External Penetration Testing: Your Internet-Facing Attack Surface, Proven
External penetration testing assesses everything an attacker can reach from the public internet without prior access — your web applications, APIs, mail and VPN gateways, exposed admin panels, cloud storage and the misconfigurations that quietly accumulate at the perimeter. Matproof Sentinel discovers your external attack surface, tests it the way an unauthenticated attacker would, and confirms each exploitable weakness with proof-of-exploit. You get an audit-ready report mapped to ISO 27001, SOC 2, NIS2 and DORA. Start with a free 3-minute external scan, or get a full report from €149.
Why the external perimeter is where most breaches actually start
The internet-facing perimeter is the part of your estate an attacker can probe 24/7 with zero authentication and zero warning — and it is also the part that drifts the fastest. A forgotten staging subdomain, an S3 bucket made public 'temporarily', an admin interface exposed after a migration, a VPN appliance running a version with a known RCE: each is a complete breach waiting to happen, and none requires the attacker to phish anyone. External penetration testing exists to find these before they are found for you. Most automated scanners enumerate the perimeter but cannot tell you which findings are actually exploitable, so teams drown in noise and miss the one issue that matters. A real external pentest discovers the full surface (including the assets you have forgotten you own), prioritises by genuine exploitability, and proves the impact. This is also the testing class most explicitly demanded by frameworks and buyers: ISO 27001:2022 A.8.8, NIS2 Art. 21 baseline measures, and almost every enterprise security questionnaire ask for evidence that the external estate is tested regularly.
- Attack-surface drift is constant: subdomains, cloud buckets, exposed dashboards and shadow IT appear faster than most teams track them — external testing starts by discovering what you actually expose, not just what you think you expose.
- Edge appliances (VPN, firewall, file-transfer, mail gateways) are repeat breach vectors — known-CVE RCEs in these devices are exploited within days of disclosure; an external pentest confirms whether yours are reachable and vulnerable.
- Unauthenticated exposure is the highest-severity class: data that can be retrieved without any login, admin panels reachable from the internet, and default credentials are full compromises, not theoretical risks.
- Scanners report thousands of perimeter 'issues' with no exploitability context — an external penetration test ranks by what an attacker can actually do and proves it, so engineering fixes the right things first.
- ISO 27001:2022 A.8.8, SOC 2 CC7.1, NIS2 Art. 21 and DORA Art. 24 all expect documented testing of internet-facing systems — external test evidence is the most commonly requested item in B2B security reviews.
What Matproof tests in an external penetration test
- Attack-surface discovery: subdomain enumeration, DNS records, exposed cloud storage (S3/GCS/Azure Blob), forgotten staging and pre-production hosts, shadow assets
- Exposed services and ports: management interfaces, databases reachable from the internet, RDP/SSH exposure, default and weak credentials
- Edge appliance CVEs: VPN, firewall and file-transfer appliances fingerprinted and checked for known remote-code-execution and authentication-bypass vulnerabilities
- Web and API entry points: OWASP Top 10 (2021) and OWASP API Top 10 (2023) testing of every internet-facing application and endpoint
- TLS and email security: TLS configuration (RFC 8446), certificate issues, SPF/DKIM/DMARC posture, open relays
- Security misconfiguration (OWASP A05:2021): missing security headers, verbose error disclosure, directory listing, exposed .git/.env and backup files
- Authentication exposure: credential-stuffing reachability, password-spray resistance, exposed SSO and admin login surfaces
- Information leakage: metadata, version disclosure, and public-facing files that reveal internal architecture to an attacker
- Findings risk-rated with CVSS 3.1 and mapped to MITRE ATT&CK (Initial Access, T1190 Exploit Public-Facing Application) and to ISO 27001 / NIS2 / DORA controls
Sample finding
Exposed .env file leaked production database credentials
During external attack-surface discovery, Sentinel retrieved a publicly accessible .env file at the web root (https://app.example.com/.env) — left behind by a deployment misconfiguration. The file contained live production database credentials, a third-party payment API secret and the application's JWT signing key. With the JWT signing key alone, an attacker can forge authentication tokens for any user, including administrators. This is OWASP A05:2021 Security Misconfiguration, requires no authentication to exploit, and is exactly the kind of perimeter exposure that an external penetration test is designed to catch before an attacker's automated crawler does.
Fix: Immediately rotate every credential disclosed (database password, payment API secret, JWT signing key) — assume they are compromised. Remove the .env file from the web-served directory and add deployment checks that block dotfiles and secret files from being served. Configure the web server to deny requests for .env, .git and backup file patterns. Add a CI gate and an external monitoring scan (Sentinel does this continuously) so re-exposure is caught within minutes, not months. Sentinel re-tests the path after remediation and records the verification for your audit evidence.
Reference: OWASP A05:2021 Security Misconfiguration · CWE-312 Cleartext Storage of Sensitive Information · MITRE ATT&CK T1552.001 Credentials in Files · ISO 27001:2022 A.8.9 Configuration Management
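The two checks the fix above calls for (a CI gate that refuses to ship secret files into the web root, and a re-test of the live paths after remediation) can be scripted in a few dozen lines. The following is an added example, not Matproof or Sentinel code, and it assumes the deploy artifact is staged in a directory that the web server later serves verbatim; the denylist patterns and the sample directory tree are constructed for illustration.

```python
"""CI gate and post-deploy verification for secret files at the web root.

Added example (not Matproof/Sentinel code). Assumes the deploy artifact is
staged in a directory before upload and the web server serves it verbatim.
The patterns below are a constructed starting list, not an exhaustive one.
"""
import os
import re
import sys
import tempfile
from typing import Callable, Iterable, List

# Web-root-relative paths (POSIX style) that must never be served. Each
# entry is a regex matched against the whole relative path, so both
# ".git/config" and "backup/db.sql" are caught.
BLOCKED_PATTERNS = [
    r"(^|/)\.env(\..*)?$",                     # .env, .env.local, .env.production
    r"(^|/)\.git(/|$)",                        # anything under a shipped .git dir
    r"(^|/)\.(htpasswd|svn|hg)(/|$)",
    r"\.(bak|old|orig|swp|tmp)$",              # editor / backup copies
    r"\.(sql|sql\.gz|tar|tar\.gz|tgz|zip)$",   # database dumps and archives
    r"(^|/)(id_rsa|id_ed25519)$",              # private keys
]
_BLOCKED = [re.compile(p) for p in BLOCKED_PATTERNS]


def is_blocked_path(rel_path: str) -> bool:
    """True if a web-root-relative path matches any denied pattern."""
    rel_path = rel_path.replace(os.sep, "/").lstrip("/")
    return any(rx.search(rel_path) for rx in _BLOCKED)


def find_exposed_secret_files(webroot: str) -> List[str]:
    """Walk the staged web root and return every file that would be served
    but matches the denylist. Sorted so CI output is stable."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            if is_blocked_path(rel):
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def verify_paths_blocked(base_url: str, probe_paths: Iterable[str],
                         fetch: Callable[[str], int]) -> List[str]:
    """Post-remediation re-test: request each path from the live server and
    return those that still answer 2xx. `fetch` maps a URL to an HTTP status
    code, so a real HTTP client (or a stub in tests) can be injected."""
    still_exposed = []
    for p in probe_paths:
        status = fetch(base_url.rstrip("/") + "/" + p.lstrip("/"))
        if 200 <= status < 300:
            still_exposed.append(p)
    return still_exposed


def _build_sample_tree() -> str:
    """Constructed sample deploy directory: a normal site plus three leaks."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<h1>hello</h1>",
        "assets/app.js": "console.log(1)",
        ".env": "DB_PASSWORD=example\nJWT_SECRET=example",  # leak (constructed)
        "backup/db-2024.sql.gz": "binary",                 # leak (constructed)
        ".git/config": "[core]",                           # leak (constructed)
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # CI usage: python check_webroot.py <staged-dir>; a non-zero exit blocks the deploy.
    root = sys.argv[1] if len(sys.argv) > 1 else _build_sample_tree()
    leaks = find_exposed_secret_files(root)
    for leak in leaks:
        print(f"BLOCKED: {leak} must not be deployed to the web root")
    sys.exit(1 if leaks else 0)
```

Run the script against the staged directory as the last step before upload; the same denylist can be reused to generate the web server's deny rules so that the CI gate and the server agree on what is never served. After rotating the leaked credentials, call `verify_paths_blocked` with a real HTTP client against the production host to record that the paths now return a non-2xx status.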
External pentest: free scan vs Matproof Sentinel vs traditional consultancy
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
External penetration testing pricing
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about external penetration testing
What is external penetration testing?
External penetration testing assesses the security of your internet-facing systems from the perspective of an unauthenticated attacker on the public internet. It covers your web applications, APIs, mail and VPN gateways, exposed services, cloud storage and the misconfigurations that accumulate at the perimeter. The goal is to find — and prove — what an attacker could compromise with no prior access, before they do.
What is the difference between external and internal penetration testing?
External testing starts from the public internet with no access and targets your perimeter. Internal testing assumes an attacker is already inside the network — a phished employee, a compromised laptop, a malicious insider — and measures how far they can move laterally and escalate privileges from there. Both matter: external testing reduces the chance of initial compromise; internal testing limits the damage if compromise happens anyway. See our internal penetration testing page for the assumed-breach perspective.
How much does an external penetration test cost?
Traditional consultancy external network pentests in the UK typically run £2,000–£6,000 depending on the number of in-scope hosts and IPs, and take 2–4 weeks to schedule and deliver. Matproof Sentinel delivers an audit-ready external pentest report from €149 (single run), or €299/month for continuous external monitoring. Because the perimeter drifts constantly, continuous external testing usually delivers far better value than an annual snapshot — see our penetration testing cost guide.
How often should external penetration testing be done?
Annually is the compliance floor, but the external perimeter changes far more often than once a year — new subdomains, cloud resources and appliance updates appear weekly. Best practice is continuous external attack-surface monitoring with a deeper test at least annually and after any significant infrastructure change. Continuous testing is also what catches the 'temporary' exposure that would otherwise sit open for months.
Does an external penetration test satisfy ISO 27001, SOC 2, NIS2 or DORA?
External testing is a core component of the evidence those frameworks expect, but rarely the whole picture. ISO 27001 A.8.8 and SOC 2 CC7.1 expect testing of internet-facing systems plus a documented remediation process; NIS2 Art. 21 and DORA Art. 24 expect regular technical testing of critical systems. The Sentinel external pentest report maps findings directly to these controls, and most organisations combine external testing with web-application and (where relevant) internal testing for full coverage.
Map and test your external attack surface
Run a free 3-minute external attack-surface scan now, or get a full external penetration test report — proof-of-exploit per finding, mapped to ISO 27001, SOC 2, NIS2 and DORA — from €149.
Run free external scan