External Network Penetration Test

External network penetration testing of your Internet-facing network services identifies vulnerabilities that may be exploited by an attacker.

Ensuring that your public-facing network perimeter is resilient to attackers and scripted threats is your first line of defence against both attackers and malware. These threats may target the network services that your organisation exposes on the Internet.

Vulnerabilities in your Internet-facing network services can present a significant risk to your organisation if they can be compromised by a malicious user, who may then attempt to pivot an attack onto your internal network.

Some of the more common vulnerabilities found on Internet-facing services include outdated operating systems and software, legacy encryption protocols, misconfigured VPN gateways, web servers and mail servers, and administrative services exposed to the Internet.

An external network penetration test against your publicly exposed network services, also known as your external attack surface, helps you identify the vulnerabilities that may be exploited by an Internet-based attacker. Using the same techniques that would be used in a real-life cyber-attack, our penetration testing team evaluates the level of access that can be obtained to your environment from the Internet.

How a test works

Using a combination of automated and manual testing, our penetration testers will inspect your Internet-exposed services to assess if vulnerabilities are present that could allow them to be exploited by a malicious user.

Our external penetration testing service comprises the following four stages, which are representative of a real-life attack:

  • Open Source Intelligence Gathering
  • Passive Reconnaissance
  • Network Enumeration
  • Active Testing

Open Source Intelligence Gathering

The open source intelligence gathering (OSINT) stage is performed as a precursor to the actual penetration test and gives the testing team as much background information as possible before the test starts. During the OSINT phase, our team looks for items such as:

  • Accidental leaks of sensitive information, for example through social media
  • Open ports or unsecured internet-connected devices
  • Unpatched software, such as websites running old versions of common CMS products
  • Leaked or exposed assets, such as proprietary code on pastebins

Passive Reconnaissance

During the initial stages of a real-life attack, malicious users will spend time performing reconnaissance, so that a profile or ‘footprint’ of the target organisation can be obtained. Information such as the IP addresses in use, hostnames and employee information can greatly assist an attacker in choosing an effective attack method and may help identify areas of the target organisation’s infrastructure that would render the highest impact if compromised.

Public databases and information services can contain a wealth of information that may prove useful to an attacker. Most of these information sources can be freely and passively accessed. Because they reside in the public domain, there is no chance that the searches performed by an attacker will trigger alerts that may notify the target organisation that an attack is being planned.

During this phase of the testing, the following public information sources will be accessed to obtain further information about the target organisation:

  • RIPE Database
  • WHOIS Database
  • Domain Name Servers

Network Enumeration

Once an attacker has built a profile of the organisation through passive information gathering, they will attempt to identify ‘live’ hosts and services within the IP address range. Once an understanding of the exposed ports and services is obtained, this will give the attacker more information on potential vulnerabilities that may allow them to gain a foothold on the network and further their attack.

During this phase of the test, a full TCP and UDP port scan of all 65,535 ports will be conducted over the in-scope IP range. An ICMP scan will also be conducted, to identify which hosts would disclose their presence to an attacker who performs a simple ‘ping’ scan.

Active Testing

Based on the results of the Network Enumeration phase, a vulnerability assessment and targeted penetration test will be conducted on all Internet-exposed services. All results of the vulnerability assessment will be manually verified to ensure that no ‘false positive’ results are present.

All exposed services will be manually inspected by connecting to them and attempting to gain access through known exploits.

Engagement prerequisites

  • A signed & completed Testing Consent Form
  • List of IP addresses to be tested.
  • Ensure that any Intrusion Prevention Systems have been disabled or Hedgehog’s IP range ( to is white-listed for the duration of the test

Engagement deliverables

Engaging with Hedgehog Security for your External Infrastructure Penetration Test will provide you with the following:

Pre-engagement support

Prior to your test commencing, our penetration tester(s) will discuss the scope of work with you, so that a full understanding is obtained of what your Internet-facing network services are used for. This not only allows the test to run more efficiently but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.

During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your infrastructure or any evidence in our results that may indicate a security breach may have already taken place.


Once the penetration test has been completed, you will be provided with the following:

Comprehensive Technical Report

Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities contain a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.

Technical References

Where applicable, we provide additional reference URLs for each vulnerability, so that further information on the vulnerabilities can be obtained from reputable sources of technical information.

Risk-Based Approach with CVSS Scoring

A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.

Secure & Encrypted Test Portal

Due to the sensitive content which may be contained in our test reports, all test reports are delivered to our customers through a secure test portal. Our portal is highly encrypted and is tested on a regular basis.

After Care

Once our engagement is complete and our final report has been delivered to you, our penetration testing team will remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.

We pride ourselves on partnering with our customers to provide ad-hoc security advice and to ensure that our engagement with you doesn’t simply end once the final report has been delivered.

We are committed to ensuring that, as our customer, you receive the utmost value out of our consultancy services, and we look forward to developing a long-lasting business relationship with you.

Conference Call

Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.

A conference call is suitable for both management and technical staff and provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and technical staff who may be tasked with applying the recommended course of action.

Free 14-Day Retest

With the testing being conducted remotely, we include a free retest of all issues identified in the report, providing they are mitigated within 14 days of the report being issued. This allows you time to take corrective action and ensures that your efforts have been successful in mitigating the vulnerabilities.
