A penetration test (commonly known as a pentest) is a security assessment which simulates the malicious activities of real-world attackers to identify security holes in your business’s systems or applications. The aim of conducting a pen test is to understand what vulnerabilities are in your business systems, how they could be exploited, and what the business impacts would be if an attacker was successful.
One of the first types of penetration test organisations usually perform is the external pen test. External penetration testing (also known as external network penetration testing) is a security assessment of an organisation’s perimeter systems. Your perimeter comprises all those systems which are directly reachable from the internet. By nature, they are the most exposed systems as they are out in the open and are therefore the most easily and regularly attacked.
The aim of an external pentest is to find ways to compromise your accessible (external) systems and services, gain access to sensitive information, and discover methods an attacker could use to attack your clients or users. In a quality external pentest, the security professional(s) conducting the assessment will replicate the activities of real hackers, including executing exploits to attempt to gain control of systems. They will also test the extent of any weaknesses discovered to see how far a malicious attacker could burrow into your network and what the business impact of a successful attack would be.
External penetration testing usually tests from the perspective of an attacker with no prior access to your systems or networks. This is different to another common type, the internal penetration test. Internal penetration testing instead tests the scenario where an attacker already has a foothold on a compromised machine or is physically in the building. It usually makes sense though to first cover off the fundamentals and consider internal testing only after both regular vulnerability scanning and external penetration testing are being performed.