Internal vs external penetration testing addresses two distinct questions. An external penetration test simulates an attacker who has no prior access, probing your public-facing systems from the internet. An internal penetration test simulates what happens once someone is already inside your network. Both tests matter, but they uncover different weaknesses and require different approaches.
What does an external penetration test cover?
External testing targets everything your organisation exposes to the internet. That includes websites and web applications, VPN gateways, email servers, firewalls, DNS infrastructure, and any other service with a public IP address. The tester starts with no credentials and no insider knowledge. They gather publicly available information first, then scan for open ports and vulnerabilities in the services they find.
Common findings from an external test include:
- Outdated software on internet-facing servers
- Weak or absent authentication on admin panels and remote access portals
- Misconfigured firewalls that expose services which should not be public
- SSL/TLS misconfigurations and certificate issues
- Exploitable vulnerabilities in web applications
The core question is simple: can an attacker on the internet break through your perimeter? If yes, the test maps exactly how.
What does an internal penetration test cover?
An internal test starts from inside the network. The tester receives a standard, low-privilege user account and connects either on-site or through VPN. This mirrors a realistic worst case: an attacker who phished a member of staff, bought credentials from a data breach, or piggybacked on access from a third-party supplier.
From that starting point, the tester attempts to:
- Move laterally across the network to reach sensitive systems
- Escalate privileges, often by exploiting Active Directory misconfigurations
- Access confidential data, backups, or management consoles
- Demonstrate how far a real attacker could get before detection
The most frequent findings in internal tests are shared or weak passwords and poor network segmentation. One compromised machine can often reach every other system because no meaningful separation exists. Active Directory misconfigurations that inadvertently grant elevated rights are also a consistent finding across organisations of every size.
How internal and external penetration tests compare
| Aspect | External test | Internal test |
|---|---|---|
| Starting position | No access, outside the network | Low-privilege access, inside the network |
| Simulates | Outside attacker probing your perimeter | Insider threat or post-breach attacker |
| Scope | Public-facing systems and perimeter | Internal network, servers, workstations, AD |
| Key findings | Perimeter holes, exposed services | Lateral movement paths, privilege escalation |
| Typical duration | Two to three weeks | Three to five days (access phase) |
Which should your organisation commission first?
Running an external test first is the most common sequence, and it is a reasonable starting point. Your perimeter is where outside attackers begin. If there is an exploitable path through your firewall or a VPN service running vulnerable software, fixing that before examining what happens once someone is inside makes sense.
However, external testing alone creates a false sense of coverage. Credential theft and phishing are the most common routes into organisations, not direct exploitation of public-facing systems. An attacker who buys stolen credentials bypasses your perimeter entirely and lands straight in your internal network. An internal test would have found the misconfigurations waiting for them.
From a threat-modelling perspective: most initial access in real-world attacks comes from phishing and credential theft, not from technical exploitation of public systems. External testing addresses one attack category. Internal testing addresses what follows. Together, they give you a complete picture of your exposure.
The practical position: both tests address different risks and work best run together or in close sequence. If budget limits you to one test and you have never been assessed, start externally. If you have already secured your perimeter, or you want to understand insider threat exposure, commission an internal test instead.
Organisations subject to PCI DSS, ISO 27001, or HIPAA will typically need evidence of both. UK businesses pursuing Cyber Essentials Plus will encounter a technical audit that overlaps with external testing. A full penetration test is a more thorough exercise than the Plus audit alone.
If you want to scope either type of engagement, Aardwolf Security conducts both internal and external network penetration tests for UK organisations. Get in touch for a scoped quote based on your infrastructure.
What access does an internal penetration tester need?
For an internal engagement, the tester needs:
- Network connectivity, either physical access on-site or a VPN connection with split tunnelling disabled
- A standard, low-privilege domain user account with no elevated rights
- A scoping agreement covering the network ranges in scope
The starting position is deliberately realistic. Handing the tester domain admin credentials from the outset would answer a completely different question. The test models what a real attacker achieves from a single compromised account, which is the relevant scenario for most organisations.
Some engagements also use an assumed breach variant. Here the tester gets a slightly elevated starting position to focus on what an attacker does after initial access, rather than spending engagement time replicating how they got there. This is useful when an organisation already knows its perimeter is solid and wants to test internal resilience specifically.
How often should you run each type of test?
The broad guidance: external testing every six to twelve months, internal testing at least annually. Significant infrastructure changes should trigger testing outside the normal cycle. So should new public-facing services, major shifts to remote working, or any suspected compromise.
Organisations that have never had either type of test are in a more exposed position than those who have tested only externally. Both gaps carry real risk. Regular testing confirms that the controls you have put in place hold up against someone actively trying to defeat them.
FAQ: Internal vs external penetration testing
Can an external test find internal vulnerabilities?
Not directly. An external test can identify a path into your network, but establishing what an attacker could do once inside requires a separate internal engagement. The two tests are complementary, not interchangeable.
Is an internal test more expensive than an external test?
Internal tests often cost more because the scope is broader. Rather than a defined list of public-facing hosts, the tester is assessing an entire internal network. Costs vary by network size and assessment depth. Scoping the engagement accurately before you commit is the best way to avoid surprises.
What is the difference between an internal test and a vulnerability scan?
Vulnerability scanning runs automated tools and produces a list of known weaknesses. Penetration testing goes further: a human tester actively exploits those weaknesses to demonstrate real-world impact. Some vulnerabilities look severe in a scan but cannot be chained into a meaningful attack. Others scan as low risk but prove critical in combination. Testing tells you what actually works, not just what theoretically might.
Does Cyber Essentials require penetration testing?
Cyber Essentials itself does not mandate penetration testing. Cyber Essentials Plus includes a technical audit with some overlap, but a full penetration test is a more thorough exercise. Many organisations run both to provide a stronger security assurance baseline, particularly where contracts or procurement require it.
Should I run both tests simultaneously?
It is possible to run external and internal engagements at the same time. More commonly, they are sequenced: external first, then internal. Using the external findings helps sharpen the internal scope. Coordinating timing with your provider avoids one engagement creating noise that complicates the other.