Network penetration testing is a controlled, authorized simulation of an attack against your network infrastructure to identify vulnerabilities that could be exploited by a real adversary. Unlike web application testing, which focuses on software-level flaws, network penetration testing targets the foundational layer of your IT environment: firewalls, routers, switches, servers, Active Directory, VPNs, wireless networks, and the protocols that connect them all.
In 2026, with hybrid work environments, cloud-connected on-premises infrastructure, and increasingly sophisticated ransomware operations, network penetration testing is more critical than ever. This guide covers everything you need to know: the difference between internal and external testing, what gets tested, the methodology, common findings, tools used, compliance requirements, preparation steps, and realistic cost ranges.
Internal vs. External Network Penetration Testing
Network penetration testing is typically divided into two distinct engagement types: external and internal. Most organizations need both, but they serve different purposes and simulate different threat scenarios.
External Network Penetration Testing
An external network penetration test simulates an attacker on the internet targeting your organization's public-facing infrastructure. The tester has no internal access and no credentials. They are working with the same information a real attacker would have: your public IP ranges, DNS records, and whatever services are exposed to the internet.
The goal is to answer a simple question: can an external attacker breach your perimeter? Testers probe internet-facing firewalls, VPN gateways, mail servers, web servers, DNS servers, and any other services exposed to the public internet. They look for misconfigurations, unpatched vulnerabilities, weak authentication, exposed management interfaces, and service-level flaws that could provide an initial foothold.
Internal Network Penetration Testing
An internal network penetration test simulates a threat actor who already has access to your internal network. This could be a malicious insider, a contractor with VPN access, or an external attacker who has already compromised a single workstation through phishing or malware.
Internal testing is typically more extensive and reveals more critical findings than external testing. Once inside the network, testers attempt to escalate privileges, move laterally between systems, compromise Active Directory, access sensitive data, and ultimately demonstrate the full impact of an internal network breach. This is where organizations discover how far an attacker can go once they get past the perimeter.
Why both matter: External testing tells you how hard it is to get in. Internal testing tells you what happens after someone gets in. Most real-world breaches involve both: an initial compromise (phishing, vulnerable VPN, stolen credentials) followed by internal lateral movement to reach high-value targets. Testing only one side gives you an incomplete picture of your risk.
What Gets Tested in a Network Penetration Test
Network penetration testing covers a broad range of infrastructure components. The specific scope depends on your environment, but here are the key areas that professional testers evaluate:
- Firewalls and perimeter devices: Rule set analysis, bypass testing, management interface exposure, default credentials, firmware vulnerabilities
- Routers and switches: Configuration review, VLAN hopping, ARP spoofing, CDP/LLDP information disclosure, management protocol security (SNMP, SSH, Telnet)
- Servers: Operating system patch levels, service configurations, file share permissions, local privilege escalation, unnecessary services running
- Active Directory: AD penetration testing is often the most critical component. Testers evaluate password policies, Kerberoasting susceptibility, AS-REP roasting, GPP password exposure, delegation misconfigurations, trust relationships, certificate services abuse, and paths from domain user to domain admin
- VPN gateways: Authentication strength, split tunneling configuration, known CVEs, credential stuffing resilience
- DNS infrastructure: Zone transfer vulnerabilities, DNS cache poisoning, DNS tunneling potential
- Mail servers: Open relay testing, SPF/DKIM/DMARC validation, credential harvesting via NTLM authentication
- Network services: SMB, RDP, SSH, FTP, LDAP, database services (MSSQL, MySQL, PostgreSQL), and any other services running on the network
- Wireless networks: WPA2/WPA3 security, rogue access point detection, guest network isolation, management interface exposure
- Network segmentation: Verifying that segmentation controls actually prevent lateral movement between network zones, especially between PCI environments, guest networks, and production systems
Network Penetration Testing Methodology
Professional network penetration testing follows a structured methodology that mirrors the tactics, techniques, and procedures (TTPs) used by real attackers. At Lorikeet, our methodology aligns with PTES, OSSTMM, and the MITRE ATT&CK framework.
Phase 1: Discovery and Enumeration
The engagement begins with mapping the network. For external tests, this means identifying live hosts, open ports, running services, and software versions across the target IP ranges. For internal tests, it includes network topology discovery, VLAN enumeration, service identification, and Active Directory reconnaissance.
This phase is methodical and thorough. Every open port is a potential entry point. Every running service is a potential vulnerability. The tester builds a comprehensive picture of the network's attack surface before moving to active testing.
Phase 2: Vulnerability Identification
With the network mapped, testers identify vulnerabilities in discovered services. This combines automated scanning with manual analysis. Testers check for missing patches, default credentials, weak configurations, known CVEs, and protocol-level weaknesses. Crucially, they verify each finding manually to eliminate false positives and determine actual exploitability.
Phase 3: Exploitation and Lateral Movement
Confirmed vulnerabilities are exploited to gain access to systems. Once initial access is achieved, testers attempt to escalate privileges locally, then move laterally across the network to compromise additional systems. In Active Directory environments, this often involves credential harvesting, pass-the-hash attacks, Kerberos ticket manipulation, and exploiting trust relationships to reach domain admin.
This phase demonstrates real-world impact. It is one thing to report that a server is missing a patch. It is another thing entirely to demonstrate that the missing patch allowed the tester to gain SYSTEM access, dump credentials, and use those credentials to compromise the domain controller.
Phase 4: Post-Exploitation and Impact Assessment
After gaining access to high-value targets, testers assess the impact. Can they access sensitive data? Can they modify financial records? Can they deploy simulated ransomware? Can they pivot to other network segments? This phase quantifies the business impact of the vulnerabilities discovered and provides the evidence leadership needs to prioritize remediation investment.
Phase 5: Reporting and Remediation
Results are documented with full attack chain details, proof-of-concept evidence, severity ratings, and remediation guidance. At Lorikeet Security, findings are delivered in real-time through our PTaaS platform, so your team can begin remediation during the engagement rather than waiting weeks for a final report.
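As an added example (not code from the original article or from Lorikeet) of turning Phase 1 output into a finding, the script below parses a constructed Nmap -oX file, builds a per-host inventory of open services, and flags the cleartext management protocols a tester would report; the hosts, ports and severity labels are assumed sample values.

```python
"""Inventory open services per host from Nmap -oX output (discovery phase), then flag
cleartext management protocols. SAMPLE_NMAP_XML is constructed, not real scan data."""
import xml.etree.ElementTree as ET
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.1.254" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports></host>
</nmaprun>"""
# SNMP version and whether port 80 is an admin page need manual verification.
CLEARTEXT = {
    ("tcp", 23): ("telnet", "high"),
    ("tcp", 21): ("ftp", "medium"),
    ("tcp", 80): ("http (verify: management interface?)", "medium"),
    ("udp", 161): ("snmp (verify: v1/v2c?)", "low"),
}

def parse_nmap_xml(xml_text):
    """Return {ip: [(proto, port, service), ...]} for up hosts, open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and hosts without an IPv4 address are not inventoried
        services = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not reachable attack surface
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            services.append((port.get("protocol"), int(port.get("portid")), name))
        inventory[addr.get("addr")] = services
    return inventory

def cleartext_findings(inventory):
    """One (ip, port, label, severity) tuple per exposed cleartext service."""
    findings = []
    for ip, services in sorted(inventory.items()):
        for proto, port, _name in services:
            if (proto, port) in CLEARTEXT:
                label, severity = CLEARTEXT[(proto, port)]
                findings.append((ip, port, label, severity))
    return findings
```

Rerunning the same script over a post-remediation scan is a quick way to confirm that a Telnet or HTTP management interface has actually been closed.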
Common Network Penetration Testing Findings
After conducting hundreds of network penetration tests, certain findings appear repeatedly across organizations of all sizes. Here are the issues we see most often:
- Weak Active Directory password policies: Password requirements that allow dictionary words, short passwords, or passwords without complexity requirements. Combined with no account lockout policy, this makes brute-force and password spraying attacks trivial.
- Kerberoastable service accounts: Service accounts with SPNs registered in Active Directory that use weak passwords. An attacker can request Kerberos service tickets for these accounts and crack them offline without triggering any alerts.
- Missing patches on critical systems: Servers and workstations running operating systems or services with known, exploitable vulnerabilities. EternalBlue (MS17-010), PrintNightmare, ZeroLogon, and similar vulnerabilities remain disturbingly common years after patches were released.
- Excessive file share permissions: Network shares accessible to all domain users containing sensitive data: financial records, HR documents, credentials, database backups, source code repositories.
- LLMNR/NBT-NS poisoning: Legacy name resolution protocols that allow an attacker on the local network to intercept authentication requests and capture NTLMv2 hashes for offline cracking.
- Default credentials: Network devices (switches, routers, printers, IoT devices, management interfaces) still configured with factory-default credentials.
- Insufficient network segmentation: Flat networks where compromise of a single workstation provides access to servers, databases, and management interfaces without any segmentation controls.
- Unencrypted protocols: Telnet, FTP, HTTP (for management interfaces), and SNMPv1/v2 transmitting credentials and sensitive data in cleartext.
The pattern: Most successful network attacks do not rely on sophisticated zero-day exploits. They exploit weak passwords, missing patches, and misconfigured services. These are preventable issues, which is exactly why regular network penetration testing matters. You cannot fix what you do not know about.
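The Kerberoasting finding above says tickets are cracked offline "without triggering any alerts"; that holds only when nobody watches for the request pattern. As an added detection example (not the article's or Lorikeet's code), the script below scans constructed Event ID 4769 records for one account requesting RC4 service tickets for several distinct service accounts in a short window; the field names assume the 4769 EventData layout, and the threshold and window are illustrative.

```python
"""Detection for the Kerberoasting finding: flag an account that requests RC4
(etype 0x17) service tickets for many distinct, non-computer SPNs in a short
window. EVENTS are constructed Event ID 4769 records, not real log data; field
names follow the Windows Security log's EventData names for 4769."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, user, service, etype):
    """Build one constructed 4769 record with the fields the detection needs."""
    return {"TimeCreated": ts, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype}

EVENTS = [
    # Normal activity: AES tickets (0x12) for a file server and a SQL service.
    ev("2026-03-02T09:00:05", "asmith@CORP.LOCAL", "FILESRV01$", "0x12"),
    ev("2026-03-02T09:00:09", "asmith@CORP.LOCAL", "svc_sql", "0x12"),
    # Two RC4 requests from one account: worth a look, but below threshold.
    ev("2026-03-02T09:05:00", "bjones@CORP.LOCAL", "svc_sql", "0x17"),
    ev("2026-03-02T09:05:30", "bjones@CORP.LOCAL", "svc_web", "0x17"),
    # Roasting pattern: five RC4 tickets for five SPNs in under two minutes.
    ev("2026-03-02T09:10:00", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    ev("2026-03-02T09:10:20", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    ev("2026-03-02T09:10:41", "jdoe@CORP.LOCAL", "FILESRV01$", "0x17"),
    ev("2026-03-02T09:10:55", "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    ev("2026-03-02T09:11:05", "jdoe@CORP.LOCAL", "svc_sccm", "0x17"),
    ev("2026-03-02T09:11:30", "jdoe@CORP.LOCAL", "svc_ldap", "0x17"),
]

RC4_ETYPE = "0x17"  # RC4-HMAC tickets crack far faster than AES: the classic signal
THRESHOLD = 4       # distinct services per account per window (illustrative)
WINDOW = timedelta(minutes=5)

def detect_kerberoasting(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: sorted distinct services} for each account whose RC4
    TGS requests cover >= threshold distinct user-owned SPNs inside window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("TicketEncryptionType") != RC4_ETYPE:
            continue
        svc = e["ServiceName"]
        # Computer accounts ($) have long random passwords and are not crackable;
        # krbtgt entries are TGT renewals, not service tickets of interest.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), svc))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _svc) in enumerate(reqs):  # slide the window over each start
            in_window = {s for t, s in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[user] = sorted(in_window)
                break
    return alerts
```

Tuning the threshold against a baseline of your own 4769 volume matters: service-heavy accounts (monitoring, backup) can legitimately touch many SPNs, so pair this rule with the encryption-type filter rather than counting requests alone.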
Tools Used in Network Penetration Testing
Network penetration testers use a combination of specialized tools for each phase of the engagement. Here are the primary tools and what they are used for:
- Nmap: The foundational network scanning tool. Used for host discovery, port scanning, service identification, and OS fingerprinting. Every network pentest starts with Nmap.
- Nessus / Qualys: Vulnerability scanners that identify known CVEs and misconfigurations across network services. Used as a supplement to manual testing, not a replacement.
- Metasploit Framework: The industry-standard exploitation framework. Contains modules for exploiting known vulnerabilities, generating payloads, and conducting post-exploitation activities.
- Impacket: A collection of Python tools for interacting with network protocols. Essential for Active Directory testing, including Kerberoasting, credential dumping (secretsdump), remote command execution (psexec), and SMB relay attacks.
- BloodHound: An Active Directory attack path analysis tool that maps relationships between AD objects and identifies paths from standard user accounts to domain admin. Invaluable for identifying AD misconfiguration risks.
- Responder: Used to poison LLMNR, NBT-NS, and mDNS requests on the local network to capture NTLM hashes for offline cracking.
- CrackMapExec / NetExec: A post-exploitation tool for enumerating and interacting with Windows networks. Useful for credential validation, share enumeration, and lateral movement.
- Hashcat / John the Ripper: Password cracking tools used to crack captured NTLM hashes, Kerberos tickets, and other credential material.
- Wireshark: Network protocol analyzer for inspecting network traffic, identifying cleartext protocols, and analyzing captured credentials.
- Certipy: Specialized tool for attacking Active Directory Certificate Services (AD CS), which has become one of the most common escalation paths in modern AD environments.
Compliance Requirements for Network Penetration Testing
Multiple compliance frameworks mandate or strongly recommend regular network penetration testing. Here is what the major frameworks require:
- PCI DSS v4.0: Requires external and internal network penetration testing at least annually and after any significant infrastructure changes. Requirement 11.4 specifies the testing methodology must cover the entire CDE (cardholder data environment) perimeter and critical systems.
- SOC 2: While SOC 2 does not explicitly mandate penetration testing, the CC7.1 criteria (detection of security events) and the risk assessment requirements make it a practical necessity. Auditors consistently expect to see recent pentest reports.
- ISO 27001: Annex A control A.12.6 (Technical Vulnerability Management) and A.18.2 (Information Security Reviews) support regular penetration testing as part of the ISMS.
- HIPAA: The Security Rule requires regular risk assessments, and penetration testing is the most effective way to identify technical vulnerabilities in systems handling ePHI.
- NIST CSF: The Identify and Detect functions recommend regular security assessments including penetration testing to validate the effectiveness of security controls.
Regardless of your specific compliance requirements, network penetration testing is a best practice that every organization with network infrastructure should perform regularly. Compliance should be a byproduct of good security, not the primary motivation.
How to Prepare for a Network Penetration Test
Proper preparation ensures your penetration test delivers maximum value. Here is what to have ready before the engagement begins:
- Define the scope. For external tests: provide the IP ranges and domains to be tested. For internal tests: specify the network segments, VLAN IDs, and any systems that are out of scope (critical production systems that cannot tolerate testing).
- Provide network documentation. Network diagrams, VLAN maps, IP address inventories, and firewall rule sets help testers understand the environment and focus their efforts efficiently.
- Coordinate access. For internal tests, the testing team needs physical or VPN access to the internal network. Arrange VPN credentials, shipping addresses for hardware appliances, or on-site access well before the engagement starts.
- Provide domain credentials. For internal tests, provide a standard domain user account (no admin privileges). This simulates the access an attacker would have after compromising a single employee workstation.
- Notify relevant teams. Your IT operations, security monitoring, and incident response teams should know that a penetration test is occurring. You do not want your SOC to mistake legitimate testing for an actual attack and disrupt the engagement.
- Establish communication channels. Set up a direct communication channel (Slack, Teams, or the Lorikeet PTaaS portal) between the testing team and your internal stakeholders for real-time updates and urgent findings.
- Define rules of engagement. Specify testing windows, escalation procedures for critical findings, and any restrictions (no denial-of-service testing, no testing during business hours, specific systems excluded).
Network Penetration Testing Cost
Network penetration testing costs vary based on the size of the network, the type of testing (internal, external, or both), and the depth of testing required. Here are realistic 2026 cost ranges:
- External penetration test (small scope, 1-10 public IPs): $2,500 - $7,500
- External penetration test (medium scope, 10-50 public IPs): $7,500 - $15,000
- Internal penetration test (small network, up to 250 hosts): $5,000 - $15,000
- Internal penetration test (medium network, 250-1,000 hosts): $15,000 - $30,000
- Combined internal + external test: $10,000 - $40,000
- Large enterprise networks (1,000+ hosts, multiple sites): $40,000+
At Lorikeet Security, network penetration testing starts at $2,500 for external assessments. We scope engagements based on actual network size and complexity, with transparent pricing published on our website. There are no hidden fees, no inflated enterprise quotes, and no mandatory multi-year contracts.
When evaluating cost, consider the value relative to the risk. The average ransomware payment in 2025 exceeded $1.5 million, not counting downtime, recovery costs, and reputational damage. A network penetration test that identifies the vulnerabilities ransomware operators would exploit costs a fraction of what a breach would.
Getting the most value: If budget is limited, prioritize internal testing over external. Most modern attacks begin with phishing or credential theft, which gives the attacker internal access immediately. Understanding what happens after an attacker is inside your network is typically more valuable than testing whether they can breach the perimeter from the outside.
How Often Should You Test Your Network?
At minimum, conduct a full network penetration test annually. PCI DSS requires this explicitly, and most compliance frameworks expect it. However, annual testing is the floor, not the ceiling. You should also test:
- After significant infrastructure changes (new network segments, firewall rule changes, cloud migrations, Active Directory restructuring)
- After a security incident to verify remediation effectiveness
- Before and after mergers or acquisitions to assess the acquired company's network security posture
- Quarterly for environments handling sensitive data (PCI, healthcare, financial services)
Between formal penetration tests, consider complementing with attack surface management for continuous visibility into your external network exposure and emerging vulnerabilities.
Secure Your Network Infrastructure
Get a comprehensive network penetration test from experienced security researchers. Internal, external, or both. Real-time findings, compliance-ready reports, starting at $2,500.