Insights
What an infrastructure penetration test actually looks for
Infrastructure testing splits into two jobs that get spoken about as one. They answer different questions, they find different things, and if you only buy one of them you should at least know which question you have left unanswered.
External: what can be reached from outside
An external test looks at everything of yours that faces the internet. Servers, firewalls, VPN endpoints, mail, remote access, anything with a public address.
The first part of the job is finding out what that actually is, and this is regularly the most valuable part of the engagement. Most organisations do not have an accurate picture of their own external footprint. Things get stood up for a project and never taken down. A supplier configures something and nobody writes it down. A test environment gets a public address because it was easier. A domain from a rebrand three years ago still resolves to something.
I have found more genuinely serious issues on assets clients had forgotten they owned than on the ones they asked me to look at. You cannot patch what you do not know exists, and you cannot monitor it either.
Once the surface is mapped, the work is the usual: what is exposed that should not be, what is running that is out of date, what is misconfigured, what is reachable that should be behind the VPN, and whether any of it can be turned into access.
Internal: assume they are already in
An internal test asks a different question. It assumes an attacker already has a foothold, and works out what they could do with it.
People sometimes push back on this. If they are already inside, have we not lost anyway. No. Getting a foothold is the easy part, and it is the part you have the least control over, because it usually depends on one person clicking one link. What matters is what happens next. Whether that foothold is a nuisance or a catastrophe is decided entirely by your internal posture.
The gap between the two is normally the widest gap in the whole assessment. Organisations spend heavily on the perimeter and then run flat internal networks where any authenticated user can reach everything.
Active Directory is usually the whole story
If you run Windows, your internal test is largely an Active Directory test, because AD is what an attacker will go for and it is where the path to everything else runs.
The chain is depressingly consistent. Name resolution protocols that are still enabled and will happily answer a question nobody asked. Relay those responses to a service that does not require signing. Collect credentials. Use those credentials to enumerate the directory, which any user can do by design. Find the account with more rights than anybody realised, or the service account with a weak password and a service principal name attached, or the nested group membership that quietly grants administrative access to a hundred people.
None of that involves a single exploit or a single CVE. Every step uses the system exactly as designed. That is the point, and it is why patching alone does not get you there.
Configuration beats patching
Patching matters and it is not where the findings come from. Most organisations patch reasonably well now, because patching is a solved process with tooling behind it.
Configuration is where it falls apart. The account created for a migration in 2019 that still has domain admin. The share that was opened up for one team and never closed. The certificate template with settings that let any user request a certificate as anybody else. The local administrator password that is identical on four hundred machines, which turns one compromised laptop into all of them.
These are not vulnerabilities in the sense of something to install a patch for. They are decisions, usually sensible ones at the time, that nobody revisited.
Segmentation, or the lack of it
The other recurring theme is flatness. A user workstation should not be able to open a management interface on a server. A guest network should not reach anything. The finance systems should not be one hop from reception.
Segmentation is unglamorous, it is a genuine amount of work, and it is the single control that most reliably turns a total compromise into a contained incident.
What good looks like
An accurate inventory of what you expose. Internal networks that assume compromise rather than trust. Credentials that are not reused across tiers. Administrative access that is scarce and reviewed. Segmentation that means a foothold in one place is not a foothold everywhere.
None of that is exciting. All of it is what separates a bad week from a bad year.

