How to Prepare for an External Penetration Test: A Straight-Forward Guide for Business Leaders
Published: Jun 24, 2025
Anytime you're scrolling through cybersecurity news, you’re likely to come across another headline about a data breach featuring quotes from the latest targeted company explaining why their customers’ personal information is now floating around the dark web. And then that familiar knot in your stomach creeps in asking the same question: "Could this happen to us?"
If you're a business owner, IT manager, or in any way responsible for your company's cybersecurity, you've probably been wrestling with this fear for months, if not years. Maybe you've heard colleagues mention penetration testing, your insurance company has dropped hints about security assessments, or perhaps your board is asking pointed questions about cybersecurity preparedness that you're not quite ready to answer.
At Schellman, we speak with business leaders like you every day who know they need some kind of security testing but aren't sure where to start. They've heard about external penetration testing and want to jump right in, but here's what most people don't realize: the companies that get the most value from their first external penetration test are the ones who prepare properly beforehand.
Proper preparation maximizes your investment in penetration testing. By the end of this article, you'll understand exactly what an external penetration test involves, why preparation matters so much, and the specific steps you should take before scheduling your first assessment. This way, you’ll walk away with the practical guidance you need to make smart decisions about your cybersecurity strategy.
What Is an External Penetration Test?
An external penetration test simulates a real attack on your internet-facing systems. Automated vulnerability scans identify obvious problems like missing patches or default passwords, whereas external penetration testing involves security experts manually testing your systems, attempting creative approaches that automated tools would miss entirely. We position ourselves outside your network just like an actual attacker would and attempt to breach your defenses using the same tools and techniques that hackers use. We look for ways to gain unauthorized access to your systems, reach sensitive data, or disrupt your operations.
The difference is that we're working for you. When we find vulnerabilities, we document them carefully and show you exactly how to fix them. We stop short of actively impacting system availability: no denial-of-service (DoS) testing is included in scope. If we discover an issue that could potentially cause a system to go down, we document it and let you know rather than test further to verify that type of vulnerability.
While it's uncommon for services or systems to experience disruption during an external network penetration test, there's always a small chance that a system could respond negatively to our testing activities. We can provide off-hours testing if needed, but 99% of our assessments occur during business hours with no disruption to system availability.
Why Is an External Penetration Test Worth Your Time and Money?
You might have invested in firewalls, antivirus or the latest endpoint detection and response software, and solid employee training—which are all great measures. But attackers don't care about your good intentions and cybercriminals constantly evolve their tactics. They're searching for that one configuration mistake, single unpatched system, or overlooked vulnerability that provides access to your environment.
An external penetration test gives you a hacker's perspective on your defenses. Instead of wondering whether your security measures actually work, you’ll watch them be tested by professionals who think like attackers do. External penetration tests deliver technical findings and, just as valuable, genuine peace of mind.
Many of our clients tell us they finally sleep better after seeing their defenses tested by professionals because they gain the confidence to tell customers, partners, and stakeholders that they have proactively validated their security measures. Good security leads to good business. Plus, practically speaking, many insurance policies, compliance requirements, and customer contracts now require regular security testing. An external penetration test often satisfies multiple requirements at once.
The Three-Step Preparation Process That Actually Works
Now that you better understand what external pen tests are and why they are important, let’s dive into strategies to prepare. Based on hundreds of external penetration tests, we've identified three preparation steps that separate companies who get tremendous value from those who don't:
Step 1: Know What You Actually Own (Asset Management)
This step sounds obvious until you really think about it: how many internet-facing systems does your company actually have? If you're like most business leaders, your first instinct is to count the big stuff: your main website, email server, maybe a customer portal. However, what we typically find when we dig deeper is that most companies have 2 to 3 times more exposed systems than they realize.
Common examples include forgotten development servers that were never shut down, legacy applications someone set up years ago for a project, or a subdomain that marketing created for a campaign you barely remember. Every single one of these represents a potential entry point for attackers.
Here's a simple exercise: grab whoever manages your IT and spend 30 minutes listing every system, website, and service your company exposes to the internet. Include everything, even if it seems insignificant. Then log in to your cloud provider (e.g., AWS, Azure, Google Cloud, etc.) and review all security groups or firewall rules that allow access from 0.0.0.0/0 to see all your internet-facing cloud resources. I guarantee you'll be surprised by the findings.
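The cloud part of that exercise can be scripted rather than clicked through. The following is an added example, not code from Schellman or from the original article: it reads a JSON document shaped like the output of `aws ec2 describe-security-groups` (the sample below is constructed for this example) and lists every ingress rule whose source range covers the entire internet, in IPv4 (0.0.0.0/0) or IPv6 (::/0). It generalizes the article's check slightly by treating any zero-length prefix as "world-open" and by handling the all-protocols rule (`IpProtocol` of `-1`), which carries no port fields.

```python
import ipaddress
import json

# Constructed sample, shaped like `aws ec2 describe-security-groups --output json`.
# Group ids and names are made up for this example.
SAMPLE_SECURITY_GROUPS = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0aaa111",
      "GroupName": "web-prod",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-0bbb222",
      "GroupName": "forgotten-dev-box",
      "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-0ccc333",
      "GroupName": "db-internal",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.1.0.0/16"}], "Ipv6Ranges": []}
      ]
    }
  ]
}
""")


def is_world_open(cidr):
    """True when a CIDR covers the whole address space, e.g. 0.0.0.0/0 or ::/0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed range: not counted as open, but not silently dropped either


def describe_ports(perm):
    """Human-readable port range; AWS omits the port fields for the all-traffic rule."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def find_internet_exposed_rules(sg_payload):
    """Return one finding per (group, rule, world-open source range)."""
    findings = []
    for group in sg_payload.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr and is_world_open(cidr):
                    findings.append({
                        "group_id": group["GroupId"],
                        "group_name": group.get("GroupName", ""),
                        "protocol": perm.get("IpProtocol"),
                        "ports": describe_ports(perm),
                        "cidr": cidr,
                    })
    return findings


def inventory_rows(findings):
    """Tab-separated lines that can be pasted straight into the asset spreadsheet."""
    return [
        f"{f['group_id']}\t{f['group_name']}\t{f['protocol']}\t{f['ports']}\t{f['cidr']}"
        for f in findings
    ]


if __name__ == "__main__":
    for row in inventory_rows(find_internet_exposed_rules(SAMPLE_SECURITY_GROUPS)):
        print(row)
```

Against a real account, replace the constructed sample with the file produced by `aws ec2 describe-security-groups --output json` (run per region, since security groups are regional). A world-open rule is not automatically a problem; port 443 on a public web server is expected, but an all-traffic rule on something named like a development box is exactly the forgotten system the article describes, and every row the script prints belongs on the scope list you hand to your tester. Azure network security groups and Google Cloud firewall rules expose the same information in different JSON shapes, so the parsing would need adjusting for those providers.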
This matters greatly for penetration testing because we can only test what is in scope. If you don't know about a forgotten server, we can't include it in our assessment, and if that server becomes your weakest link, all the testing in the world won't help. Your scope should include everything you expose to the internet that you directly control. This means applications running in your environment and network infrastructure you actively manage. Third-party services like Okta, Workday, Salesforce or other SaaS integrations aren't included since you don't control those systems directly.
Scope determines pricing, and larger attack surfaces generally provide more value from external penetration testing. If you only have a single web server with ports 80 and 443 exposed, your attack surface is quite limited, and you might actually gain more value from a web application penetration test at that point. But if you have multiple internet-facing systems under your control, external network testing becomes much more valuable. It’s also one of the easiest pen tests to execute first, with an authenticated web application pen test a close second.
The good news is if you're feeling overwhelmed by this step, it's exactly the kind of reconnaissance work we can help with. We use both automated tools and manual techniques to discover systems associated with your organization. Sometimes that discovery process alone provides huge value to our clients, but it is not perfect. The best path forward is to know your asset inventory prior to the engagement.
Step 2: Handle the Easy Stuff First (Vulnerability Scanning)
I'm going to level with you: fix the obvious problems before you pay for expert testing. Vulnerability scanners automatically identify common, well-known vulnerabilities like missing security patches, default passwords, or commonly misconfigured services. These tools excel at catching the "low hanging fruit" that attackers love to exploit, though they are limited to the plugins/signatures for issues they know to search for.
Why pay thousands for an expert-level pen test to find issues that a cheaper scan could identify? Handling these issues first lets the penetration test focus on sophisticated vulnerabilities that require human creativity and expertise to discover. Many of our clients prefer to have us handle vulnerability scanning as well, which you should ensure happens before your penetration test.
Step 3: Now You're Ready for the Real Test
With your asset inventory complete and the obvious vulnerabilities addressed, you're finally ready to get maximum value from an external penetration test. What makes this type of assessment so valuable is that we use the same tools and techniques that real attackers use, but as a collaborative partner. You'll know our source IP addresses, when testing begins and ends, and your security teams should definitely be aware that testing is happening. This prevents them from wasting time on incident response procedures when they see our legitimate testing activity.
During the assessment, we manually test every system in scope, creatively exploiting the unique combination of technologies and configurations in your environment, not just running automated tools, though we use those too. For example, maybe your web application has solid authentication, but we discover a way to combine a minor information disclosure bug with a social engineering technique to gain administrative access. Or perhaps your email server is perfectly configured, but there's an obscure interaction between your DNS settings and your backup systems that creates an attack path.
These vulnerabilities only show up during manual testing. Automated tools miss them completely, but these represent the exact creative attack paths that sophisticated hackers excel at finding. When we finish, you'll receive a detailed report that includes verified vulnerabilities, exploitation methods, risk assessments, and step-by-step remediation guidance. Every finding gets verified, so no false positives waste your team's time.
What to Expect: Setting Realistic Goals
If this is your first external penetration test and you've never done vulnerability scanning or security assessments before, you should expect some eye-opening findings. The first assessment typically uncovers more issues than subsequent tests. This isn't a failure; it's exactly why you're being proactive about security. The number of findings depends heavily on your attack surface. If you only have two internet-facing systems, the chance of high-risk discoveries is limited simply because there's less to exploit. But configuration mistakes can happen anywhere, and even small environments can have serious vulnerabilities.
Remember, security isn't a one-time fix. Configuration changes, new deployments, and system updates can accidentally expose new attack vectors. That management interface you thought was private? A configuration change might have made it accessible from the internet with default credentials. This is why successful companies treat security testing as an ongoing partnership, not a one-time event. We include retesting at no additional cost. You have 30 days to address the findings you want to fix, then we'll retest those issues and provide an updated report with a customer-facing attestation letter.
Timeline and Planning: Start Early
You should begin the engagement process at least four weeks before you need results. While we can sometimes accommodate rush requests, contract negotiations, legal reviews, and getting proper approvals take time. Administrative delays shouldn't derail your security timeline. Most external pen tests take about a week, give or take, to complete, with this timeline depending on how many systems you have exposed to the internet.
How often you should repeat testing depends on your drivers. Compliance requirements will specify their own cadence. For general security hygiene, annual testing works for most organizations, though you should consider additional testing when you add new internet-facing systems or make significant infrastructure changes.
Getting Started with Your External Penetration Test: Practical Next Steps
Every business leader who has successfully implemented security testing started exactly where you are right now: concerned about their company's security but unsure about the next steps. The difference between success and endless worrying is taking action. With proper preparation, your external penetration test will deliver the confidence and concrete guidance you need along with helping meet specific compliance requirements and customer requests. Start with asset management by spending a few hours this week cataloging your internet-facing systems. You don't need enterprise-grade tools; a simple spreadsheet will do. The goal is to know what you own and be ready to provide that list when you engage with a testing provider.
Stop letting cybersecurity anxiety paralyze your decision-making. The threats are real, and the stakes are high, but you don't have to figure this out alone. If you're ready to move forward with an external penetration test but feel overwhelmed by the technical details, that's exactly why companies like Schellman exist. We can guide you through the entire process, from initial asset discovery through final report delivery, and beyond. Contact us today and we’ll get back to you shortly.
About Josh Tomkiel
Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.