CVE
Critical RCE
Found in OSINT
Internet-facing
All exposed assets tested
OSINT
Recon performed pre-exploitation
Real attacker
Simulated threat actor perspective
Written report
Findings and remediation steps
OSINT & Attack Surface Enumeration
We map your external attack surface using passive and active reconnaissance: DNS enumeration, certificate transparency logs, Shodan, LinkedIn, job postings, and code repositories to build a complete picture of what is visible about your organization to an external attacker. This phase often reveals forgotten assets and exposed information that internal teams are unaware of.
External Infrastructure Vulnerability Testing
We probe internet-facing servers, firewalls, VPNs, remote access solutions, and network devices for known vulnerabilities, default credentials, outdated software, and misconfigurations. We go beyond automated scanning with manual verification of every finding to eliminate false positives and confirm real exploitability.
Web Application & API Testing
External-facing web applications and APIs are probed for the OWASP Top 10 vulnerabilities, authentication weaknesses, and business logic flaws. We test login portals, password reset flows, API authentication, and any functionality accessible without authentication.
Email Security Testing
We test your email infrastructure for SPF, DKIM, and DMARC configuration weaknesses that enable domain spoofing. We also test email gateway bypass techniques and verify that phishing simulations cannot be trivially blocked by simple header analysis.
Remote Access & VPN Testing
VPN concentrators, remote desktop gateways, and Citrix environments are common targets for external attackers. We test for known vulnerabilities in your remote access infrastructure, weak authentication configurations, and split-tunneling issues that could allow an attacker to bridge from a remote connection into your internal network.
External Attack Surface Report
Findings are documented with screenshots, exploitation steps, business impact, and CVSS severity ratings. We include an executive-level attack surface summary showing which external-facing systems represent the highest risk, and a prioritized remediation roadmap.
What Makes Us Different From Others
- Attacker Perspective We approach your external surface exactly as a real attacker would: starting from public information and working inward. This reveals risks that inside-out security reviews miss.
- Manual Verification of All Findings Every finding is manually verified before inclusion in the report. We never include unconfirmed automated scanner output.
- Full Attack Chain Demonstration Where multiple external findings chain together into a complete compromise path, we demonstrate the full chain rather than reporting individual issues in isolation.
- OSINT Coverage We include open-source intelligence gathering as part of every external engagement: LinkedIn employee enumeration, code repository scanning, domain history: because real attackers use this information.
- Remediation Prioritized by Exposure Findings are prioritized based on internet reachability and ease of exploitation, so your team focuses on what matters most first.
- Retesting Included We verify that firewall rules, patch deployments, and configuration changes have closed the identified vulnerabilities.
garrisonOne's external test found our legacy VPN concentrator running firmware from 2019 with a known unauthenticated RCE vulnerability. It was internet-facing and we had completely forgotten it was there. They found it in hour one of OSINT. We patched immediately and decommissioned the device within a week. That finding alone justified the entire engagement.
Client results
See how we have helped
Retail
E-Commerce — PCI DSS Penetration Test
Pre-PCI DSS audit penetration test uncovered critical vulnerabilities in the payment processing environment. All findings remediated before the QSA assessment.
Critical
Findings remediated
PCI DSS
Audit passed
0
Post-test failures
Manufacturing
Distributor — Network Security Assessment
Full network penetration test and security assessment for a regional distributor ahead of cyber insurance renewal. Coverage secured at preferred rates.
Network
Fully assessed
Insurance
Coverage secured
CMMC
Readiness achieved
Industry focus
Industries we serve
Related Services: Penetration Testing | Network Penetration Testing | Internal Network Testing | Web App Penetration Testing
Frequently asked questions
What does external penetration testing cover?
External penetration testing covers all internet-facing assets associated with your organization: web applications, APIs, VPN concentrators, remote access gateways, mail servers, DNS infrastructure, internet-facing databases, and any other service accessible from the public internet. We also include OSINT collection to identify exposed information about your organization that attackers could use.
What information do you need to start external testing?
At minimum, we need the IP ranges or domain names that are in scope for testing. For a more focused engagement, a list of known external-facing applications and services is helpful. We also conduct our own enumeration to identify assets you may not be aware of.
Do you test from a completely external perspective or with credentials?
Standard external testing is conducted with no prior access: simulating an anonymous attacker. We can also conduct external testing from an authenticated perspective (simulating a user who has obtained credentials through phishing) to test what a partially compromised account can do from outside the network.
How is external testing different from a vulnerability scan?
A vulnerability scan identifies known vulnerabilities using automated tools. External penetration testing adds manual exploitation verification, OSINT collection, chained attack path analysis, and testing for vulnerabilities that automated tools cannot find: business logic flaws, authentication bypass paths, and configuration issues specific to how your services are deployed.
What is OSINT and why does it matter for external testing?
Open-source intelligence (OSINT) is publicly available information about your organization. Attackers use it to identify employees to target in phishing campaigns, understand your technology stack, find exposed credentials in data breaches, and discover forgotten assets. We include OSINT collection in external testing to show you what attackers can learn about you before they even start technical scanning.
How long does external penetration testing take?
An external penetration test typically takes one to two weeks depending on the number of in-scope assets and applications. We provide a clear timeline during scoping.
Do you test email security as part of external testing?
Yes. We test SPF, DKIM, and DMARC configurations that prevent domain spoofing, and identify email security weaknesses that could be exploited in phishing campaigns targeting your employees or clients.
How often should external penetration testing be done?
Most organizations conduct external penetration testing annually at minimum. PCI DSS requires external testing annually and after significant changes. Organizations undergoing rapid infrastructure changes: new applic