
How do you protect what you don't know exists? With external penetration testing. It’s how you find the "unknown unknowns" that threaten your business.
It doesn’t matter how careful you are or how sophisticated your dev team is; somewhere in your organisation's digital footprint sits a forgotten test server. Maybe it's an old marketing microsite or a legacy API endpoint that nobody remembers deploying.
These unknown assets represent your greatest vulnerability. They aren't dangerous just because they are old. They’re dangerous because they exist outside your security consciousness entirely.
External penetration testing examines your organisation's internet-facing assets from an attacker's perspective. We identify weaknesses before someone with malicious intent discovers them.
But here's what most external pentesting discussions miss. The value isn't merely in finding vulnerabilities in the systems you know about, but in discovering what you didn't realise was there to begin with - your shadow infrastructure.
The Attack Surface You Think You Have vs The One You Actually Have
Most organisations have a list of their internet-facing assets. This usually includes web servers, email gateways, and VPNs. This list represents your known attack surface.
But attackers don't look at your list. They start with a blank slate when they build their map of your organisation. They find everything connected to your brand, domains, and IP addresses.
The gap between what you know and what they find is where breaches tend to begin.
Why Shadow IT Creates Unmanaged Risk
"Shadow IT" refers to technology used without official approval. It sounds like a rule-breaking problem, but the security risks are much deeper.
- A developer might spin up a test environment using their personal cloud account.
- A marketing agency might launch a campaign site without speaking to IT.
- A regional office might buy a software tool that connects to your core systems.
These are small things, but each one creates a risk that sits outside your security controls.
The European Union Agency for Cybersecurity (ENISA) has highlighted shadow IT as a major factor in security incidents. The problem isn't usually malicious intent. It's just a disconnect between convenience and security.
When we conduct external penetration tests, shadow IT often provides the biggest shocks. We've discovered active database servers with default passwords, abandoned admin portals, and forgotten APIs that let anyone in without a password.
These assets weren't hidden on purpose, just forgotten.
The Kill Chain: How External Attacks Unfold
Security researchers describe an attack using the "kill chain." This is just a sequence of steps an attacker completes to succeed. Understanding this matters because external penetration testing mimics these steps.
The external attack chain typically follows three phases: reconnaissance, scanning, and exploitation.
Phase One: Reconnaissance Through Open Source Intelligence
Before an attacker touches your systems, they gather information from public sources. This is called OSINT (Open Source Intelligence). It is remarkably effective.
What can an attacker learn without ever sending a single data packet to your network? More than you might expect.
- Domain records reveal admin email addresses.
- Job postings describe your technology stack. If you're hiring a Django developer, attackers know what software you use.
- Social media profiles of employees reveal software versions and office locations.
- Code repositories might contain accidental leaks of API keys or internal passwords.
- Certificate logs show subdomains you haven't announced publicly.
OSINT isn't glamorous, but it shapes the attack. When we begin a test, our reconnaissance finds assets the client didn't include in the scope because they didn't know they existed.
Phase Two: Scanning and Enumeration
Once reconnaissance is done, attackers start scanning. This involves directly probing your infrastructure. They want to identify running services, software versions, and potential weak spots.
Port scanning reveals which doors are open. Banner grabbing identifies the specific software behind each door. Directory searches find hidden paths on web servers.
This is where organisations often make a mistake. They think automated vulnerability scanners are enough. They aren't.
Phase Three: Exploitation and Access
Exploitation is the moment curiosity turns into a compromise. Attackers use the data they found to break in.
Exploitation might involve:
- Authentication bypass: Guessing weak passwords or using default logins.
- Software vulnerabilities: Attacking unpatched applications.
- Logical flaws: Using the app in a way the developer didn't anticipate.
- Misconfigurations: Finding settings that expose sensitive data.
The goal of external penetration testing is to complete this chain ethically. We want to show you the real-world impact before a criminal does.
External Penetration Testing vs Automated Vulnerability Scanning
Here's a distinction that causes a lot of confusion. Vulnerability scanning and penetration testing aren’t the same thing. They serve different purposes.
Vulnerability scanning is automated.
A tool probes your systems and compares what it finds against a database of known bugs. Modern scanners are good, but they’re rigid. They test for known signatures and default settings.
Penetration testing is manual.
A security professional thinks like an attacker. We use tools, intuition, and creativity to find weaknesses that don't fit into neat categories. Manual testing discovers logical flaws that automated tools can't understand.
The Human Advantage
Consider a secure client portal where users view private contracts. The scanner logs in, opens a document, and reports that the page loads correctly. It sees no error, so it marks it as "safe."
But a human tester looks closer. We notice a document ID number in the web address. Change that number by one digit. Suddenly, we are viewing a confidential contract belonging to a different user.
The automated tool didn't flag this because, technically, the page worked perfectly. The tool didn't know that User A should not see User B's file. That is a logic flaw. It requires a human to ask, "What happens if I ask for data that isn't mine?"
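The portal flaw described above, as an added example that is not 7ASecurity's code or any client's: a handler that trusts the document ID sits beside one that checks ownership, and a cross-user check asks the tester's question automatically. The document store, user names and function names are constructed for illustration.

```python
# Constructed sample data: two portal users, one contract each.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "Contract for Alice"},
    1002: {"owner": "bob", "body": "Contract for Bob"},
}


class NotFound(Exception):
    """Returned to the client as a 404."""


def get_document_vulnerable(session_user, doc_id):
    """Checks that someone is logged in, then trusts the ID in the URL."""
    if session_user is None:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc["body"]  # never compares doc["owner"] with session_user


def get_document_hardened(session_user, doc_id):
    """Same lookup, plus an ownership check on every request."""
    if session_user is None:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    # Missing and foreign documents get the same answer, so the response
    # does not confirm which IDs exist.
    if doc is None or doc["owner"] != session_user:
        raise NotFound(doc_id)
    return doc["body"]


def cross_user_leaks(handler):
    """Ask for every document as every user who does not own it."""
    leaks = []
    for user in sorted({d["owner"] for d in DOCUMENTS.values()}):
        for doc_id, doc in sorted(DOCUMENTS.items()):
            if doc["owner"] == user:
                continue
            try:
                handler(user, doc_id)
            except (NotFound, PermissionError):
                continue
            leaks.append((user, doc_id))
    return leaks
```

Run as a regression test, `cross_user_leaks` should return an empty list for every handler that serves per-user data.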
We aren't saying automated scanning is useless. Scanners are great for coverage. They can test thousands of systems quickly. They’re good for basic hygiene.
But scanners produce false alarms. They miss context. They can't think like an enemy. For external pentesting, manual testing is irreplaceable.
At 7ASecurity, our penetration testing services use tools to help us, but the analysis comes from experienced humans. This eliminates false alarms and gives you results you can act on.
Attack Surface Mapping: Building a Complete Picture
Effective testing begins with a complete map. We need to find every internet-facing asset you own.
Techniques for Discovering Hidden Assets
We combine multiple data sources:
- DNS records show us your configured subdomains.
- Certificate logs show us the SSL certificates you have issued. If you create a certificate for "test.yourcompany.com", it appears in these public logs.
- IP analysis identifies all addresses registered to your company.
Third-party relationships matter too. If your marketing provider hosts a site for you, that is part of your attack surface.
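A defender can run the same comparison against their own inventory. The following is an added example, not part of the original article: it reconciles names seen in certificate logs with a known asset list and reports where each unlisted host resolves. The domain `example.com`, the `name_value` field name and all records are constructed assumptions.

```python
import ipaddress

APEX = "example.com"  # assumption: placeholder for your registered domain
# Constructed inventory: what the organisation believes it exposes.
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed log records; "name_value" (assumed) lists DNS names, one per line.
CT_RECORDS = [
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "TEST.example.com."},
    {"name_value": "*.campaign.example.com\ncdn.partner.net"},
    {"name_value": "old-api.example.com"},
]
# Constructed DNS answers gathered separately (hostname -> A record).
DNS_ANSWERS = {"test.example.com": "203.0.113.77",
               "campaign.example.com": "198.51.100.20"}


def normalise(name):
    """Lower-case, drop the trailing dot and any wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def names_in_scope(records, apex):
    """Collect every logged name that is the apex or sits under it."""
    names = set()
    for record in records:
        for raw in record["name_value"].splitlines():
            name = normalise(raw)
            if name == apex or name.endswith("." + apex):
                names.add(name)
    return names


def classify(ip, networks):
    """Say where an unknown host lives: own range, elsewhere, or nowhere."""
    if ip is None:
        return "unresolved"
    addr = ipaddress.ip_address(ip)
    return "own-network" if any(addr in n for n in networks) else "third-party"


def unknown_assets(records, dns, known, networks, apex=APEX):
    """Hosts seen in certificate logs but absent from the inventory."""
    missing = sorted(names_in_scope(records, apex) - known)
    return [(h, dns.get(h), classify(dns.get(h), networks)) for h in missing]
```

Hosts classified as `third-party` are the supplier-hosted sites mentioned above; `unresolved` names had a certificate issued but no longer answer in DNS.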
What Complete Visibility Changes
When you understand your actual attack surface, decisions become clearer. You can prioritise patching, shut down forgotten services, and start monitoring assets you didn't know existed.
Without this map, you’re operating blindly. In essence, you’re protecting the front door while the back window is wide open.
The Business Case for External Penetration Testing
Security spending often feels like insurance: money spent to prevent damage. But the economics of external testing are clear when you look at the cost of a breach.
Recent reports show the average breach costs millions of Euros. Fines under GDPR can be massive. And that doesn't include the damage to your reputation.
External penetration testing costs a tiny fraction of a breach. More importantly, it gives you certainty. You know your exposure because someone skilled has tested it.
For organisations handling EU data, GDPR requires appropriate technical measures. External penetration testing is evidence that you’re taking this seriously. It isn't just a good idea, but a compliance activity.
Frequently Asked Questions About External Pentesting
How often should we conduct external penetration testing?
Annual testing is a good baseline. But it depends on how fast you change. If you launch new services every month, testing once a year isn't enough.
Major infrastructure changes or new product launches should trigger a test. Never assume last year's results keep you safe today.
What's the difference between external and internal penetration testing?
- External pentesting looks at your organisation from the internet. It asks, "Can they get in?"
- Internal penetration testing assumes the attacker is already inside. It asks, "What happens if they do get in?"
Both are valuable, but they solve different problems.
Will penetration testing disrupt our live systems?
A well-planned test shouldn't cause disruption. At 7ASecurity, we agree on the rules before we start. We define what systems are in scope and what techniques we can use.
We avoid dangerous attacks on production systems. The goal is to find bugs, not crash your server.
How do we prepare for an external penetration test?
Preparation is mostly about defining the scope. Tell us which domains and IP ranges belong to you. Let your team know the test is happening so they don't panic. And be ready to fix what we find. The value comes from fixing the holes, not just finding them.
Turning the Unknown Into the Secure
The challenge isn't the vulnerabilities you know about. It's the ones you've forgotten.
External penetration testing turns uncertainty into clarity. It reveals your actual attack surface. It tests your defences against real-world attacks and finds the logical flaws that scanners miss.
At 7ASecurity, we approach every external penetration test with the mindset of a determined attacker. We find what others miss because we look where others don't. We look in the shadow infrastructure and the forgotten endpoints.
Your perimeter is only as strong as its weakest point. Let us help you find it first.
See what attackers see.