866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

What is External Network Penetration Testing? Blog Feature
Josh Tomkiel

By: Josh Tomkiel

Print/Save as PDF

What is External Network Penetration Testing?

Penetration Testing

Published: Jun 23, 2022

Last Updated: Jan 10, 2025

 

Penetration tests (pen tests) are security assessments designed to identify an organization’s vulnerabilities and security holes by mimicking malicious actors who may target the organization. One of the first penetration tests, and the one most individuals think of when they think of a penetration test, is an external penetration test. 

 

More specifically, an external network pen test is designed to discover and exploit vulnerabilities in all your hosts that are accessible via the Internet. As highly experienced penetration testers that offer this service among others, we’re going to provide a full explanation of external network penetration testing, including methodology, timeline and cost, and where you can start ahead of yours.

 

That way, you can be sure that an external network penetration test is the right move for your firm among the other options available.

 

What is an External Network Penetration Test?

When you engage a team to perform an external network penetration test, they’ll act as an attacker on the open Internet and attempt to breach those web-facing assets you have.

Using different techniques like port scans and vulnerability scans, they’ll identify where they can push through security vulnerabilities and misconfigurations in all in-scope hosts so as to gain access to your supporting infrastructure or service.

But that's the extent of it—if the penetration testers do happen to gain access to the internal network, no further action will be taken to pivot deeper.

 

External Network Penetration Testing FAQ

What’s the Difference Between Vulnerability Scanning and an External Network Penetration Test?

While external network penetration testing does tend to include vulnerability scanning during the actual assessment in order to discover any security weaknesses that can be targeted, the primary difference between the two is that the penetration test will attempt to exploit the vulnerabilities identified.

 

What’s the Difference Between an Internal Network Penetration Test and an External Network Penetration Test?

An external network penetration tester acts as an attacker coming from an outside network and is typically done remotely, while an internal network penetration test begins from within the organization’s network.

How Long Does External Network Penetration Testing Take?

 

 

While there are many intricacies in pen test timing, typically, external network penetration testing is completed within 1 week if less than 1,000 hosts are in scope. As more hosts are added, the timeline is extended.

 

How Much Does External Network Penetration Testing Cost?

Every organization is unique and, therefore, the cost of a penetration test differs from assessment to assessment. That said, the factors that typically affect pricing include:

 

  • Scope and complexity, such as the size of the IP Address space
  • Size of your organization, including the number of live hosts
  • The experience of your external network penetration team
  • Type of test being performed, (Black Box, Grey Box, etc.—more on these in a moment)

Where to Start for Your External Network Penetration Test

Knowing all that, it's possible you're interested in understanding where your outward defenses may need shoring up. But where would you start? With your assessment type—there are two different ones that are commonly requested:

 

  • Shared Knowledge (Grey Box) Assessment:
    • You would provide a list of hosts (public IP addresses or domains) and your tester will only test against those approved in-scope hosts.
    • This is Schellman's recommended approach, as it's our opinion that a Grey Box assessment provides better value in time and overall results.
  • Zero Knowledge (Black Box) Assessment:
    • Rather than you providing a list, your tester would perform their own recon to discover all Internet-facing assets. They would then give you a list of their discovered hosts that you would need to approve before the start of any testing.
    • This method takes more time, as you'll still need to verify that the hosts identified belong to your company before active testing can begin. 

Though approved hosts for testing are ultimately up to you, we do not suggest you restrict your scope or exclude hosts from any type of pen test. 

While you may opt to engage in this just for the sake of your cybersecurity, if the pen test is for a greater compliance initiative, a wider scope is better than a narrower one. Limitations could lead to you needing another assessment so that previously excluded hosts can be included.

 

External Penetration Testing Methodology

No matter the assessment you choose, a successful external network penetration test should be mapped out in order to maximize efficiency and comprehensiveness. Though different teams will likely take different approaches, the majority will follow a similar procedure:

 

  • Pre-Engagement: Together with your team, you’ll define the objectives of the external network penetration test and the desired outcome.
  • Defining Scope: You will determine which assets you’d like to be included in the external network pen test.
  • Exploitation: The penetration team will work on identifying security weaknesses.
  • Reporting and Remediation: The pen testers will provide you with documentation of their procedures and findings of the assessment, and you’ll get started remedying any issues identified.
  • Retest: The test will be performed again on all originally identified issues to ensure that the fixes you implemented as a result of the previous external network penetration assessment are secure and working.

 

Additional Matters Concerning Your External Network Penetration Test

As you progress through this process, here are two tips to maximize your experience during an external network pen test:

 

  • Don't keep it a secret.
    • Your pen test team is there to help. Let your internal security team(s) (Security Operations Center (SOC) or Network Operations Center (NOC)) know that an external network pen test will be happening and provide them with the public IP addresses the team will be using so your people know who's poking around.
      • If you work with Schellman, these addresses will be provided via AuditSource®.
    • (For transparency's sake, there are other kinds of pen tests where your personnel are kept in the dark. External network pen testing is just not one of them.)
  • Prepare your Web Application Firewall (WAF) or Intrusion Prevention Device (IPS).
    • If you have technical security controls in place that could block your tester's traffic during testing, you should preemptively allow that traffic to pass these controls.
    • While real-world attackers have unlimited time to identify issues and come up with WAF bypasses, a pen test is limited to a specific timeframe. Help your testers help you by temporarily clearing these obstacles so that they can identify as many issues as possible within the time they have. 

You'll of course have options when choosing a pen test team. But if you're considering Schellman to do your external network pen test, here are some things you should know:

 

  • Schellman does not perform Distributed Denial of Service (DDoS) attacks. When we find vulnerabilities that result in likely Denial of Service (DoS) conditions, we typically just verify them to the best of our ability (without exploiting them).
  • Only manually verified findings will be included in our final report. With us, there will be no false positives. 

Regardless of who you work with, remember—the goal of this kind of engagement is not for your tester to be stealthy or stay undetected. Rather, it's to highlight as many of your issues as possible and provide actionable feedback within the limited timeframe available. 

 

Next Steps for Your External Network Penetration Test

An external network pen test can prove hugely beneficial when assessing your current cybersecurity defenses. Acting as a malicious attacker would be, approaching from the outside, your pen test team can help you uncover security weaknesses and determine where you're vulnerable so that you can plug any discovered gaps.

However, an external network penetration test only finds weaknesses in those external-facing hosts, and you may want to strengthen other areas as well (or instead). Check out our other content on different types of penetration tests that may suit your needs more:

 

If you have more specific questions than these pieces provide, feel free to contact us. Our team would be happy to speak with you regarding all the different kinds of pen test services we provide and answer any questions regarding your environment that you may have (as detailed through our scoping questionnaire that we would provide you to complete).

About Josh Tomkiel

Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.