The first step an organization should consider when building cyber resilience should be an assessment of externally accessible infrastructure. This will often be the first element a potential attacker will enumerate in order to find exploitable weaknesses.

A penetration test of external infrastructure is the counterpart to a penetration test of internal infrastructure. Often, these tests are performed in succession of each other, in order to obtain a better picture of the overall security level. It also provides the penetration tester with a better understanding of an organization’s infrastructure, which in turn creates a penetration test with more sophisticated attacks.


A penetration test of the external infrastructure provides organizations with an up-to-date overview of the external accessible IT infrastructure, including any vulnerabilities that exist in the setup. The goal of the penetration test is to discover and disclose any publicly known vulnerabilities in the externally accessibly hosts (clients, servers, IoT and/or network devices). This is done by primarily using automated tools that will scan the infrastructure in order to detect any weaknesses.

Organizations will often find that undocumented hosts (also known as shadow IT), will exist in their infrastructure. These hosts are especially prone to cyber security attacks because they are not documented and part of an organizations patch management process.


A penetration test of internal infrastructure might sound like a long and pricy engagement, but this is rarely the case for most medium-sized organizations. Depending on the number of externally accessible hosts, the test usually requires only 2 days of testing.

The deliverable consists of a single commercial-grade report that will contain a non-technical section for the C-suite members of the organization, as well as a technical section that will provide in-dept details regarding the vulnerabilities that were observed. Lastly, all vulnerabilities will be manually scored with a risk-assessment (CVSS or Low/Medium/High/Critical), in order to assist the organization with the priority of remediating each one.