Key Takeaways
- External network pentest tests internet-facing assets (firewalls, public web servers, VPN, mail, RDP) from an attacker's external perspective. Annual minimum for any internet-connected business.
- Internal network pentest simulates a foothold scenario: assume an attacker is already on the LAN (compromised laptop, malicious insider). Tests segmentation, AD, lateral movement, privilege escalation.
- Both serve different threat models and both belong in a mature programme. Internal pentest is where most Indian enterprises find the highest-severity findings.
- Typical scope: external 10-50 IPs / 1-2 weeks, internal 100-500 IPs / 2-3 weeks. Pricing INR 1L-3.5L per engagement depending on scope and depth.
- Methodology alignment: NIST SP 800-115, PTES, OSSTMM. Findings mapped to CVSS v3.1 and CWE. Reports accepted by ISO 27001, SOC 2, PCI DSS, RBI auditors.
Why Indian Enterprises Need Both Internal and External Network Pentests
Network penetration testing has two distinct flavours: external (testing from outside your network perimeter, simulating a remote attacker) and internal (testing from inside the network, simulating a compromised endpoint or malicious insider). Each serves a different threat model, and both belong in a mature cyber programme. Most Indian enterprises we engage with run external annually and internal every 12-18 months, with internal frequency increasing when scope or threat profile changes.
External network pentests answer the question: "What can an attacker on the internet do to us?" They focus on internet-exposed assets: firewalls, public web servers, VPN concentrators, mail servers, RDP/SSH gateways, cloud workloads with public IPs. The typical attack surface is smaller than internal but the consequence of a finding is direct: a public RCE on a firewall is a complete perimeter breach.
Internal network pentests answer the question: "If an attacker gets a foothold (phishing, malicious USB, compromised vendor laptop), how far can they go?" The scope is dramatically larger: Active Directory, file shares, internal applications, databases, jump servers, backup systems, OT/SCADA where present. Internal pentest is where most Indian enterprises find the highest-severity findings, particularly Active Directory privilege escalation paths.
External Network Pentest Methodology
External network pentest follows a structured methodology aligned with NIST SP 800-115, PTES (Penetration Testing Execution Standard) and OSSTMM. The phases:
Phase 1: Reconnaissance and Asset Discovery
Passive reconnaissance: WHOIS, DNS, certificate transparency logs, subdomain enumeration, Shodan/Censys footprinting, GitHub leaks, OSINT on company assets. Active reconnaissance: port scanning all in-scope IPs (TCP all ports, UDP common ports), service version detection, OS fingerprinting. Output: complete external asset inventory with documented attack surface.
Phase 2: Vulnerability Identification
Authenticated and unauthenticated vulnerability scanning of identified services using Nessus, OpenVAS and Nuclei, combined with manual verification. Identify CVEs, misconfigurations, weak crypto, expired certificates, exposed admin interfaces, default credentials. Output: prioritised vulnerability list with CVSS v3.1 scores.
Phase 3: Exploitation
Manual exploitation of identified vulnerabilities to confirm exploitability and assess real-world impact. Focus on remote code execution, authentication bypass, sensitive data exposure, and weak credentials enabling lateral access. Document proof-of-concept with screenshots or videos. NOT included: destructive exploitation and denial-of-service, unless explicitly scoped.
Phase 4: Post-Exploitation (Limited)
Where exploitation succeeds, limited post-exploitation to demonstrate impact: privilege escalation, sensitive data access, credential harvesting. Stops short of pivoting into internal network (that is internal pentest scope). Documented to show business impact, not to do harm.
Phase 5: Reporting and Retest
Executive summary plus technical findings report with: per-finding CVSS scores, CWE mapping, reproduction steps, business impact, remediation guidance. Free retest within 90 days to verify fixes. Reports accepted by ISO 27001, SOC 2, PCI DSS Requirement 11.4 and RBI Cyber Security Framework auditors.
Internal Network Pentest Methodology
Internal network pentest assumes the attacker has already established a foothold (compromised endpoint, malicious insider, breached vendor connection) and tests how far they can go. The scope is dramatically larger than external, and the methodology emphasises lateral movement and privilege escalation.
Foothold Setup
A Codesecure consultant connects to the internal network via VPN with assigned credentials (most common), a physical visit with a provisioned laptop, or a pre-deployed Codesecure assessment appliance (for distributed networks). The starting position simulates a junior employee's laptop (low privilege, standard user account, AD-joined) and is documented as the assumed scenario.
Network Mapping and Service Enumeration
Active discovery of internal hosts, services, share folders, internal web applications, databases, jump servers, network devices. Port scanning of internal subnets within scope. Identify potentially valuable targets: domain controllers, file servers, code repositories, build systems, backup servers, OT/SCADA gateways.
Active Directory Attack Path Discovery
This is where most internal pentests find the highest-severity issues. BloodHound and PowerView are used for AD enumeration, looking for misconfigured GPOs, Kerberoastable accounts, AS-REP roastable accounts, weak ACLs, unconstrained delegation, password reuse, dormant accounts with privileges, and shadow admin groups. Attack paths to Domain Admin or to specific high-value targets (CFO mailbox, HR records, source code repository) are then reviewed manually.
Privilege Escalation and Lateral Movement
Exploitation of identified AD attack paths: Kerberoasting, Pass-the-Hash, Pass-the-Ticket, NTLM relay, GPO abuse, ACL exploitation, credential dumping via mimikatz on compromised hosts. Document the full attack chain from initial foothold to target compromise. NOT included: persistence implants, real malware deployment, real-world data exfiltration (we use canary documents).
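Because Kerberoasting is listed above as a technique the engagement exercises, the blue team should be able to see it in the domain controllers' Security log. The following is an added example, not part of the original page or Codesecure's tooling: it runs over constructed, flattened event 4769 (service ticket request) records and flags an account that requests RC4-encrypted tickets for several distinct service accounts in a short window, which is the classic Kerberoasting signature (MITRE ATT&CK T1558.003). Line format, threshold and window size are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: event 4769 fields flattened to one line per event.
# Encryption 0x17 is RC4-HMAC (what Kerberoasting tooling asks for, since RC4
# tickets crack fastest); 0x12 is AES256. Machine accounts end in '$'.
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 Account=jdoe@CORP.LOCAL Service=svc_sql Encryption=0x17 Client=10.10.5.21
2024-05-01T09:00:02 EventID=4769 Account=jdoe@CORP.LOCAL Service=svc_backup Encryption=0x17 Client=10.10.5.21
2024-05-01T09:00:02 EventID=4769 Account=jdoe@CORP.LOCAL Service=svc_web Encryption=0x17 Client=10.10.5.21
2024-05-01T09:00:03 EventID=4769 Account=jdoe@CORP.LOCAL Service=svc_ci Encryption=0x17 Client=10.10.5.21
2024-05-01T09:00:03 EventID=4769 Account=jdoe@CORP.LOCAL Service=FS01$ Encryption=0x17 Client=10.10.5.21
2024-05-01T09:05:00 EventID=4769 Account=asmith@CORP.LOCAL Service=svc_sql Encryption=0x12 Client=10.10.5.40
2024-05-01T10:00:00 EventID=4769 Account=bkumar@CORP.LOCAL Service=krbtgt Encryption=0x17 Client=10.10.5.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4769 Account=(?P<acct>\S+) Service=(?P<svc>\S+) "
    r"Encryption=(?P<enc>0x[0-9a-f]+) Client=(?P<client>\S+)$")

def parse_4769(text):
    """Parse the constructed one-line-per-event format into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events

def roastable_service(name):
    # Machine accounts and krbtgt are not Kerberoasting targets; ignore them.
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect_kerberoasting(text, threshold=3, window=timedelta(minutes=5)):
    """Alert when one account requests RC4 tickets for >= threshold distinct
    user-type service accounts within the window. Returns a list of alerts."""
    rc4 = [e for e in parse_4769(text) if e["enc"] == "0x17" and roastable_service(e["svc"])]
    by_account = defaultdict(list)
    for e in sorted(rc4, key=lambda e: e["ts"]):
        by_account[e["acct"]].append(e)
    alerts = []
    for acct, evs in by_account.items():
        for i, start in enumerate(evs):          # sliding window from each event
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            services = sorted({e["svc"] for e in in_window})
            if len(services) >= threshold:
                alerts.append({"account": acct, "client": start["client"], "services": services})
                break                            # one alert per account is enough
    return alerts

if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"Possible Kerberoasting: {a['account']} from {a['client']} -> {a['services']}")
```

Tuning note: the remediation for the accounts that show up as targets is long random passwords or gMSAs plus AES-only ticket encryption, which is the same fix the AD hardening roadmap later in this page refers to.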
Network Segmentation Validation
Test claimed segmentation boundaries: can the user VLAN reach the database VLAN, the OT/SCADA network, the PCI cardholder data environment (CDE)? Segmentation failure is a frequent PCI DSS Req 11.4.5 audit finding. For PCI environments, this is a hard scope item.
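The segmentation question above (can the user VLAN reach the database VLAN, the OT network or the CDE?) reduces to comparing observed reachability against the documented policy. This is an added example, not code from the page or from Codesecure: it parses a constructed nmap grepable (-oG) result of a probe run from the user VLAN and reports every open port that the policy says should be unreachable. The zone ranges and the policy matrix are assumptions for the example.

```python
import ipaddress
import re

# Constructed zone map: which internal ranges belong to which protected zone.
ZONES = {
    "database": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/24"),
    "cde": ipaddress.ip_network("10.40.0.0/24"),
}
# Policy: TCP ports the user VLAN is allowed to reach in each zone.
# An empty set means the zone must be fully unreachable from the user VLAN.
POLICY = {"database": set(), "ot": set(), "cde": set()}

# Constructed nmap -oG output of a probe launched from the user VLAN.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.20.0.5 ()\tStatus: Up
Host: 10.20.0.5 ()\tPorts: 1433/open/tcp//ms-sql-s///, 445/filtered/tcp//microsoft-ds///
Host: 10.30.0.10 ()\tPorts: 502/open/tcp//mbap///
Host: 10.40.0.7 ()\tPorts: 443/filtered/tcp//https///
Host: 10.50.0.3 ()\tPorts: 80/open/tcp//http///
"""

OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")

def parse_grepable(text):
    """Return {ip: {open TCP ports}} from nmap grepable output."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # skip comments and Status-only lines
        ip = line.split()[1]
        found.setdefault(ip, set()).update(int(p) for p in OPEN_TCP_RE.findall(line))
    return found

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def segmentation_violations(scan_text):
    """List (zone, ip, port) for each open port the policy does not allow.
    Any hit in the 'cde' zone is directly reportable under PCI DSS 11.4.5."""
    violations = []
    for ip, ports in parse_grepable(scan_text).items():
        zone = zone_of(ip)
        if zone is None:
            continue                      # host is not in a protected zone
        violations.extend((zone, ip, p) for p in sorted(ports - POLICY[zone]))
    return violations

if __name__ == "__main__":
    for zone, ip, port in segmentation_violations(SAMPLE_SCAN):
        print(f"Segmentation violation: user VLAN reaches {zone} host {ip} on tcp/{port}")
```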
Reporting and Remediation Roadmap
Internal pentest reports include: attack path diagrams (BloodHound exports, kill chain visualisation), severity-prioritised findings, AD hardening roadmap, segmentation findings, sensitive data access findings, recommendations mapped to NIST 800-53 AC family, MITRE ATT&CK techniques referenced. Free retest within 90 days.
Scoping and Pricing for Indian Enterprises
External Network Pentest
Small scope (10-25 public IPs, single firewall, no complex DMZ): 1-2 weeks, INR 1L-1.5L. Standard scope (25-100 IPs, multiple subnets, DMZ, public cloud): 2-3 weeks, INR 1.5L-2.5L. Large scope (100-500 IPs, multi-region, multi-cloud, M&A scenarios): 3-4 weeks, INR 2.5L-4L+.
Internal Network Pentest
Small scope (single office, 100-300 internal IPs, single AD domain): 2-3 weeks, INR 1.5L-2.5L. Standard scope (multi-site, 300-1000 IPs, single forest with multiple domains): 3-4 weeks, INR 2.5L-3.5L. Large scope (multi-region enterprise, 1000+ IPs, multi-forest, OT/SCADA included): 4-6 weeks, INR 3.5L-6L+.
Combined External + Internal
Most Indian enterprises run combined engagements. Pricing is 1.5-1.7x that of either alone (not 2x), because scoping and reporting work is shared. Typical Indian SMB combined engagement: 3-4 weeks, INR 3L-4L total. Mid-market combined: 4-6 weeks, INR 4L-7L.
Compliance Alignment for Network Pentest
Network pentest findings map to multiple compliance frameworks. Make sure your pentest report is structured to satisfy the audit you actually face:
ISO/IEC 27001:2022 Annex A.8.8 (technical vulnerability management), A.8.29 (security testing in development and acceptance). Pentest is the most common evidence for these controls during ISO 27001 audits.
SOC 2 Common Criteria CC7.1 (system monitoring) and CC7.4 (incident handling) expect at minimum annual pentest of in-scope systems. CPAs reviewing SOC 2 Type 2 ask for pentest reports as part of evidence sampling.
PCI DSS v4.0 Requirement 11.4 mandates penetration testing of the cardholder data environment: external and internal pentest at least annually and after significant changes. Requirement 11.4.5 specifically requires segmentation testing where segmentation is used to reduce PCI scope.
RBI Cyber Security Framework and RBI Master Direction on Digital Payment Security Controls reference penetration testing for regulated entities (banks, NBFCs, payment aggregators, gateways). Frequency: at least annually, often more frequent for high-impact entities.
DPDP Act 2023 Section 8(5) sets an expectation of reasonable security safeguards. A pentest provides direct evidence that your business has tested its controls against realistic threats, supporting your due-diligence posture in the event of a breach notification.
Frequently Asked Questions
Do we need both internal and external network pentests every year?
External: yes annually, minimum. Internet-facing assets change frequently and the threat landscape evolves. Internal: typically every 12-18 months unless scope changes (new network segment, major AD redesign, M&A integration). PCI DSS Req 11.4 mandates both at least annually for in-scope systems. Most Indian enterprises run combined engagements once per year.
What is the typical timeline and cost for a network pentest in India?
External: 1-3 weeks, INR 1L-2.5L for typical Indian SMB scope. Internal: 2-4 weeks, INR 1.5L-3.5L. Combined external + internal: 3-4 weeks, INR 3L-4L total. Larger or multi-region enterprises run 4-6 weeks at INR 4L-7L+. Pricing scales with IP count, segmentation complexity and depth of AD assessment.
What is the difference between vulnerability scanning and network pentesting?
Vulnerability scanning is automated detection of known CVEs and misconfigurations using tools like Nessus, OpenVAS, Qualys. Pentest is manual exploitation that confirms exploitability, chains vulnerabilities into attack paths, finds business-logic issues scanners cannot, and assesses real-world impact. Pentest reports are accepted by auditors; raw vulnerability scan reports usually are not. Scans should run continuously between annual pentests.
Can we do internal network pentest remotely or do you need on-site?
Most internal pentests run remotely now. A Codesecure consultant connects via VPN with provisioned credentials simulating a junior employee laptop. A pre-deployed Codesecure assessment appliance works for distributed networks. On-site is sometimes preferred for OT/SCADA-heavy environments, manufacturing plants, or where VPN policy restricts third-party access. Both produce equivalent quality output.
Will the pentest cause downtime or data loss?
Standard pentest methodology is non-disruptive. We use rate-limited probes, exclude destructive techniques, avoid denial-of-service. Network devices are tested in monitoring mode for exploit attempts. Sensitive systems (production databases, payment processing) are scoped with explicit boundaries. Risk of accidental disruption is low but non-zero; we coordinate maintenance windows for the most sensitive tests.
Do you provide a remediation roadmap or just a list of findings?
Both. Every Codesecure network pentest report includes prioritised remediation guidance per finding plus a 30-60-90 day remediation roadmap aligned to severity. We also offer post-engagement remediation consulting and a free retest within 90 days to verify fixes. Many clients use the retest as the formal evidence for audit closure.
Will the pentest report satisfy ISO 27001, SOC 2, PCI DSS and RBI auditors?
Yes. Codesecure pentest reports are aligned with NIST SP 800-115, PTES, OSSTMM and CVSS v3.1. Findings map to CWE, MITRE ATT&CK and the specific control families relevant to each audit. Indian and global auditors (Big 4, mid-tier CPAs, ISO certification bodies, RBI inspectors) routinely accept our reports as evidence of pentest controls.
Get a Scoped Network Pentest Proposal in 24-48 Hours
Codesecure runs external and internal network pentests for Indian enterprises with named OSCP/CEH/CISSP consultants, ISO/IEC 27001:2022 certified delivery, NIST SP 800-115 + PTES methodology, and free retest within 90 days.