Evaluating your security controls from both outside the perimeter and inside the local network is required to achieve complete defensive visibility.
External testing targets an organization's public-facing assets to discover entry points that could allow an internet-based attacker to gain unauthorized access. The assessment simulates a rogue actor trying to bypass network firewalls, exploit web vulnerabilities, or conduct credential-stuffing attacks against exposed corporate login screens.
Internal testing starts with the assumption that the perimeter has already been breached, or that the attacker has local physical access. This engagement simulates a compromised employee workstation, a rogue contractor, or a physical intruder plugged into an office network port, seeking to escalate privileges to Active Directory Domain Administrator.

| Aspect | External Pentest | Internal Pentest |
|---|---|---|
| Starting Point | Outside the corporate network boundary (public internet). | Inside the corporate perimeter (connected to local LAN, AD, or VPN). |
| Target Assets | Publicly exposed assets: VPN gates, DNS servers, web portals, email gateways. | Internal networks: Active Directory, local workstations, file shares, database zones. |
| Threat Model | External actors: cybercriminals, opportunists, automated exploit bots. | Insider threats: disgruntled employees, contractors, compromised workstations. |
| Primary Goals | Breach the perimeter, bypass firewalls, and gain an initial foothold. | Escalate privileges (e.g. to domain admin), harvest credentials, bypass internal network segmentation. |
| Typical Findings | Exposed admin portals, outdated web technologies, unpatched perimeter vulnerabilities. | Weak AD service account configurations, cleartext credentials in file shares, missing LLMNR/NBT-NS protections. |
Your external perimeter is targeted continuously by automated bots scanning the internet for unpatched vulnerabilities (such as out-of-date firewalls or known CVEs in public-facing services). An external pentest identifies these exposures before those bots do, protecting the entry points to your business environments.
Modern cyber defenses must assume that a breach will eventually occur, whether through a phishing email click, a vendor compromise, or an unsecured Wi-Fi network. Internal penetration testing validates that your internal segmentation controls can contain an attacker and prevent them from reaching critical databases or domain controllers.
Regulatory frameworks like Bank Negara Malaysia's RMiT and the Payment Card Industry Data Security Standard (PCI DSS) explicitly mandate both external and internal security audits. Under RMiT, financial institutions must perform these tests annually to verify that segmented card networks and core banking zones are logically isolated and protected against lateral movement.
Our qualified ethical hackers can assist in scoping the correct external and internal assets to build a compliant assessment.