A full, manual assessment of your internet-facing perimeter from the perspective of a remote threat actor with no prior access. We find what real adversaries would find, then prove what they could do with it.
Required by PCI-DSS Requirement 11.4.3, expected by SOC 2 and ISO 27001 auditors, increasingly required by cyber insurance underwriters, and the foundation of any serious external risk program.
An external penetration test simulates the perspective of a remote threat actor sitting in front of your perimeter with no inside access. Every asset that touches the internet, every login portal exposed to the world, every credential that might be reused from a past breach, every misconfigured DNS record, every legacy service nobody remembers running: all of it is in play.
Our work is not a vulnerability scan with manual review tacked on at the end. We perform passive reconnaissance, active enumeration, manual exploit validation, credential attacks, and chained exploitation. When a finding requires three weaknesses combined to produce real impact, we chain them. When a single weakness opens a door, we walk through and document what is on the other side, within the scope you authorized.
The goal is to give you a clear picture of what an actual adversary would do if they targeted your organization tomorrow, prioritized by what would hurt your business most.
Discovery and enumeration of every IP, hostname, and service that resolves to your external footprint. Open ports, exposed protocols, banner and version fingerprinting, and identification of legacy or shadow infrastructure that nobody on your team currently owns.
Web applications, login portals, marketing sites, and partner integration endpoints. We test authentication flows, session management, common web vulnerabilities, and verify that public-facing administrative interfaces are not accessible by mistake.
Password spraying and credential stuffing against Microsoft 365, VPN portals, Citrix, single sign-on, and any other login surface exposed to the world. We use techniques that respect lockout thresholds and avoid disrupting legitimate users while still surfacing realistic credential risk.
Firewalls, VPN gateways, load balancers, and other edge devices. We check for known CVEs, validate that recent critical patches are applied, and look for misconfigurations that allow bypass or unauthorized access.
Sensitive information exposed via search engines, code repositories, document metadata, paste sites, and breach data. Often the easiest path in starts here, before any vulnerability comes into play.
SPF, DKIM, DMARC configuration and the resulting phishing risk to your organization and your customers. Misconfigured email security is a common path for business email compromise and brand spoofing.
An external engagement typically takes one to two calendar weeks of active testing, plus a scoping phase before and a reporting and retest phase after. We work in tight communication with your team throughout. Critical findings are surfaced immediately on discovery, not held until the report.
The engagement follows our standard five-phase methodology: scoping, reconnaissance, exploitation and validation, reporting, and remediation support with retest.
An external penetration test supports the following audit and compliance frameworks:
Typical engagements run one to two weeks of active testing, depending on the size of the attack surface. Scoping happens a week or two before. Reporting and retest extend two to three weeks after testing ends.
No. External penetration testing is designed to be non-disruptive. We coordinate with your team on rules of engagement, avoid destructive techniques, and respect maintenance windows. Critical findings are reported immediately rather than weaponized.
Annually at minimum. After any major infrastructure change. After any merger, acquisition, or significant cloud migration. Quarterly is appropriate for organizations with rapidly changing attack surface or higher-risk profiles.
No. We test the configuration and exposure of your assets running on cloud platforms. Testing the cloud provider's infrastructure itself is something the provider must authorize and is outside the scope of an external engagement. Our Cloud Security Assessment covers your cloud-native posture.
We notify your designated emergency contact within hours, share what we found, and pause before exploiting further so your team can decide how to respond. We do not weaponize critical findings without explicit authorization.
Tell us about your perimeter, your compliance drivers, and your timeline. We will respond within one business day with a scoping call and a clear proposal.