External infrastructure penetration testing from Core Sentinel shows you exactly what an attacker sees when they look at your organisation from the internet — and whether your perimeter can withstand a real, targeted attack. Every test is performed manually by a senior, certified tester. No junior bench. No scan-and-send.

Your perimeter is under attack 24/7
Your internet-facing infrastructure (web servers, VPNs, firewalls, mail servers, cloud endpoints and remote-access gateways) is the first thing an attacker sees, and it is subject to automated scanning around the clock. A single unpatched VPN appliance, a misconfigured firewall rule, or one exposed admin panel can hand an attacker the foothold they need to breach your entire network.
A Core Sentinel external infrastructure penetration test simulates a real-world attacker operating from the internet, with no insider knowledge, attempting to identify and exploit weaknesses in your publicly accessible systems — before someone with worse intentions does.
We find the assets you forgot you had
The biggest risk on most perimeters isn’t the server you know about; it’s the one you don’t: forgotten subdomains, infrastructure inherited through a merger or acquisition, shadow IT spun up outside official process, and deprecated services left running. Attackers find these through open-source intelligence, and so do we.

We begin every engagement the way a real attacker does: with thorough OSINT and reconnaissance to map your complete external footprint, not just the IP list you hand us. That covers WHOIS and DNS history, certificate transparency logs, subdomain enumeration, ASN lookups, exposed-credential and breach data, and search-engine intelligence. The result is the true attack surface, including the assets that never made it onto any official inventory.
Senior-only testing — beyond the scanner
Plenty of “penetration tests” are really just an automated vulnerability scan with the logo changed. That’s not what you get from us. A scanner tells you a port is open and a version looks old. A senior tester determines whether it’s actually exploitable, chains individually low-risk issues into a real attack path, and proves the business impact — without the false positives and inflated noise that waste your team’s time.
Every Core Sentinel engagement is performed by a senior, OSCE- and OSCP-certified tester with decades of hands-on experience. Manual validation is where the real findings come from, and it’s the single biggest factor in the quality of what you receive.
What we test for
Our methodology systematically maps and tests your entire internet-facing perimeter, with particular attention to the highest-risk categories we see in current engagements:
- VPN & remote-access appliances — unpatched or misconfigured VPNs, SSH gateways and SSL portals are among the most exploited perimeter entry points today.
- Exposed services & open ports — databases, file shares, management interfaces and administrative panels that shouldn’t be reachable from the internet.
- Cloud exposure — misconfigured storage (S3 buckets, Azure Blob), exposed management consoles, and cloud metadata reachable through the perimeter.
- DNS & subdomain weaknesses — zone-transfer controls, subdomain enumeration and subdomain takeover.
- Mail security misconfiguration — SPF, DKIM and DMARC gaps that enable spoofing and strengthen phishing attacks against your people.
- Weak TLS & cryptographic configuration on public services.
- Information leakage — servers disclosing internal structure, technology versions, or employee details that fuel targeted attacks.
- Known-exploited vulnerabilities (KEV) — we prioritise the CVEs that are actually being exploited in the wild, aligned to current threat-actor behaviour and vendor advisories.
Advanced techniques, applied by hand
Where it adds value, we go well beyond a port scan. We perform deep asset discovery to surface shadow IT and forgotten infrastructure. We manually validate and exploit findings to confirm real-world impact rather than reporting theoretical risk. We chain low-severity issues into demonstrable attack paths. And we handle evidence properly — raw logs, timestamps and hashes — so that every finding stands up to scrutiny and nothing in your report can be waved away as a false positive.
What you receive
Our reports are written to be read — by your technical team and your executives. Every finding includes a clear risk rating (CVSS v3.1), a plain-English explanation of business impact, a validated proof of concept, and a specific, prioritised remediation. Findings are ordered so you can direct scarce security resources at what matters most first.
Once you’ve remediated, we re-test to confirm your risk is genuinely closed. And when we’re satisfied the risks are closed, we provide a signed letter of attestation — ready for your clients, auditors and compliance needs, including PCI DSS and APRA CPS 234.
Who we work with
We test external infrastructure for organisations across banking, finance, government, defence, health and education — sectors where a perimeter breach isn’t just an IT problem, it’s a business and regulatory one. Whether you’re meeting a compliance requirement, assuring a new environment, or simply want to know what an attacker can really see, we tailor the engagement to your actual exposure.
Find out what the internet can see
Talk to a senior tester about your external infrastructure — no sales engineers, no junior hand-off. Get a quote or call 1300 859 443.



