Internal and external network pen tests are not different intensities of the same thing. They model different threat actors, find different bugs, and require different access. Confusing them is the most common scoping mistake at the network layer.
External network pen test
Threat model: the attacker on the internet who knows your IP range.
Goal: identify and exploit anything exposed to the public internet — VPN endpoints, mail servers, public web admin panels, exposed databases, forgotten staging environments, third-party SaaS misconfigurations on your domain.
Typical findings:
- Outdated VPN with known CVE (Fortinet, Pulse, Citrix have all delivered these recently).
- SMTP open relay on a forgotten mail gateway.
- Exchange Outlook Web Access on the internet with no MFA enforcement.
- Cloud storage buckets readable to AllUsers.
- Subdomain takeover via dangling DNS CNAME to a deprovisioned SaaS.
- RDP open on port 3389 because someone forgot to close it after a quick-fix.
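The dangling-CNAME item in the list above is one an owner can check for themselves before a tester does. The script below is an added example, not code from the original page or the vendor's tooling: it walks a zone export, follows every CNAME chain, and flags chains that end in NXDOMAIN (the precondition for a takeover), loop, or never terminate. The zone, the external answers, and the example.test / *-like.test names are constructed placeholders standing in for a real zone file and live DNS.

```python
"""Flag CNAME records whose targets no longer resolve (dangling DNS).

Added example for the external-findings list above; it is not code from the
original page. The zone export and the resolver answers are constructed
sample data standing in for a real zone file and live DNS, and the names
used (example.test and the *-like.test SaaS hosts) are placeholders.
"""
from typing import Callable, Dict, List, Optional, Tuple

RRSet = Optional[List[Tuple[str, str]]]   # [(type, rdata), ...] or None for NXDOMAIN
Resolver = Callable[[str], RRSet]

# Constructed zone export for the domain under review: (owner, type, rdata).
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("www.example.test", "A", "203.0.113.10"),
    ("shop.example.test", "CNAME", "tenant42.shop-saas-like.test"),
    ("old-status.example.test", "CNAME", "acme.statuspage-like.test"),
    ("docs.example.test", "CNAME", "docs-cdn.example.test"),          # two-hop chain
    ("docs-cdn.example.test", "CNAME", "edge.cdn-like.test"),
    ("legacy.example.test", "CNAME", "legacy-alias.example.test"),     # misconfigured loop
    ("legacy-alias.example.test", "CNAME", "legacy.example.test"),
]

# Constructed stand-in for public-DNS answers for names outside the zone.
# A missing key is treated as NXDOMAIN, which is how a deprovisioned SaaS tenant looks.
SAMPLE_EXTERNAL: Dict[str, RRSet] = {
    "tenant42.shop-saas-like.test": [("A", "198.51.100.7")],
    "edge.cdn-like.test": [("A", "198.51.100.20")],
    # "acme.statuspage-like.test" deliberately absent: the tenant was deleted
}


def build_resolver(zone, external) -> Resolver:
    """Answer from our own zone first, then from the external table."""
    own: Dict[str, List[Tuple[str, str]]] = {}
    for owner, rtype, rdata in zone:
        own.setdefault(owner, []).append((rtype, rdata))

    def resolve(name: str) -> RRSet:
        if name in own:
            return own[name]
        return external.get(name)
    return resolve


def chain_status(name: str, resolve: Resolver, max_hops: int = 8) -> Tuple[str, str]:
    """Follow CNAMEs from `name`; report how the chain ends and the last name seen."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return "loop", current
        seen.add(current)
        rrset = resolve(current)
        if rrset is None:
            return "nxdomain", current
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return "resolves", current          # ends in an A/AAAA/other record
        current = cnames[0]
    return "too-deep", current


def dangling_cnames(zone, resolve: Resolver) -> List[Tuple[str, str, str, str]]:
    """Every CNAME in the zone whose chain does not end in an address record."""
    findings = []
    for owner, rtype, rdata in zone:
        if rtype != "CNAME":
            continue
        status, last = chain_status(rdata, resolve)
        if status != "resolves":
            findings.append((owner, rdata, status, last))
    return findings


if __name__ == "__main__":
    resolver = build_resolver(SAMPLE_ZONE, SAMPLE_EXTERNAL)
    for owner, target, status, last in dangling_cnames(SAMPLE_ZONE, resolver):
        print(f"{owner} -> {target}: {status} at {last}")
```

On the sample data the script reports old-status.example.test (NXDOMAIN at the SaaS host, the takeover case) and the two looping legacy records; shop and docs resolve cleanly. In a real run, replace build_resolver with a call to your DNS library and feed it the zone export from your registrar or DNS provider; the NXDOMAIN entries are the ones to delete or re-point.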
Scope size: typically a /24 to a /20 of public IPs, plus the registered domains.
Engagement length: 5–10 days for SME, 10–20 days for an enterprise.
Internal network pen test
Threat model: the attacker who has already gotten in. Phished employee, malicious insider, compromised vendor laptop, ransomware staging.
Goal: from a network foothold, escalate to Domain Admin and full data exfiltration. Often called "assumed-breach".
Typical findings:
- LLMNR / NBT-NS / mDNS poisoning yields Net-NTLMv2 hashes — crackable to plaintext domain credentials.
- Kerberoasting on service-principal accounts with weak passwords.
- ASREPRoasting on accounts with DONT_REQ_PREAUTH.
- SMB Signing not required → relay attacks to admin shares.
- Unconstrained delegation → Domain Admin via printer-coercion.
- Stale local admin password on the workstation gold-image, reused everywhere.
- Legacy file shares with HR data readable to Domain Users.
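Three of the findings above (Kerberoasting, ASREPRoasting, unconstrained delegation) are visible in an ordinary user-account export long before anyone runs a test. The script below is an added example, not code from the original page or any vendor tool: it audits constructed LDAP-shaped account records for those three conditions. The attribute names (sAMAccountName, userAccountControl, servicePrincipalName, pwdLastSet, memberOf) and the userAccountControl bit values are Microsoft's documented ones; the corp.test domain, account names, and the stale-password threshold used as a weak-password proxy are assumptions of the example.

```python
"""Audit a user-account export for the AD misconfigurations listed above.

Added example, not code from the original page or any vendor tool. The
account records are constructed sample data in the shape of an LDAP export
(attribute names are the real AD ones); the userAccountControl bit values
are Microsoft's documented flags. Domain controllers legitimately carry
unconstrained delegation, so their account names are passed in as an allowlist.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Documented userAccountControl bits.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000       # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000        # AS-REP roastable

DA_GROUP_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=test"   # placeholder domain
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)            # fixed clock for the sample


def account(name, uac, spns=(), pwd_age_days=30, groups=()) -> Dict:
    """Build one constructed account record in LDAP-export shape."""
    return {"sAMAccountName": name, "userAccountControl": uac,
            "servicePrincipalName": list(spns),
            "pwdLastSet": NOW - timedelta(days=pwd_age_days),
            "memberOf": list(groups)}


# Constructed sample export.
SAMPLE_ACCOUNTS: List[Dict] = [
    account("svc_backup", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
            spns=["MSSQLSvc/db01.corp.test:1433"], pwd_age_days=1400),
    account("svc_ad_sync", UF_NORMAL_ACCOUNT, spns=["ldap/sync.corp.test"],
            pwd_age_days=60, groups=[DA_GROUP_DN]),
    account("legacyapp", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    account("old_svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, spns=["HTTP/old.corp.test"]),
    account("print01$", UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
            spns=["HOST/print01.corp.test"]),
    account("DC01$", UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
            spns=["HOST/dc01.corp.test"]),
    account("jdoe", UF_NORMAL_ACCOUNT, pwd_age_days=45),
]


def audit_accounts(accounts: Iterable[Dict], domain_controllers=("DC01$",),
                   stale_days: int = 365) -> List[Dict]:
    """Return one finding per (check, account); disabled accounts are skipped."""
    findings = []
    for a in accounts:
        uac = a["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE:
            continue
        name = a["sAMAccountName"]
        is_computer = name.endswith("$")
        is_da = DA_GROUP_DN in a["memberOf"]
        pwd_age = (NOW - a["pwdLastSet"]).days

        # Kerberoasting candidates: user (not computer) accounts carrying an SPN.
        # Old password or Domain Admin membership raises the severity.
        if a["servicePrincipalName"] and not is_computer:
            sev = "high" if (is_da or pwd_age > stale_days) else "medium"
            findings.append({"check": "kerberoast-candidate", "account": name,
                             "severity": sev,
                             "detail": f"SPN set; pwd age {pwd_age}d; domain admin={is_da}"})
        # AS-REP roasting: Kerberos pre-authentication disabled on the account.
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({"check": "asrep-roastable", "account": name,
                             "severity": "high", "detail": "DONT_REQ_PREAUTH set"})
        # Unconstrained delegation anywhere other than a domain controller.
        if uac & UF_TRUSTED_FOR_DELEGATION and name not in domain_controllers:
            findings.append({"check": "unconstrained-delegation", "account": name,
                             "severity": "high",
                             "detail": "TRUSTED_FOR_DELEGATION on a non-DC account"})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{f['severity']:<6}] {f['check']:<26} {f['account']:<12} {f['detail']}")
```

On the sample data this yields four findings: two Kerberoast candidates (svc_backup with a four-year-old password, svc_ad_sync because it sits in Domain Admins), legacyapp without pre-authentication, and the print server with unconstrained delegation; the disabled old_svc and the allow-listed DC01$ are correctly ignored. The remediation for each is the one the finding names: long random passwords or gMSAs for SPN accounts, re-enable pre-authentication, and move the print server to constrained or resource-based delegation.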
Access required: a network drop, a domain-joined laptop, or a VPN account for a low-privileged user. Some clients prefer an "assumed-breach" with a pre-installed agent.
Engagement length: 8–15 days. Larger AD forests need more.
Which to run first
If you have never tested either, run external first — it is the surface the internet is poking at every minute. Once you are confident there, move to internal — because the Verizon Data Breach Investigations Report shows that once an attacker is in, lateral movement is fast.
If you are subject to RBI CSF, SEBI CSCRF or similar, you usually need both on an annual cadence. A combined engagement is cheaper than two sequential ones if the test team is the same.
Why scanner-only fails for internal networks especially
Internal AD attack chains are by construction not detectable by scanners. They involve combining a misconfiguration on host A with a permission on user B with a delegation on service C to reach Domain Admin. Three findings, each individually low-severity in a scanner output, combine into Critical via a 12-step BloodHound path. Without a human who reads BloodHound paths, you do not get that finding.
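The point that three individually low-severity findings combine into a Critical is easier to see on a graph than in a scanner report. The script below is an added example, not BloodHound and not code from the original page: it models a small constructed graph with BloodHound-style edge names (MemberOf, AdminTo, HasSession) on a placeholder corp.test domain, finds the shortest path from a low-privileged user to Domain Admins, and then works out which single edges are choke points, that is, the fixes that break every path at once. The graph is a six-hop sample rather than the twelve-step one mentioned above; a real run would load the collector's output instead.

```python
"""Chain individually low-severity AD relationships into one path to Domain Admins.

Added example illustrating the paragraph above; it is a toy, not BloodHound
and not code from the original page. The graph is a constructed sample using
BloodHound-style edge names (MemberOf, AdminTo, HasSession) on a placeholder
domain; a real run would load the collector's output instead.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, str]   # (source, edge type, target)

# Constructed sample. Read alone, each edge is a low/medium finding:
# a helpdesk group is local admin on two workstations, a backup service account
# has a session on them, and so on. Read together they reach Domain Admins.
SAMPLE_EDGES: List[Edge] = [
    ("alice@corp.test", "MemberOf", "HELPDESK@corp.test"),
    ("HELPDESK@corp.test", "AdminTo", "WS01.corp.test"),
    ("HELPDESK@corp.test", "AdminTo", "WS02.corp.test"),
    ("WS01.corp.test", "HasSession", "svc_backup@corp.test"),
    ("WS02.corp.test", "HasSession", "svc_backup@corp.test"),
    ("svc_backup@corp.test", "AdminTo", "SRV-DB01.corp.test"),
    ("SRV-DB01.corp.test", "HasSession", "da_admin@corp.test"),
    ("da_admin@corp.test", "MemberOf", "DOMAIN ADMINS@corp.test"),
]


def shortest_path(edges: List[Edge], start: str, goal: str) -> Optional[List[Edge]]:
    """Breadth-first search; returns the edges of one shortest path, or None."""
    adjacency: Dict[str, List[Edge]] = {}
    for e in edges:
        adjacency.setdefault(e[0], []).append(e)
    came_by: Dict[str, Edge] = {}      # node -> edge we arrived on
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node != start:
                e = came_by[node]
                path.append(e)
                node = e[0]
            return list(reversed(path))
        for e in adjacency.get(node, []):
            if e[2] not in seen:
                seen.add(e[2])
                came_by[e[2]] = e
                queue.append(e[2])
    return None


def choke_points(edges: List[Edge], start: str, goal: str) -> List[Edge]:
    """Edges whose removal on its own disconnects start from goal.

    These are the remediations that break every path at once. An edge with a
    parallel route (WS01 vs WS02 here) is not one: fixing it alone changes nothing.
    """
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, goal) is None]


def describe(path: List[Edge]) -> str:
    """Render a path as 'a -[MemberOf]-> b -[AdminTo]-> c'."""
    out = path[0][0]
    for _, etype, target in path:
        out += f" -[{etype}]-> {target}"
    return out


if __name__ == "__main__":
    start, goal = "alice@corp.test", "DOMAIN ADMINS@corp.test"
    path = shortest_path(SAMPLE_EDGES, start, goal)
    print(f"{len(path)}-hop path: {describe(path)}")
    print("choke points (fix any one of these to break the path):")
    for e in choke_points(SAMPLE_EDGES, start, goal):
        print("  ", e)
```

On the sample graph, alice reaches Domain Admins in six hops, and four of the eight edges are choke points (the helpdesk membership, the service account's local admin on the database server, the Domain Admin session on that server, and the final group membership). The two workstation edges are not: remove the helpdesk's admin rights on WS01 and the path simply goes through WS02, which is exactly the kind of remediation that looks good in a scanner re-scan and changes nothing for the attacker.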
"How much of my AD forest do you want to test?" — for most Indian enterprises, sampling 10–15% of users, all admin tiers, all critical-server VLANs is the sweet spot. A 100%-coverage internal test on a 5000-user forest is a 30-day engagement that few buyers actually want to pay for.
For a scope, see network & infrastructure VAPT.
Need a VAPT engagement scoped against this?
Tell us the asset and the compliance overlay. We will come back with a scope, timeline, and fixed-fee quote within 24 hours. Engagements start at USD 500. Free retest included.
BERRY9 IT SERVICES — VAPT Practice
Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.