External and internal, end to end.

Most attacks on your network come down to two questions: what can someone reach from the outside, and how far can they get once they are in. We test both.

External infrastructure

Everything an attacker can reach from the internet. We work through your public-facing estate from the outside in, hunting for the exposed service, weak credential or forgotten host that hands them a first foothold.

  • Perimeter hosts and firewalls
  • VPNs and remote access
  • Mail, web and exposed services
  • Public IP ranges and cloud edge

Internal infrastructure

What happens once someone is inside. Starting from a foothold on your network, a plugged-in laptop, a phished user or a rogue insider, we show how far that foothold reaches towards your servers, your domain and the data that matters.

  • Active Directory and domain escalation
  • Lateral movement
  • Workstation and server hardening
  • Reach to sensitive data

Wherever it runs, we test it.

Your servers might sit in a rack you own, in a datacentre you rent, or in a cloud account you spun up last week. We test them wherever they live.

Your own kit

On-premises servers and network gear in your own comms room or office. We test the estate you own and manage, end to end.

Third-party datacentre

Colocation or fully managed hosting. We test your kit wherever it sits, and help you line up the provider sign-off that testing needs.

Cloud

AWS, Azure and Google Cloud. We test the services and identity you expose, and, where it is in scope, the account configuration an attacker abuses after getting in.

Proving your segmentation actually holds.

Segmentation is only as strong as the rules behind it. We test the boundaries you depend on from both sides, and show you where a flat network or a stale firewall rule quietly undoes them.

  • Cardholder data environment separation for PCI DSS
  • Firewall and VLAN rulesets, tested from both sides
  • Flat-network blast radius: what one compromised host can reach
  • Segregation between corporate, guest and sensitive estates

How an infrastructure test runs.

Every infrastructure engagement follows the same clear phases, so you always know what is happening and why.

  1. 01

    Scope and rules of engagement

    We agree the estate in scope, the testing window and the rules of engagement, and line up any datacentre or cloud provider authorisation before we touch anything.

  2. 02

    Recon and discovery

    We map your real attack surface: live hosts, open ports, exposed services and the software behind them, external and internal.

  3. 03

    Vulnerability identification

    We find the weaknesses that matter, missing patches, weak configuration, default and reused credentials, and separate the real from the noise.

  4. 04

    Exploitation

    We prove impact by hand, safely exploiting what we find rather than handing you a list of maybes.

  5. 05

    Post-exploitation and lateral movement

    We escalate, move laterally and show how far a foothold reaches towards your domain and data, without disrupting production.

  6. 06

    Report and retest

    You get an executive and technical report within 48 hours, then a free retest of critical and high findings once you have fixed them.*

What you get.

No jargon-filled PDF that sits in a drawer. You get evidence your board understands and fixes your engineers can act on.

  • A senior, CREST-certified tester on the work from start to finish
  • Executive and technical report within 48 hours of testing finishing
  • Every finding rated by CVSS and by real business impact
  • Clear, prioritised remediation your team can act on
  • Reproducible proof of concept for each issue, never a scanner dump
  • A free retest of critical and high findings within 30 days*

* The free retest covers critical and high findings within 30 days, one retest per engagement, delivered remotely and excluding on-site costs. Applies to UK-based engagements only. See our terms for full details.

Infrastructure testing, answered.

Straight answers to what clients ask most about infrastructure engagements.

What is the difference between external and internal infrastructure testing?

External testing looks at everything an attacker can reach from the internet: your public IP ranges, VPNs, mail, remote access and anything else exposed at the perimeter. Internal testing starts from a foothold inside the network, a plugged-in laptop, a phished user or a rogue insider, and shows how far an attacker can push from there towards your servers, your domain and your data. Most organisations need both, because they answer different questions.

Do you test cloud infrastructure like AWS, Azure and Google Cloud?

Yes. We test infrastructure wherever it runs, including AWS, Azure and Google Cloud. That covers the services and identity you expose to the internet, and, where it is in scope, a look at the configuration and permissions inside your cloud accounts that an attacker would abuse after getting a foothold. We agree the exact boundaries with you up front so the testing stays within your provider rules.

Can you test kit hosted in a third-party datacentre?

Yes. Whether your servers sit in your own comms room, in colocation or in a fully managed datacentre, we can test them. The one thing we need is authorisation: where a third party owns or hosts the kit, they usually have to sign off the testing window and scope alongside you. We will tell you exactly what that involves and help you get it in place before anything starts.

Do you test network segmentation and PCI cardholder data environments?

Yes. We routinely test whether the boundaries you rely on actually hold, for example that a flat office network cannot reach a sensitive server estate, or that your cardholder data environment is properly separated for PCI DSS. We check firewall and VLAN rules from both sides, confirm what can genuinely cross the boundary, and show you where segmentation is weaker than the diagram suggests.

How long does an infrastructure penetration test take?

It depends on the size of the estate in scope, the number of live hosts and how much of it is external versus internal. A small external test can be a couple of days; a larger internal or combined engagement runs longer. We scope it with you on a free call and give you a fixed number of testing days up front, so there are no surprises on either time or cost.

How often should we test our infrastructure?

At least once a year is the common baseline, and it is what most compliance frameworks and cyber insurers expect. You should also test after any significant change: a new internet-facing service, a cloud migration, a merger or a large network redesign. Between tests, managed vulnerability scanning keeps watch so new issues surface in days rather than at the next annual test.

Ready to scope your infrastructure test?

Tell us what your estate looks like and what you are worried about. We will come back within one working day with a suggested approach and a fixed-price scope, with no sales theatre.

Book a scoping call