Standard Pentest Logo
Standard Pentest

Network Penetration Testing: Internal and External

Your network perimeter and internal segmentation are the foundation of every other control you operate. StandardPentest delivers automated, standardized internal and external network penetration testing aligned to NIST SP 800-115 and PTES, finding the exposed services, weak segmentation, and credential weaknesses that lead to breach. Audit-ready findings in 24 hours.

What We Test

  • External attack surface discovery (DNS, IP ranges, exposed services, forgotten subdomains)
  • Service-level vulnerabilities on web servers, mail, VPN, and remote access (RDP, SSH, SMB)
  • TLS and certificate weaknesses, including expired, weak-cipher, and misissued certificates
  • Internal segmentation testing across VLANs, subnets, and zero-trust boundaries
  • Active Directory weaknesses including Kerberoasting, ASREPRoasting, ACL abuse, and AD CS misconfigurations
  • Lateral movement paths via shared credentials, weak service accounts, and exposed management interfaces
  • Wireless network testing on request (WPA2/3 enterprise, rogue AP, captive portal bypass)
  • Detection and response gaps surfaced during testing

Our Methodology

Every network engagement runs the same four-phase workflow: external reconnaissance and asset enumeration aligned to NIST SP 800-115, automated and manual vulnerability discovery using purpose-built tooling, exploitation to confirm impact and demonstrate attack paths, and reporting that includes per-host findings and a network-wide attack-path summary. Internal testing is performed via a lightweight runner you deploy in your environment, with no agent installed on individual endpoints.

What You Get

  • An executive summary of the highest-impact attack paths from outside and inside the network
  • Per-host findings with CVSS 3.1 scoring, evidence, and reproduction steps
  • Active Directory attack-path diagrams when AD is in scope
  • Mapping to MITRE ATT&CK, NIST SP 800-115, and your applicable compliance framework
  • An attestation letter signed by our team for auditor and customer use
  • A free retest of remediated findings within 90 days

Frequently Asked Questions

Do you test internal networks remotely or onsite?

Almost always remotely via a small runner you deploy on a workstation, jump host, or VM. Onsite testing is available for environments with strict no-egress requirements but is rarely necessary.

What about Active Directory?

AD testing is a standard part of internal network engagements. We perform read-only enumeration first (BloodHound-style attack-path mapping), then move to exploitation under explicit rules of engagement. Domain admin compromise is reported but never persisted.

Will you test our production network?

Yes, with rate-limited and non-destructive techniques by default. Anything potentially disruptive (e.g., known-crash exploits, denial-of-service tests) is excluded unless explicitly scoped in writing.

How big does the IP range need to be?

Any size. We have engagements with single /32 hosts and engagements covering /16 ranges. Pricing scales with active hosts, not raw IP count.

Schedule a Pentest

Tell us your external IP ranges and rough internal size and we'll scope your test the same day.