Internal and perimeter network penetration testing: what it covers and when your company needs it

By the QuantumSec team

A network pentest assesses the security of your network infrastructure — perimeter (what faces the Internet) and internal (what sits behind the firewall) — by simulating what a real attacker would do once inside. Unlike an automated scan, it manually confirms which misconfigurations are exploitable, how far an attacker could move laterally, and which critical assets would be exposed if the perimeter fell.

What a network pentest is: perimeter vs internal

A perimeter pentest assesses systems directly exposed to the Internet: firewalls, VPNs, mail servers, published services. An internal pentest starts from inside the corporate network — simulating a malicious employee, a compromised device, or an attacker who already got past the perimeter — and assesses what it can reach from there: segmentation between departments, access controls, and above all, the path to Active Directory and the most critical assets. Most real breaches combine both: entry through the perimeter, impact through internal movement.

What vulnerabilities it looks for

  • Misconfigurations in firewalls, routers and switches: overly permissive rules, management exposed to the Internet.
  • Vulnerable or misconfigured VPNs: outdated versions, weak authentication, insecure split-tunneling.
  • Unencrypted or vulnerable legacy protocols: SMBv1, LLMNR, NBT-NS, Telnet.
  • Poor network segmentation: badly isolated VLANs, guest network with access to internal systems.
  • Lateral movement paths toward Active Directory and critical assets.
  • Default or weak credentials on network devices and management systems.
  • Services unnecessarily exposed externally.

Automated network scanning vs a real pentest

A vulnerability scanner identifies outdated software versions and known CVEs by matching signatures against a database. A real pentest goes further: it chains apparently low-risk findings into a full attack path (for example, a weak credential on a network IoT device that allows pivoting to a domain controller), manually confirms exploitability in your specific environment, and demonstrates the real impact, not just the potential one.

When does your company need a network pentest?

Before assuming a network that has never been formally audited is secure. After significant infrastructure changes: a new office, a network merger following an acquisition, a network provider migration. As part of NIS2 or the Spanish National Security Framework (ENS) compliance, which require periodic assessments. After a security incident, to confirm the entry vector is closed. And as a recurring practice — at least annually — if your network hosts critical systems, sensitive data or Active Directory.

What you receive at the end

A technical report with each finding documented, evidence, criticality (CVSS) and reproduction steps, plus an executive report aimed at management with the overall risk level and remediation priorities. It includes a closing meeting to resolve questions and, if agreed, a follow-up re-test to verify critical vulnerabilities have been fixed.

FAQ

Does an internal network pentest require physical access to my offices?

Not necessarily. It can be run remotely via a device or VPN deployed on your network, or on-site if preferred. Both approaches are common; it is agreed based on your network architecture and preferences.

How often should a network pentest be repeated?

At least once a year, and whenever there are significant infrastructure changes (new office, merger, network provider migration). If you are subject to NIS2 or the ENS, the regulation may require a specific cadence depending on your categorization.

Does an internal network pentest interfere with daily operations?

The goal is that it doesn't. An execution window is agreed, and if something poses an immediate risk to availability, it is communicated before proceeding. Most tests are passive or have low operational impact.