Network Penetration Testing: External and Internal Infrastructure

Network penetration testing assesses the infrastructure beneath your applications — the exposed services, edge appliances, segmentation and privilege paths that an attacker uses to gain a foothold and move through your environment. Matproof Sentinel maps your network attack surface, tests it from both the external perimeter and an assumed-breach internal position, and proves which weaknesses are genuinely exploitable. You get an audit-ready report mapped to ISO 27001, NIS2 and DORA. Free 3-minute scan, full report from €149.

Run free network scan

Written by Malte Wagenbach

Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).

Last reviewed: May 17, 2026

Why network-layer testing still matters in a cloud-first world

Even cloud-native organisations run on networks: VPCs and security groups, VPN and identity gateways, internal services that trust each other implicitly, and the management interfaces that quietly accumulate at the edges. Network penetration testing answers two questions applications cannot: what can an attacker reach and exploit at the infrastructure layer from outside, and how far can they move once they are inside. The external dimension finds exposed services, vulnerable edge appliances (the repeat cause of high-profile breaches), and misconfigured cloud network controls. The internal dimension assumes a breach has already happened — a phished credential, a compromised host — and measures lateral movement, privilege escalation, and whether your segmentation actually contains an intruder or merely looks like it does on a diagram. NIS2 Art. 21 and DORA Art. 24 both expect infrastructure-level technical testing, and cyber-insurers increasingly require evidence that segmentation and privileged access have been tested, not just designed.

Edge appliances (VPN, firewall, file-transfer, mail) remain a top initial-access vector — known-CVE RCEs are weaponised within days; network testing confirms whether yours are reachable and exploitable.
Network segmentation is frequently aspirational: a test from an assumed-breach position reveals whether a compromised host can actually reach your crown-jewel systems, or is genuinely contained.
Privilege escalation and lateral movement — weak service accounts, reused credentials, over-permissive trust between internal services — turn a single foothold into a full compromise.
Cloud network controls drift: over-broad security groups, exposed management ports and forgotten peering routes are common and are exactly what infrastructure testing surfaces.
NIS2 Art. 21, DORA Art. 24 and ISO 27001:2022 A.8.20–A.8.22 (network security and segregation) expect tested — not merely documented — network controls.

What Matproof tests in a network penetration test

External service exposure: open ports, management interfaces, databases reachable from the internet, RDP/SSH exposure, default/weak credentials
Edge appliance vulnerabilities: VPN, firewall and file-transfer devices fingerprinted and checked for known RCE and auth-bypass CVEs
Cloud network configuration: over-permissive security groups/NSGs, exposed metadata services, misconfigured peering and routing, public storage
Segmentation validation (assumed-breach): from a foothold, what other network segments and systems can actually be reached
Lateral movement: credential reuse, exposed service accounts, SMB/LDAP/Kerberos weaknesses, pass-the-hash exposure where applicable
Privilege escalation paths from standard to administrative access on reachable hosts and services
TLS and protocol hardening (RFC 8446), weak ciphers, and exposed legacy protocols
Detection coverage: which test actions would (or would not) generate alerts, mapped to MITRE ATT&CK for your SOC
Findings risk-rated with CVSS 3.1 and mapped to ISO 27001 A.8.20–A.8.22, NIS2 Art. 21 and DORA Art. 24 for audit-ready evidence

Sample finding

High

Flat network let a low-privilege foothold reach the production database

From an assumed-breach position on a developer workstation segment, Sentinel reached the production database server directly on port 5432 — the segmentation that was supposed to isolate production from the corporate/dev network was not actually enforced at the network layer. Combined with a service account whose credentials were reused from a staging system, this provided a direct path from a single phished laptop to the production data store. Network segmentation that exists on the architecture diagram but not in the firewall rules is one of the most common and most damaging findings in internal network testing.

Fix: Enforce segmentation at the network layer: production data systems must be reachable only from explicitly authorised application subnets, never from corporate or developer segments — verify with deny-by-default rules, not allow-lists that have drifted. Rotate and uniquify the reused service-account credentials, and move to short-lived, scoped credentials where possible. Re-test the segmentation from each source segment to confirm containment. Sentinel records the before/after reachability in the report as evidence for ISO 27001 A.8.22 and DORA testing requirements.

Reference: CWE-923 Improper Restriction of Communication Channel · ISO 27001:2022 A.8.22 Segregation of Networks · MITRE ATT&CK TA0008 Lateral Movement · NIS2 Art. 21 technical measures

Network pentest: free scan vs Matproof Sentinel vs traditional consultancy

—	Free scan	Matproof Sentinel	Traditional consultancy
Automated scan engine	✓ (3-min preview)	✓ Full scan	✗ Manual only
OWASP Top 10 coverage	Partial	✓ Complete	✓ Complete
Proof-of-exploit evidence	✗	✓ Per finding	✓ Per finding
Regulatory mapping (DORA/NIS2/ISO 27001)	✗	✓ Automated	✓ Manual
Audit-ready PDF report	✗	✓ Instant	✓ 2–4 weeks delivery
Continuous / recurring scans	✗	✓ Per deploy	✗ Annual engagement
Time to first result	~3 min	~30 min full scan	2–4 weeks
Price	€0	From €149	€8,000–€25,000
Source code review (SAST)	✗	✓ On Growth plan	✓ Scoped engagement
API testing (REST/GraphQL)	✗	✓ Automated	✓ Manual

Network penetration testing pricing

Single Run

€149 one-time

1 full pentest scan
AI-prioritized findings with CVSS 3.1
Proof-of-exploit per finding
Audit-ready PDF report
Regulatory mapping (DORA, NIS2, ISO 27001)

Unlimited scans (up to 3 domains)
Continuous monitoring
CI/CD integration (GitHub, GitLab)
All regulatory mappings
Priority support

Start Starter →

Growth

€799 / month

Unlimited scans + domains
Authenticated / White-Box testing
API & cloud infrastructure tests
Dedicated security account manager
24h SLA response time

Contact for Growth →

Frequently asked questions about network penetration testing

What is network penetration testing?

Network penetration testing assesses your infrastructure — exposed services, edge appliances, cloud network configuration, segmentation and privilege paths — rather than the application logic that runs on top of it. It is typically split into an external phase (what an attacker can reach and exploit from the internet) and an internal phase (how far an attacker can move once inside).

Is network penetration testing still relevant if we're fully in the cloud?

Yes. Cloud environments are still networks: VPCs, security groups, VPN and identity gateways, and internal service trust relationships all have network-layer attack surface. Over-permissive security groups, exposed metadata services and misconfigured peering are common cloud network findings, and segmentation between workloads still needs to be tested rather than assumed.

What is the difference between network, external and internal testing?

Network testing is the infrastructure layer; it spans both external (perimeter) and internal (assumed-breach) perspectives. Our external penetration testing page focuses on the internet-facing perimeter specifically, and our internal penetration testing page focuses on lateral movement and privilege escalation once an attacker is inside. Many organisations scope a network test to include both.

How much does a network penetration test cost?

Traditional consultancy network pentests range widely with the number of hosts and IPs in scope — roughly £2,000–£6,000 for a focused external network test, more for large internal estates — over 2–4 weeks. Matproof Sentinel delivers continuous external network testing and an audit-ready report from €149 (single run) or €299/month; complex internal segmentation engagements are scoped on the Growth plan.

Go deeper — related blog articles

Test your network from the perimeter and from the inside

Run a free 3-minute external scan now, or get a full network penetration test report — exposed services, segmentation and privilege paths, proof-of-exploit per finding, mapped to ISO 27001, NIS2 and DORA — from €149.