Quality Results, Performance, and Consultants

The primary goal of a network penetration test is to determine if an attacker can gain access to sensitive data or systems through the target network.  This type of test involves evaluating the attack surface for potential vulnerabilities and, where applicable, leveraging those vulnerabilities to gain control of systems or access to data.  Network Penetration Tests are commonly used for internal and regulatory compliance.


External Vs. Internal

First, it can be an external test, internal test, or a combination of both.  An external test is from the perspective of an outsider examining the external network ranges of the target organization.  An internal test is from the perspective of an intruder who has gained some level of access to the internal network.

Network Penetration Test Variations

A normal (vanilla) network penetration test may include external ranges, internal ranges, or both.  External testing is performed as an attacker on the Internet, while the internal often performed from a compromised user perspective. 


In addition to a vanilla network penetration test, below are several common variations that you may need to meet your objectives:


business documents on office table with smart phone and laptop computer and graph financial with social network diagram and three colleagues discussing data in the background

Assumed Compromise

This is the most common form of an internal penetration test and also the most efficient at evaluating the risk to an organization. The penetration testing team begins this test with at least two sets of test user credentials that are modeled off regular users. These are used to evaluate the potential risk if a user were to get malware, such as if they fell for a phishing attack.
Get a Quote
business documents on office table with smart phone and digital tablet and stylus and two colleagues discussing data in the background

Controls Testing

This type of test is often categorized as purple-teaming.  It is a collaborative test between the attack team (i.e. the red team) and the security operations team (i.e. the blue team), and it typically targets specific security controls. The purpose of this type of test is to determine if certain controls are configured and performing correctly.
Learn More
Security concept Lock on digital screen, illustration

Red Team Exercise

A red team exercise is a longer-term adversarial engagement that is considered the no-holds bared of penetration testing. Physical access and social engineering attacks are in scope, and stealth is often a key factor to success.  This type operation serves to closely simulate a determined attacker attempting to gain access and exfiltrate key data.
Get a Quote

Network Segmentation

A network segmentation test is often incorporated with an internal gray box penetration test when one or more sensitive networks are under review. This is a common requirement for assessing the cardholder data environment (CDE) to comply with PCI DSS, but it may be valuable for assessing any network hosting sensitive data.
Get a Quote


Penetration testing is scoped by overall effort, which is time-boxed.  In combined internal + external penetration tests, the scoping is done separately, but the reporting effort is combined, thus saving the client some of the cost over scoping the exercises separately.


The Process

Have more questions about Network Penetration Testing?