Service

Network Penetration Testing

Comprehensive assessment of your network infrastructure following the Penetration Testing Execution Standard (PTES). We identify exploitable vulnerabilities across your servers, firewalls, services, and configurations before attackers do.

What We Test

Network penetration testing is suited for organizations running their own servers and services — whether on-premises, cloud-hosted, or hybrid infrastructure.

External Assessment

External Network Testing

Simulate an attacker operating from the internet with no prior access. We assess your internet-facing infrastructure: public IP ranges, exposed services, firewalls, and perimeter defenses. Uncovers what an opportunistic or targeted attacker would find before launching an intrusion.

  • Public IP and CIDR range enumeration
  • Exposed service fingerprinting
  • Perimeter firewall rule analysis
  • External vulnerability identification and exploitation

Internal Assessment

Internal Network Testing

Simulate a threat actor who has already gained initial foothold inside your network — whether through phishing, a compromised device, or an insider threat. We assess lateral movement opportunities, privilege escalation paths, and internal exposure.

  • Internal host and service discovery
  • Lateral movement opportunities
  • Privilege escalation paths
  • Active Directory and authentication weaknesses

Infrastructure

Network Services & Configuration

Review of network devices, protocols, and configurations that may introduce vulnerability. Includes network segmentation effectiveness and access control gaps.

  • Router and switch configuration review
  • Network segmentation and VLAN analysis
  • Wireless network assessment (if in scope)
  • VPN and remote access security

Scope Definition

Defined & Agreed Scope

Before testing begins, we collaboratively define the scope: IP ranges, systems in and out of scope, authorized testing hours, and escalation procedures. Nothing is tested outside the agreed scope.

  • IP range and CIDR scope documentation
  • Agreed testing windows and blackout periods
  • Out-of-scope systems explicitly listed
  • Emergency stop and escalation contacts

PTES Methodology

All network penetration tests follow the Penetration Testing Execution Standard (PTES) — a structured, repeatable methodology that ensures thorough coverage and defensible results. Seven phases, executed in sequence.

Phase 1

Pre-Engagement Interactions

Before any testing begins, we establish the rules of engagement, confirm legal authorization, document scope, and align on communication protocols. This phase protects both parties and ensures the test is legally defensible. We will schedule a video call to walk through all pre-engagement requirements.

Phase 2

Intelligence Gathering

Passive and active reconnaissance to map the target environment. We gather information about your network topology, public-facing services, DNS records, WHOIS data, and organizational details using open-source intelligence (OSINT) techniques before engaging any systems directly.

Phase 3

Threat Modeling

Based on gathered intelligence, we identify likely threat actors, map attack vectors, and prioritize high-value targets within your environment. This guides the testing effort toward the exposures most likely to be exploited in a real attack scenario.

Phase 4

Vulnerability Analysis

Systematic identification of vulnerabilities across in-scope systems using a combination of automated scanning tools and manual verification. Each finding is validated before being included in the report — no raw scanner output. CVSS scores are assigned to prioritize remediation effort.

Phase 5

Exploitation

Controlled, authorized exploitation of confirmed vulnerabilities to demonstrate real-world impact. We establish proof of access without causing damage or disruption to production systems. The goal is to show what an attacker could achieve, not to destroy.

Phase 6

Post-Exploitation

After achieving initial access, we assess the extent of damage an attacker could cause: lateral movement to adjacent systems, privilege escalation, data exfiltration opportunities, and persistence mechanisms. This phase reveals the true blast radius of a successful breach.

Phase 7

Reporting

A comprehensive written report delivered after testing. The report contains an executive summary for non-technical stakeholders, detailed technical findings with evidence, CVSS risk ratings, and specific remediation guidance for each vulnerability. We walk through findings with you in a post-test debrief.

What You Receive

Every network penetration test engagement includes a complete written report and a post-test debrief session.

Executive Summary

A non-technical overview of the engagement: what was tested, key findings, overall risk posture, and prioritized remediation recommendations for leadership and decision-makers.

Technical Findings

Detailed documentation of every vulnerability found: description, evidence (screenshots, output), CVSS v3 risk score, and affected systems. Reproducible steps for your remediation team.

Remediation Guidance

Specific, actionable remediation steps for each finding — not generic advice. Findings are prioritized by risk level so you can address critical issues first.

Retest Recommendations

Guidance on which findings warrant a verification retest after remediation, and what evidence to document to confirm issues have been resolved.

Post-Test Debrief

A video call walkthrough of findings with your technical team. We explain each vulnerability, answer questions, and provide context on remediation priorities and timelines.

Rules of Engagement Documentation

Complete documentation of the agreed scope, testing windows, systems tested, and authorization chain — records that demonstrate legally compliant testing.

Legal Authorization Required

Proof of Authority: We require proof that the client has legal authority to authorize the test before starting any assessment. This ensures we have the authority to conduct the specified tests and are indemnified from prosecution. Authorization requirements vary based on network type, including cloud-based, on-premises, and home networks. Cloud environments (AWS, Azure, GCP) have additional authorization requirements from the cloud provider. All engagements are governed by a signed Rules of Engagement (ROE) document executed before any testing begins.

If you are unsure whether you have the authority to authorize a test — for example, for a network you manage but do not own — reach out before submitting a quote request. We can help clarify what authorization documentation is needed.

Ready to Assess Your Network Security?

Every network has vulnerabilities. Find yours in a controlled engagement before an adversary finds them for you.

Request a Quote

Questions? Email jon@virtuscybersecurity.com