March 1, 2026

Network Penetration Testing: Internal vs External Guide

Babar Khan Akhunzada

Network penetration testing is the oldest category in offensive security and the one most frequently mis-scoped, mislabelled, or substituted with something cheaper that doesn't actually satisfy what an auditor or security programme needs.

If you're preparing for a SOC 2 or ISO 27001 audit, evaluating whether your internal controls hold up, or simply trying to understand what "network pentest" means when a provider quotes for it, this guide covers what the assessment actually involves, where the internal and external scopes differ, and what separates a real test from an automated scan.

  1. What Network Penetration Testing Is
  2. Internal vs External: What Each Covers
  3. Network Pentest vs Vulnerability Scan
  4. What the Methodology Should Cover
  5. Questions Teams Actually Ask
  6. What a Real Network Pentest Report Contains
  7. Get a Network Pentest Quote

What Network Penetration Testing Is

Network penetration testing is a manual security assessment of your network infrastructure: the hosts, services, protocols, and trust relationships that make up your internal and perimeter network environment. A tester methodically identifies exposed services, tests their security posture, attempts to exploit vulnerabilities, and documents what level of access an attacker could gain and how far they could move within the network from that starting point.

The key word is manual. A network pentest conducted by a human tester produces findings that automated tools miss: service misconfigurations specific to your environment, exploitable combinations of individually low-risk findings, credential reuse across systems, legacy protocols still running on internal segments, and lateral movement paths that only become visible when a tester is actively working through your network rather than scanning it.

The two distinct components: most network penetration tests cover either external infrastructure (what's exposed on the internet), internal infrastructure (what an attacker with network access can do inside your environment), or both. These are different assessments with different objectives and different finding types, not the same test run from different locations.

Internal vs External: What Each Covers

Scope comparison: external vs internal network penetration testing

Factor                  | External pentest                                                                  | Internal pentest
Attacker position       | Unauthenticated, internet-facing                                                  | Inside the network (VPN, physical, breached perimeter)
Primary target          | Perimeter hosts, exposed services, public IPs                                     | Internal hosts, domain controllers, internal services
Key findings            | Unpatched services, exposed admin panels, firewall gaps, VPN vulnerabilities      | AD misconfiguration, lateral movement, privilege escalation, credential reuse
Threat it models        | External attacker scanning and exploiting internet-facing infrastructure          | Insider threat, compromised endpoint, attacker post-perimeter breach
Typical access required | None — conducted remotely from the internet                                       | VPN access or on-site, standard user credentials
Compliance coverage     | Satisfies perimeter testing requirements                                          | Satisfies internal network control requirements

Which do you need? Most organisations with a real security programme run both, but the right starting point depends on your threat model. If your primary concern is an external attacker exploiting internet-facing infrastructure, start with external. If you're more concerned about what happens after a phishing attack succeeds or an endpoint is compromised (which is where most actual breaches play out), internal is the higher-priority assessment. For SOC 2 and ISO 27001 compliance, auditors typically want to see both in scope over a reasonable cycle, though not necessarily simultaneously.

Network Pentest vs Vulnerability Scan

This is the most commercially important distinction in network security assessments — and the one most frequently blurred by providers quoting at low price points.

Vulnerability scan: automated and signature-based

A vulnerability scanner enumerates services and matches them against a database of known CVEs and configuration signatures. It tells you what versions are running, what CVEs apply, and what configurations deviate from known-bad patterns. It runs without human judgment — the same scan, the same output, every time.

Penetration test: manual and context-aware

A penetration test uses scanner output as a starting point, then applies human judgment: Which findings are actually exploitable in this environment? Which low-severity issues chain into a critical attack path? What credentials from one system work on another? What does the network look like from inside after gaining a foothold? These questions require a tester, not a tool.

Vulnerability scan: no exploitation, no proof of impact

Scanners flag vulnerabilities without confirming they're exploitable in your specific environment. A CVE rated Critical might be unexploitable due to compensating controls — or an apparently low-severity misconfiguration might be the first step in a path to domain admin. A scanner can't tell the difference.

Penetration test: exploitation evidence and attack paths

A pentest report shows what was actually exploited, what access was gained, and what an attacker could do from that position — with screenshots and step-by-step reproduction. This is what compliance auditors need and what your engineering team can act on. A scanner report doesn't contain any of this.

The practical test: if a provider quotes under $4,000 for a "network penetration test," they are selling you an authenticated vulnerability scan. The economics of manual testing don't work at that price point. Ask for a sample report — the difference between a real pentest report and a scan output is obvious in 60 seconds.

What the Methodology Should Cover

External network penetration testing methodology:

Reconnaissance and attack surface mapping comes first — understanding what's exposed before attempting exploitation. This covers passive OSINT (identifying infrastructure, certificate transparency, leaked credentials) and active enumeration (port scanning, service identification, SSL/TLS analysis). The objective is a complete picture of the external attack surface before a single exploit attempt is made.
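The attack-surface mapping step has a defensive mirror image: the organisation already holds an asset inventory, so the tester's reconnaissance output can be reconciled against it to surface certificates issued for names nobody tracks, hosts nobody owns, and ports nobody meant to expose. The following is an added example (not code from the original post or from SecurityWall) that performs that reconciliation on constructed data. The `INVENTORY`, `CT_ENTRIES_JSON` and `SCAN_RESULTS` structures are assumptions shaped like a CMDB export, a crt.sh JSON response and a port-scan summary; nothing here touches the network.

```python
"""Reconcile externally visible names and open ports against an asset inventory.

Added example, not code from the original post or from SecurityWall. The CT log
entries, scan results and the inventory below are constructed sample data; the
shapes mimic a crt.sh JSON export and a port-scan summary.
"""
import json

# Constructed: what the asset inventory says is intentionally internet-facing.
INVENTORY = {
    "www.example.test":  {"ip": "203.0.113.10", "ports": {443}},
    "mail.example.test": {"ip": "203.0.113.20", "ports": {25, 443}},
    "vpn.example.test":  {"ip": "203.0.113.30", "ports": {443}},
}

# Constructed: certificate transparency entries in the shape crt.sh returns
# (name_value can carry several SAN names separated by newlines).
CT_ENTRIES_JSON = json.dumps([
    {"common_name": "www.example.test", "name_value": "www.example.test\nexample.test"},
    {"common_name": "mail.example.test", "name_value": "mail.example.test"},
    {"common_name": "staging-admin.example.test", "name_value": "staging-admin.example.test"},
    {"common_name": "*.example.test", "name_value": "*.example.test"},
])

# Constructed: open TCP ports an external scan observed, keyed by IP.
SCAN_RESULTS = {
    "203.0.113.10": {443},
    "203.0.113.20": {25, 443, 8443},   # 8443 is not in the inventory
    "203.0.113.30": {443, 22},         # SSH on the VPN concentrator is not in the inventory
    "203.0.113.40": {3389},            # host is not in the inventory at all
}


def names_from_ct(ct_json):
    """Return (hostnames, wildcards) found in CT entries, lower-cased and de-duplicated."""
    hostnames, wildcards = set(), set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if not name:
                continue
            (wildcards if name.startswith("*.") else hostnames).add(name)
    return hostnames, wildcards


def reconcile(inventory, ct_json, scan_results):
    """Compare the inventory with what CT logs and a port scan reveal.

    Returns three kinds of gaps: hostnames with certificates the inventory does not
    know about, scanned IPs the inventory does not know about, and (ip, port) pairs
    that are open but not recorded as intended exposure. Wildcard certificates are
    listed separately because they cannot be matched to a single host.
    """
    ct_hosts, wildcards = names_from_ct(ct_json)
    expected_ports = {}
    for asset in inventory.values():
        expected_ports.setdefault(asset["ip"], set()).update(asset["ports"])

    unexpected_ports = set()
    for ip, open_ports in scan_results.items():
        if ip in expected_ports:
            unexpected_ports |= {(ip, p) for p in open_ports - expected_ports[ip]}

    return {
        "unknown_hosts": ct_hosts - set(inventory),
        "wildcard_certs": wildcards,
        "unknown_ips": set(scan_results) - set(expected_ports),
        "unexpected_ports": unexpected_ports,
    }


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, CT_ENTRIES_JSON, SCAN_RESULTS).items():
        print(f"{kind}: {sorted(items)}")
```

Every entry the script prints is a scoping question before it is a finding: an unknown host may be a forgotten staging system, an abandoned DNS record, or a business unit's shadow deployment, and each of those belongs in the external scope.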

Service exploitation testing evaluates each exposed service for known vulnerabilities, misconfigurations, and authentication weaknesses. VPN concentrators, remote access solutions (Citrix, RDP gateways), email infrastructure, DNS configuration, and web-facing management interfaces are all in scope.

Firewall and ACL validation tests whether your network controls are actually enforced, not just configured. Firewall rules that exist in policy but aren't applied correctly are a consistent finding in external assessments.

Internal network penetration testing methodology:

Active Directory is the primary target in most Windows-based internal environments. Internal testing covers AD enumeration (user accounts, group memberships, GPO configuration, trust relationships), attack techniques against Kerberos (Kerberoasting, AS-REP roasting, pass-the-hash, pass-the-ticket), and domain privilege escalation paths. In most internal assessments, AD misconfigurations produce the highest-severity findings.
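The Kerberos techniques named above leave traces on the domain controllers, which is what a blue team should be watching for while the tester works. The following is an added example (not code from the original post or from SecurityWall) that runs two common detection heuristics over constructed records shaped like Windows Security events 4769 (service ticket request) and 4768 (TGT request): a single client requesting RC4 (encryption type 0x17) service tickets for several user-account SPNs within a short window, which is the usual Kerberoasting signature, and a TGT issued with pre-authentication type 0, which is what AS-REP roasting relies on. The field names, the five-minute window and the three-service threshold are assumptions to tune per environment.

```python
"""Flag Kerberoasting- and AS-REP-roasting-style activity in DC security logs.

Added example, not code from the original post or from SecurityWall. EVENTS is a
constructed sample shaped like the fields of events 4769 and 4768 as a SIEM might
export them; the key names (PreAuthType, TicketEncryptionType, ...) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"  # RC4-HMAC; user-account SPN tickets in RC4 are the classic roasting target

# Constructed sample events.
EVENTS = [
    {"EventID": 4769, "Time": "2026-03-01T09:00:01", "IpAddress": "10.10.5.23",
     "TargetUserName": "jdoe@CORP.TEST", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2026-03-01T09:00:02", "IpAddress": "10.10.5.23",
     "TargetUserName": "jdoe@CORP.TEST", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2026-03-01T09:00:03", "IpAddress": "10.10.5.23",
     "TargetUserName": "jdoe@CORP.TEST", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2026-03-01T09:00:04", "IpAddress": "10.10.5.23",
     "TargetUserName": "jdoe@CORP.TEST", "ServiceName": "svc_iis", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "Time": "2026-03-01T09:01:00", "IpAddress": "10.10.5.23",
     "TargetUserName": "legacy_app", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2026-03-01T09:15:00", "IpAddress": "10.10.8.44",
     "TargetUserName": "asmith@CORP.TEST", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": "2026-03-01T09:15:01", "IpAddress": "10.10.8.44",
     "TargetUserName": "asmith@CORP.TEST", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "Time": "2026-03-01T09:16:00", "IpAddress": "10.10.8.44",
     "TargetUserName": "asmith", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def is_user_spn_service(service_name):
    """Tickets for krbtgt and computer accounts (names ending in $) are routine; skip them."""
    return service_name.lower() != "krbtgt" and not service_name.endswith("$")


def detect_kerberoasting(events, min_distinct=3, window=timedelta(minutes=5)):
    """Return {client_ip: sorted service names} for clients that requested RC4 service
    tickets for at least `min_distinct` different user-account SPNs within `window`."""
    per_client = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4
                and is_user_spn_service(e["ServiceName"])):
            per_client[e["IpAddress"]].append((_ts(e), e["ServiceName"]))

    flagged = {}
    for ip, requests in per_client.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= min_distinct:
                flagged[ip] = sorted(in_window)
                break
    return flagged


def detect_asrep_roasting(events):
    """Return [(account, client_ip)] for TGTs issued without pre-authentication.

    Pre-authentication type 0 on a successful 4768 means the account does not
    require Kerberos pre-auth; that account setting is the misconfiguration to fix.
    """
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and str(e.get("PreAuthType")) == "0"]


if __name__ == "__main__":
    print("kerberoasting candidates:", detect_kerberoasting(EVENTS))
    print("accounts without pre-auth:", detect_asrep_roasting(EVENTS))
```

Both detections point at remediation rather than just alerting: the RC4 tickets indicate service accounts whose passwords and supported encryption types need attention, and the pre-auth hits name the exact accounts whose "Do not require Kerberos preauthentication" setting should be reviewed.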

Network segmentation validation tests whether your internal network segments are actually isolated as intended. A workstation that can reach a domain controller directly, a developer machine that can access a production database, or a guest Wi-Fi that routes into the corporate network are all segmentation failures — and they're common.
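The firewall and ACL validation described in the external section and the segmentation validation described here are the same exercise from a reporting standpoint: compare the intended policy with what the tester could actually reach. The following added example (not code from the original post or from SecurityWall) does that comparison on constructed data. `SEGMENTS`, `POLICY` and `PROBES` are assumptions standing in for the network design document, the firewall rule set and the tester's connectivity checks, and the policy is evaluated first-match with a default deny, which is also an assumption about how the rule set is written. The overlapping domain-controller subnet inside the server range is included deliberately to show why segment lookup must use the longest matching prefix.

```python
"""Check observed reachability against the intended segmentation policy.

Added example, not code from the original post or from SecurityWall. Segment map,
policy rules and probe results are constructed; rule evaluation is first-match
with a default deny (an assumption about the policy format).
"""
import ipaddress

# Constructed: intended segments. 10.20.1.0/24 sits inside 10.20.0.0/16, so lookups
# must use the longest matching prefix.
SEGMENTS = {
    "workstations":       ipaddress.ip_network("10.10.0.0/16"),
    "servers":            ipaddress.ip_network("10.20.0.0/16"),
    "domain_controllers": ipaddress.ip_network("10.20.1.0/24"),
    "guest_wifi":         ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed: intended policy as (src_segment, dst_segment, port, action); "*" matches anything.
POLICY = [
    ("workstations", "domain_controllers", 88,  "allow"),   # Kerberos
    ("workstations", "domain_controllers", 389, "allow"),   # LDAP
    ("workstations", "domain_controllers", "*", "deny"),    # no RDP/SMB/admin access to DCs
    ("workstations", "servers", 443, "allow"),
    ("guest_wifi",   "*", "*", "deny"),                     # guest Wi-Fi is fully isolated
]

# Constructed: probe results as (src_ip, dst_ip, port, reachable).
PROBES = [
    ("10.10.5.23",   "10.20.1.10", 88,   True),    # expected
    ("10.10.5.23",   "10.20.1.10", 389,  False),   # allowed by policy but blocked in practice
    ("10.10.5.23",   "10.20.1.10", 3389, True),    # RDP to a DC: policy says deny
    ("10.10.5.23",   "10.20.7.40", 443,  True),    # expected
    ("10.10.5.23",   "10.20.7.40", 1433, True),    # SQL from a workstation: no rule, default deny
    ("192.168.50.8", "10.20.7.40", 443,  True),    # guest Wi-Fi reaching a server
    ("192.168.50.8", "10.20.1.10", 88,   False),   # expected
]


def segment_of(ip):
    """Longest-prefix match of an address to a named segment ("unknown" if none)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(matches)[1] if matches else "unknown"


def policy_action(src_seg, dst_seg, port, policy=POLICY):
    """First matching rule wins; anything unmatched is denied."""
    for rule_src, rule_dst, rule_port, action in policy:
        if (rule_src in (src_seg, "*") and rule_dst in (dst_seg, "*")
                and rule_port in (port, "*")):
            return action
    return "deny"


def validate_segmentation(probes, policy=POLICY):
    """Return findings where observed reachability contradicts the intended policy.

    "unexpected_reach" is the segmentation failure (a control that exists on paper
    but is not enforced); "unexpected_block" is a mismatch worth recording too,
    since it usually means the documented policy is not what is deployed.
    """
    findings = []
    for src, dst, port, reachable in probes:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        intended = policy_action(src_seg, dst_seg, port, policy)
        if reachable and intended == "deny":
            findings.append(("unexpected_reach", src_seg, dst_seg, port))
        elif not reachable and intended == "allow":
            findings.append(("unexpected_block", src_seg, dst_seg, port))
    return findings


if __name__ == "__main__":
    for finding in validate_segmentation(PROBES):
        print(*finding)
```

The output maps directly onto the "intended vs actual segmentation model" a report should present: each `unexpected_reach` line names the source segment, destination segment and port, which is exactly the granularity an infrastructure team needs to locate the missing or misapplied rule.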

Lateral movement simulation starts from a standard user position (or from a compromised foothold if escalation was achieved) and tests how far an attacker can move through the environment. Credential reuse across systems, SMB relay opportunities, and service account over-permissioning are the most frequently exploited lateral movement paths.

Credential attacks test password policy enforcement, whether accounts with weak passwords exist, and whether discovered credentials work across multiple systems. This includes both online testing (attempting authentication against services) and offline cracking of any hashes obtained during the engagement.

Questions Teams Actually Ask

"We need a network pentest for our SOC 2 audit; what should be in scope?"

For SOC 2, the scope should map to the systems and infrastructure that process, store, or transmit the data your Trust Services Criteria cover. At minimum: the servers and network infrastructure that host your application and its data, the network segments those systems sit on, and any VPN or remote access infrastructure that provides access to them. If you have a hybrid environment, both the cloud infrastructure and any on-premise network components in scope for SOC 2 should be included. The practical question to ask your auditor: "Does my current pentest scope cover all systems in the SOC 2 boundary?" If the answer requires a long conversation, scope it more broadly.

"What's the difference between a network pentest and a vulnerability scan for compliance purposes?"

Compliance auditors for SOC 2 (CC4.1, CC7.1), ISO 27001 (Annex A.8.8), and PCI DSS differentiate between vulnerability scanning and penetration testing in their evidence requirements. Vulnerability scanning is an ongoing operational control; penetration testing is a periodic assessment of whether controls are actually effective against exploitation. Most audit frameworks expect both, but they serve different purposes. Submitting scan results as penetration test evidence to a rigorous auditor will produce questions at best and a non-conformance finding at worst.

"External vs internal: which do we need, or do we need both?"

Both are usually needed for a complete picture, but the right starting priority depends on your threat model. If your business faces significant external threat (financial services, healthcare, high-profile targets), external testing should run annually. If your main risk scenario is a phishing attack that leads to an insider-level compromise (which is the most common actual attack pattern), internal testing is the higher-value assessment. For SOC 2 Type II and ISO 27001, auditors typically want to see both across the audit period.

"What does an internal network pentest actually look like in practice?"

On day one, the tester connects to your network (via VPN or on-site) with standard user credentials: no elevated access, no pre-shared vulnerability list. They begin with enumeration: mapping the network, identifying hosts and services, and building a picture of the Active Directory environment. From there, the engagement moves through privilege escalation attempts, lateral movement simulation, and documentation of what level of access was achieved at each stage. Most engagements run 3–5 days for a medium-complexity environment. You receive daily updates on significant findings and a full report within a week of completion.

What a Real Network Pentest Report Contains

Before engaging a provider, ask for a redacted sample report. A genuine network penetration test report contains:

Executive summary with business impact context. Not a list of CVEs — a narrative that explains what an attacker could have done and what the business consequence would have been. "An attacker with network access could have obtained domain administrator privileges within 4 hours, giving full control of all internal systems" is the kind of finding that produces action. A summary that lists vulnerability categories without impact context doesn't.

Attack path documentation. The sequence of steps from initial access to the highest level of privilege achieved — with screenshots at each stage. This is what makes a pentest report different from a scanner report: it shows the journey, not just the destination.

Findings with CVSS scores and exploitation evidence. Each finding scored, described, with reproduction steps and proof of exploitation (screenshots, tool output, hash dumps where appropriate). Your engineering and infrastructure team needs this to understand and reproduce the issue before they can fix it.

Active Directory-specific findings (for internal assessments). AD misconfiguration findings should identify the specific policy, group, or trust relationship involved — not just "Kerberoasting possible." The remediation guidance needs to be specific enough to act on.

Network segmentation findings. Which segments could be reached from which starting points, what traffic was possible that shouldn't have been, and what the intended vs actual segmentation model looks like.

Remediation guidance at implementation level. Specific enough that your infrastructure team can act without a follow-up call. "Disable LLMNR and NBT-NS via Group Policy using Computer Configuration > Administrative Templates > Network" rather than "disable legacy name resolution protocols."

Retest evidence. Critical and high findings verified as resolved after remediation with updated report sections. Required for SOC 2 and ISO 27001 audit evidence packages.

Report red flag

A network pentest report with no Active Directory findings for an internal Windows environment almost always means AD wasn't manually tested.

AD misconfigurations are the most common high-severity findings in internal assessments. Their absence signals automated scanning, not manual testing. Ask your provider how they specifically tested AD.

Get a Network Pentest Quote

Network Penetration Testing — Internal & External

Manual network testing — perimeter, internal AD, segmentation, and lateral movement

SecurityWall's network penetration tests cover external perimeter and internal Active Directory environments with manual testing — service exploitation, AD attack paths, lateral movement simulation, credential attacks, and segmentation validation. Findings delivered through SLASH in real time. Retest included as standard. Compliance-ready documentation for SOC 2, ISO 27001, and PCI DSS.

Scoped quote within 24 hours. Sample report available on request before you commit.

About Babar Khan Akhunzada

Babar Khan Akhunzada is Founder of SecurityWall. He leads security strategy and offensive operations. Babar has been featured in 25-Under-25 and has spoken at BlackHat, OWASP, and BSides premier conferences.