
CREST-aligned external testing
External Network Penetration Testing
CREST-aligned testers who map your internet-facing attack surface the way a real attacker would — and tell you exactly what they could do with it.
Every internet-facing asset your business relies on is a potential entry point. We test it before attackers find it first.
Our methodology
An attacker's view of your perimeter
Every external test follows the same sequence a real threat actor would use. We don't start with a scan — we start with open-source intelligence gathering to understand what your organisation looks like from the outside.
Findings are manually validated and chained together to produce real attack paths, not a list of CVEs.
OSINT & Reconnaissance
Domain enumeration, certificate transparency logs, employee profiles, and leaked credential searches. We build your attacker profile before testing begins.
Attack Surface Mapping
Every internet-facing asset: web apps, VPN gateways, email portals, cloud storage, and exposed management interfaces.
Vulnerability Identification
Manual testing of every identified asset. Findings are chained together to reveal real attack paths, not just automated scanner output.
Exploitation
Where safe and in-scope, we exploit vulnerabilities to demonstrate actual impact — credential bypass, unauthenticated access, or remote code execution.
Coverage
What we test.
Every internet-facing asset in scope. No cherry-picking. We test what an attacker would find, not what's convenient to test.
- Web applications & portals
- VPN & remote access gateways
- Email infrastructure
- Cloud assets (Azure, AWS, GCP)
- Firewall & perimeter devices
- DNS infrastructure
- Authentication portals
- Publicly exposed APIs
The report
Risk-rated findings with exploitation evidence. Screenshots, request/response pairs, and step-by-step reproduction notes. Every finding is clearly rated by likelihood and impact.
- Executive summary for board and leadership
- Risk-rated vulnerability findings with exploitation evidence
- Complete external attack surface map
- OSINT findings including leaked credentials or exposed data
- Essential Eight and ACSC hardening alignment notes
- Prioritised remediation guidance per finding
The retest
Every remediated finding is retested free of charge within 30 days of the original report. We don't just take your word for it. We verify the fix worked.
- Free retest of all remediated findings within 30 days
- Clear pass/fail against each original vulnerability
- Written confirmation suitable for board reporting
- Updated risk register reflecting remediation status
What you gain
What changes after the test
Four concrete outcomes from every external penetration test, documented and retestable.
Closed attack paths
Known vulnerabilities patched, perimeter hardened, and attack surface documented.
Board-ready reporting
Clear risk ratings and an executive summary your leadership team can act on.
ACSC alignment
Findings mapped to Essential Eight controls for practical remediation sequencing.
Faster remediation
Priority-ordered findings mean your team works on what matters first.
Common questions
External pen test questions answered.
Unsure about scope, timing, or what the engagement involves? Contact us and we'll walk you through the process before committing to anything.
What is external penetration testing?
External penetration testing assesses your internet-facing systems from an attacker's perspective. Our testers use the same techniques as real threat actors — OSINT, vulnerability chaining, and targeted exploitation — to find and demonstrate genuine attack paths before they're used against you.
How is this different from a vulnerability scan?
Automated scanners produce a list of potential vulnerabilities. External penetration testing goes further: our testers manually chain findings together to build real attack scenarios, demonstrate exploitability, and rule out false positives. The result is a report your team can act on, not a spreadsheet of alerts.
How long does an external test take?
Most external penetration tests complete within five to ten business days, depending on the size of your attack surface. We agree on scope and timeline before work begins, with a written quote provided within the week.
Do we need to tell our staff or IT team?
We work directly with your IT team or managed service provider throughout the engagement. Depending on scope, we may agree to notify certain staff or test without prior notice to simulate a more realistic attack scenario.
What is included in the deliverable?
A written report covering your external attack surface map, risk-rated vulnerability findings, OSINT results, exploitation evidence, remediation guidance, Essential Eight alignment notes, and an executive summary. All remediated findings are eligible for a free 30-day retest.
See what the internet can see.
Clear scope, transparent pricing, and findings your team can act on. A written quote within one week of the initial conversation.