What is the difference between external and internal infrastructure testing?
External testing looks at everything an attacker can reach from the internet: your public IP ranges, VPNs, mail, remote access and anything else exposed at the perimeter. Internal testing starts from a foothold inside the network, a plugged-in laptop, a phished user or a rogue insider, and shows how far an attacker can push from there towards your servers, your domain and your data. Most organisations need both, because they answer different questions.
Do you test cloud infrastructure like AWS, Azure and Google Cloud?
Yes. We test infrastructure wherever it runs, including AWS, Azure and Google Cloud. That covers the services and identity you expose to the internet, and, where it is in scope, a look at the configuration and permissions inside your cloud accounts that an attacker would abuse after getting a foothold. We agree the exact boundaries with you up front so the testing stays within your provider rules.
Can you test kit hosted in a third-party datacentre?
Yes. Whether your servers sit in your own comms room, in colocation or in a fully managed datacentre, we can test them. The one thing we need is authorisation: where a third party owns or hosts the kit, they usually have to sign off the testing window and scope alongside you. We will tell you exactly what that involves and help you get it in place before anything starts.
Do you test network segmentation and PCI cardholder data environments?
Yes. We routinely test whether the boundaries you rely on actually hold, for example that a flat office network cannot reach a sensitive server estate, or that your cardholder data environment is properly separated for PCI DSS. We check firewall and VLAN rules from both sides, confirm what can genuinely cross the boundary, and show you where segmentation is weaker than the diagram suggests.
How long does an infrastructure penetration test take?
It depends on the size of the estate in scope, the number of live hosts and how much of it is external versus internal. A small external test can be a couple of days; a larger internal or combined engagement runs longer. We scope it with you on a free call and give you a fixed number of testing days up front, so there are no surprises on either time or cost.
How often should we test our infrastructure?
At least once a year is the common baseline, and it is what most compliance frameworks and cyber insurers expect. You should also test after any significant change: a new internet-facing service, a cloud migration, a merger or a large network redesign. Between tests, managed vulnerability scanning keeps watch so new issues surface in days rather than at the next annual test.