What Is External Penetration Testing?
External penetration testing is how you find out what an attacker on the public internet can actually do to your business — before they do it. This guide explains what's in scope, how it works, what it costs, and why most organisations are moving from annual tests to continuous validation.
1. What is external penetration testing?
An external penetration test is an authorised, simulated cyber attack against the systems your organisation exposes to the public internet — websites, web apps, APIs, email and DNS infrastructure, VPN gateways, cloud services and any other internet-facing asset. The goal is to identify, validate and safely exploit weaknesses the way a real attacker would, then report on impact and remediation.
It's different from an internal test (which assumes the attacker is already inside your network) and from a vulnerability scan (which only lists what might be exploitable). A proper external pen test proves what is.
2. What does it cover?
A typical external scope includes:
- Public websites and marketing properties
- Web applications, customer portals and admin panels
- Public and partner-facing APIs (REST, GraphQL, SOAP)
- Authentication endpoints, SSO and identity providers
- Email infrastructure (SPF, DKIM, DMARC, spoofing)
- DNS configuration and subdomain takeover risk
- VPN, remote access and management interfaces
- Cloud-exposed storage, databases and serverless endpoints
- Leaked credentials, secrets and source code in the wild
For a breakdown of how RADAR maps these to continuous coverage, see the What we cover section on the homepage.
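The "Email infrastructure (SPF, DKIM, DMARC, spoofing)" item above is one of the scope areas where the finding is almost entirely about configuration. The script below is an added example written for this guide, not code from the page or from RADAR: it parses SPF and DMARC TXT records and flags the weak settings a tester would typically report (no record, SPF that never fails unauthorised senders, DMARC in monitor-only mode, partial enforcement, no aggregate reporting). The domains and record strings are constructed samples, and the HIGH/MEDIUM/LOW labels are illustrative ratings chosen here; in real use you would fetch the TXT records with a DNS resolver and pass the strings to the same functions.

```python
"""Offline checker for SPF/DMARC weaknesses (added example; sample data is constructed)."""

# Constructed sample records for hypothetical domains; 203.0.113.0/24 is a documentation range.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@hardened.example; ruf=mailto:forensic@hardened.example",
    },
    "noauth.example": {"spf": None, "dmarc": None},  # no email authentication published at all
}

# SPF mechanisms/modifiers that each consume one of the 10 DNS lookups allowed by RFC 7208.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return {'mechanisms', 'all', 'lookups'} for an SPF record, or None if it is not SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier, lookups = [], None, 0
    for term in record.split()[1:]:
        qualifier, body = "+", term          # SPF terms default to the "+" (pass) qualifier
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        if body.lower() == "all":
            all_qualifier = qualifier        # what happens to senders no mechanism matched
            continue
        mechanisms.append(body)
        name = body.split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Return DMARC tags as a lower-cased dict, or None if the string is not a DMARC record."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(spf_record, dmarc_record):
    """Return a list of findings (severity: description) for one domain's SPF and DMARC."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("HIGH: no SPF record; any host can send as this domain")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("HIGH: SPF does not fail unauthorised senders (missing, +all or ?all)")
        elif spf["all"] == "~":
            findings.append("MEDIUM: SPF ends in ~all (softfail); receivers may still deliver spoofed mail")
        if spf["lookups"] > 10:
            findings.append("MEDIUM: SPF exceeds the 10 DNS lookup limit and evaluates to permerror")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("HIGH: no DMARC record; SPF/DKIM results are never enforced")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy == "none":
        findings.append("HIGH: DMARC p=none (monitor only); spoofed mail is not rejected")
    elif policy == "quarantine":
        findings.append("LOW: DMARC p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("HIGH: DMARC policy tag missing or invalid")
    sub_policy = dmarc.get("sp", "").lower()
    if sub_policy and sub_policy != "reject":
        findings.append(f"MEDIUM: DMARC sp={sub_policy} leaves subdomains weaker than the parent")
    pct = dmarc.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"MEDIUM: DMARC pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in dmarc:
        findings.append("LOW: no rua= address; no aggregate reports to detect abuse")
    return findings


def report(records=SAMPLE_RECORDS):
    """Assess every domain in the sample set; returns {domain: [findings]}."""
    return {d: assess_email_auth(r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in report().items():
        print(domain, "->", findings or ["no SPF/DMARC weaknesses found"])
```

The check is deliberately conservative: SPF alone only says which hosts may send, so the DMARC policy is what decides whether a spoofed message is actually rejected, which is why p=none is rated as high as having no record at all.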
3. How an external pen test works
Scoping
Agree the in-scope assets, rules of engagement, testing windows and emergency contacts.
Reconnaissance
Map the external attack surface — domains, subdomains, IPs, technologies, exposed services and people.
Discovery & scanning
Identify vulnerabilities across infrastructure and applications using a mix of automated tooling and manual techniques.
Exploitation & validation
Safely prove each finding is real, chain weaknesses where possible, and measure business impact.
Reporting
Deliver a CREST-grade report with executive summary, technical detail, evidence and prioritised remediation.
Re-test
Verify that the fixes have closed each finding, and provide a pen test certificate on completion.
4. External vs internal pen testing
External
Simulates an unauthenticated attacker on the internet. Tests what the world can see — perimeter, public apps, APIs, exposed services.
Internal
Simulates an attacker already inside — a compromised workstation, malicious insider or breached supplier. Tests segmentation, privilege escalation and lateral movement.
Mature security programmes run both. RADAR covers external and internal continuously, not just once a year.
5. Pen testing vs vulnerability scanning
Vulnerability scanners are essential but limited — they produce long lists of potential issues with no proof of exploitability or business impact, and they generate a lot of false positives. A penetration test validates findings, chains them together, and tells you which ones a real attacker would actually use. The modern answer is to combine continuous scanning with human validation — which is exactly the model RADAR uses.
6. How often should you run one?
The minimum baseline is annually, plus after any significant change — new application release, infrastructure migration, merger or acquisition. In reality, your attack surface changes every week. A 12-month gap between tests means up to 364 days of unvalidated exposure. This is the reason continuous external testing has become the default for security-mature organisations.
7. Compliance & regulatory drivers
External penetration testing is referenced — directly or indirectly — by every major framework: ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR, NIS2, DORA and Cyber Essentials Plus. Auditors increasingly expect evidence of continuous testing, not just an annual report dated 11 months ago.
8. How much does it cost?
A traditional one-off external pen test typically ranges from £3,000 to £25,000+ depending on the size of the external estate, the number of applications, and the depth of testing. Continuous services are priced by attack surface size or via prepaid hour packs — see RADAR's pricing for current rates.
9. The shift to continuous external testing
Attackers don't wait for your annual test window. Continuous external pen testing — sometimes called PTaaS (Penetration Testing as a Service) — combines always-on automated scanning with on-demand human validation, so every finding is verified and exploitable issues are prioritised in real time. For a market overview, read our independent Top 10 Continuous Penetration Testing Platforms in 2026.
10. How to choose a provider
- CREST certification — both the company and the individual testers should be CREST-approved.
- Human validation — automation alone produces noise; insist on humans confirming findings.
- Continuous coverage — a yearly snapshot leaves you exposed for 364 days.
- Clear, actionable reporting — auditor-ready evidence and remediation guidance developers can use.
- Transparent pricing — prepaid hour packs or surface-based pricing, no surprise day rates.
FAQ
How often should you run an external pen test?
At minimum annually and after significant change. Continuous services replace the once-a-year snapshot with year-round validated findings.
Is external pen testing the same as a vulnerability scan?
No. Scans find potential issues; a pen test validates and safely exploits them to prove real impact.
How much does it cost?
One-off tests start around £3,000 for a small estate. Continuous PTaaS is priced by attack surface or hour packs.
See your external attack surface
Book a 20-minute intro with the Disruptors team and we'll walk you through what RADAR sees on your perimeter today.