Network Penetration Testing
CREST-accredited external and internal network penetration testing, across routers, switches, servers, endpoints, firewalls, email servers, and exposed systems.
Network penetration testing simulates how a capable attacker would move through your infrastructure, from the public internet at the perimeter, through any toehold that exists, and into the internal systems that hold the data and operational capability that matter.
Vantage Point delivers network engagements in two complementary forms. External tests focus on perimeter-exposed services, asking "what can be done from outside the firewall?". Internal tests focus on the worst-case scenario most organisations should be testing for, "if an attacker is already inside, what is the path to domain admin, to crown-jewel data, and to operational impact?".
Both engagement types follow a disciplined methodology (reconnaissance, enumeration, exploitation, post-exploitation, lateral movement, and impact analysis) under Rules of Engagement that protect operations while keeping the test realistic.
What's at stake.
The perimeter is more porous than most diagrams show
Cloud migrations, VPN appliances, shadow IT, and SaaS integrations all create exposure outside the textbook perimeter. Network testing is what catches it.
Internal movement is where damage actually scales
Once inside, most networks present a flat blast radius. A single workstation compromise frequently becomes domain admin in hours, and the controls to stop that path were never tested.
PCI DSS and ISO 27001 ask for it explicitly
Both standards require periodic network penetration testing as a control. Most regional regulators expect the same for critical-information infrastructure.
What we test.
External & perimeter
Systems exposed to the public internet, intentional and accidental.
- Exposed services and systems
- Firewall and routing controls
- Email infrastructure (SPF, DKIM, DMARC, gateway)
- DNS infrastructure and subdomain takeover
- Configuration weaknesses and weak protocols
- VPN gateways and remote-access services
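The email-infrastructure item above covers the DNS side of mail authentication. Below is an added example, not code from Vantage Point or from this page, of the kind of static check a defender can run on their own SPF and DMARC TXT records before an engagement surfaces the weakness: it flags permissive SPF "all" qualifiers, SPF records that exceed the RFC 7208 limit of ten DNS-lookup terms, and DMARC records that only monitor (p=none), apply the policy to a fraction of mail, or publish no reporting address. The sample records are constructed for the example; the lookup count is over the top-level record only and does not recurse into included domains, which a full assessment would.

```python
"""Static review of SPF and DMARC TXT records for weak configurations (added example)."""

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208 (limit: 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.
    Modifiers such as redirect= are returned with an empty qualifier.
    Returns None when the record is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term and term[0] not in "+-~?":
            name, _, arg = term.partition("=")      # modifier, e.g. redirect=example.net
            parsed.append(("", name.lower(), arg))
            continue
        qualifier = "+"                              # RFC 7208 default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()            # 'a/24' -> 'a' (dual-CIDR form)
        parsed.append((qualifier, mech, arg))
    return parsed


def check_spf(record):
    """Return a list of (severity, message) findings for one SPF record."""
    terms = parse_spf(record)
    if terms is None:
        return [("high", "no valid SPF record (missing v=spf1)")]
    findings = []
    all_qualifier = None
    lookups = 0
    for qualifier, mech, _arg in terms:
        if mech == "all":
            all_qualifier = qualifier
        if mech in SPF_LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            findings.append(("low", "ptr mechanism is deprecated and should be removed"))
    has_redirect = any(m == "redirect" for _, m, _ in terms)
    if all_qualifier is None and not has_redirect:
        findings.append(("medium", "no 'all' term: unlisted senders evaluate to neutral"))
    elif all_qualifier == "+":
        findings.append(("high", "'+all' authorises every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(("high", "'?all' is neutral; it offers no more protection than having no SPF"))
    elif all_qualifier == "~":
        findings.append(("medium", "'~all' softfail; many receivers still deliver softfailing mail"))
    if lookups > 10:
        findings.append(("high", f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)"))
    return findings


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of (severity, message) findings for one DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("high", "no valid DMARC record (missing v=DMARC1)")]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [("high", "DMARC record has no valid p= tag; receivers ignore it")]
    findings = []
    if policy == "none":
        findings.append(("high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "p=quarantine; move to p=reject once aggregate reports are clean"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(("medium", "no rua= address: no aggregate reports, so abuse goes unseen"))
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append(("medium", "sp=none leaves subdomains unprotected"))
    return findings


# Constructed sample records for demonstration (not real domains' data).
SAMPLE_RECORDS = {
    "spf_softfail": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all",
    "spf_open": "v=spf1 +all",
    "dmarc_monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "dmarc_enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        checker = check_spf if name.startswith("spf") else check_dmarc
        print(name, checker(record))
```

Run on your own records by substituting the TXT values pulled from DNS for the constructed samples; an empty finding list for both SPF and DMARC, with p=reject, is the target state most mail-gateway findings in this category reduce to.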
Internal & lateral
The worst-case scenario most organisations should be testing for: assumed breach, working inwards from an internal foothold.
- Access control flaws
- Network segmentation testing
- Privilege escalation paths
- Lateral movement opportunities
- Endpoint and EDR effectiveness
- Internal service exposure
The flaws engagements like this consistently surface.
Drawn from common categories our consultants surface across engagements of this type. Severity and prevalence vary by environment and maturity.
Unpatched perimeter services
Internet-facing services running versions with known RCE; legacy VPN gateways with public exploits; management interfaces published to the internet.
Flat internal networks
Workstation subnets that can talk freely to production servers; no segmentation between corporate and OT; PCI scope undefined in practice.
Weak protocols
SMBv1, NTLM, LLMNR/NBNS poisoning surface, telnet on management interfaces, deprecated TLS still accepted.
Credential reuse
Local admin password reused across thousands of endpoints, service-account passwords shared with regular users, credentials cached in Group Policy preferences.
Missing egress controls
Workload subnets able to reach the internet freely, no DNS filtering, and no controls on outbound traffic on ports other than 80/443.
Detection blind spots
No SIEM coverage on critical segments, EDR exclusions covering common attacker tooling paths, alerting on commodity malware only.
How we run the engagement.
Reconnaissance
Open-source intelligence and surface enumeration.
Scanning & enumeration
Service discovery and version mapping.
Exploitation
Manual exploitation of identified weaknesses.
Post-exploitation
Privilege escalation, lateral movement, impact analysis.
Reporting & debrief
Risk-ranked findings with reproduction and remediation.
Mapped to recognised baselines.
Common buyer questions.
External or internal, which should we start with?
For most organisations, the highest-value engagement is an internal / assumed-breach test, because that mirrors the post-phishing reality. External tests are still important and usually run annually; internal tests reveal where most damage actually scales.
Will this disrupt production?
External testing is generally non-disruptive. Internal testing under assumed-breach is designed not to impact business operations, with abort criteria defined upfront. We never run intentionally destructive techniques unless explicitly scoped.
Can you validate our segmentation for PCI DSS?
Yes, segmentation testing is a defined service. PCI DSS v4.0 requires it at least every 12 months for organisations using segmentation to reduce scope; we structure the engagement to produce the evidence the QSA needs.
Do you provide retesting?
Yes. Every engagement includes a retest cycle on remediated findings so fixes are validated before the report is closed.
Test Your Defences Against Adversarial Expertise
Talk to a CREST-accredited consultant about your next penetration testing engagement.