Accredited Consultants

All testing is conducted by CREST-certified professionals.

Verify Accreditation
After Testing

Close the Loop.
After the Test.

Your external penetration test identifies what is exploitable today. We feed those exact findings into our 24/7 Managed SOC and EdgeProtect attack surface management, building custom detection rules for your perimeter and continuously monitoring your external infrastructure between annual tests.

Explore Defensive Services
Service Catalogue

Full Penetration Testing Catalogue

Comprehensive penetration testing services tailored to your environment.

Ready to Secure

The best time to test your defences is now.

Join the high-growth companies relying on Precursor for continuous offensive and defensive security.

CREST Triple Accredited | Fixed Price Quotes | Free Scoping Call | UK Based Team

Frequently Asked Questions

Common questions about this service, methodologies, and deliverables.

External network penetration testing typically costs between £3,500 and £10,000 depending on the number of external IP addresses, complexity of your perimeter, and scope of testing. A standard external test for 1-20 IP addresses averages £6,000 for 3-5 days of testing. Larger organisations with 50+ IP addresses and complex cloud infrastructure typically cost £8,000-£10,000. We provide fixed-price quotes after reviewing your IP ranges and infrastructure architecture.

External penetration testing simulates an attacker on the open internet attempting to breach your organisation. It targets your public-facing assets (firewalls, VPN gateways, mail servers, web applications, and cloud management interfaces) to find exploitable weaknesses before real attackers do. Unlike automated vulnerability scanning, external penetration testing involves manual exploitation, attack chain construction, and OSINT-led discovery to demonstrate real-world business impact.

External penetration testing simulates an attacker with no prior access to your network, testing only what is publicly visible from the internet: your firewalls, VPN gateways, web applications, and cloud management interfaces. Internal penetration testing simulates an attacker who has already gained a foothold inside your network, testing lateral movement, Active Directory security, and privilege escalation. Most organisations that require comprehensive assurance conduct both. A CREST-accredited provider will scope the correct combination based on your compliance requirements and threat model.

External penetration testing covers all internet-facing assets within the agreed scope: firewall and router interfaces, VPN gateways (including SSL VPN), web applications and APIs, mail servers (SMTP, OWA, Exchange Online), DNS infrastructure (including zone transfer testing), remote access portals, cloud management consoles and exposed storage (AWS S3, Azure Blob), and any other services accessible from the public internet. Scope is defined during the pre-engagement scoping call and documented in the test authorisation letter.

We recommend annual testing at minimum, or after any material infrastructure change: cloud migrations, new VPN endpoints, firewall rule changes, or new application deployments. PCI DSS 11.3 mandates annual external penetration testing (and after significant changes). ISO 27001:2022 Annex A 8.8 requires a managed programme of technical vulnerability testing. Cyber Essentials Plus requires an external vulnerability assessment as part of recertification.

No. A vulnerability scan is an automated check for known patches. A penetration test is a manual, human-led simulation that attempts to actually exploit those vulnerabilities, chain them together, and find logic flaws that scanners miss. Vulnerability scanners might identify 100 potential issues, but a penetration test confirms which ones are actually exploitable and demonstrates real-world attack paths that matter to your business.

Our external network penetration testers hold industry-recognised certifications including CREST CRT (CREST Registered Tester), CREST CCT (CREST Certified Tester), and Offensive Security OSCP. All engagements are conducted by certified testers; automated tooling is used only as a discovery accelerator, never as the primary testing mechanism. Precursor Security is a CREST Member Company. Our accreditation can be verified at crest-approved.org.

External testing is designed to be non-disruptive and safe for production environments. We coordinate testing windows with your team and avoid destructive attacks like volumetric DDoS. However, in rare cases, exploitation attempts may trigger security alerts or cause temporary service degradation (similar to real attacker activity). We maintain abort codes and immediately cease testing if any critical systems are at risk.

Generally, no. We test for vulnerabilities that could lead to DoS (like weak application logic), but we do not perform volumetric DDoS attacks as they can disrupt your actual business operations.

For a Black Box test, we might only need your main domain name. For Grey Box or White Box tests, you might provide a list of IP addresses and CIDR ranges to ensure we target all your authorised assets.