Cybersecurity, Incident Response, Penetration Testing, Red Teaming

The Limitations of External Penetration Testing (And What to Do About Them)


Core argument 

Traditional external penetration tests give executives false confidence because they are typically scope-limited and scheduled, do not reflect real attacker behaviour, and ignore AI-enabled threats that operate with legitimate user access.

Would you feel comfortable boarding a plane if the pilot had practised emergency landings but had never actually simulated an engine failure? 

So, why do businesses specifically exclude their most critical systems from the testing scope, especially when those systems are part of the very exploitation path attackers use? 

 Key angles across the series: 

  • The real-world difference between “can we break in” vs “will we detect and respond when they do” 
  • What cannot be seen is not understood 
  • Why annual tests create 364 days of unknown vulnerability and exposure 
  • The problem with “safe” testing that avoids business disruption 

What is an External Penetration Test?

An external penetration test simulates a cyberattack from outside an organisation’s network to identify vulnerabilities in internet-facing systems such as websites, servers and remote access services.

Security experts attempt to safely exploit weaknesses to assess risk and provide remediation guidance, helping organisations reduce exposure to real-world attacks originating from the internet.

The Monday Morning Question 

Let’s put this into business context. The annual penetration test report arrives.  

  • Twenty pages, executive summary up front.  
  • “Low risk” findings only.  
  • A handful of configuration tweaks recommended.  

Nothing critical. All good. You feel relieved. £10,000 well spent. The board update will be straightforward. The auditors will be satisfied.

Here is what the report doesn’t tell you: you have no idea whether you would detect a real breach.

The Comfortable Fiction of Scheduled Security 

Let me tell you about a business last year. They had received clean pen test results for three consecutive years and had just completed the latest one. Security was “validated” annually for ISO 27001, and they were confident, with only minor follow-ups outstanding.

An inquisitive new COO posed a question: “Does that really reflect a real-world attack though?” The CISO reached out. We ran a purple team exercise: a cooperative test in which attackers and defenders work together to improve detection. The exercise itself was not announced to the wider team, so the SOC was responding (or not) as it would on any other day.

Within four hours, we had: 

  • Compromised a user account via a credential stuffing attack (MFA wasn’t enforced on a legacy VPN) 
  • Found an unpatched development AWS instance with attached storage services and recovered access keys from it 
  • Moved laterally to a domain controller without detection 
  • Exfiltrated data that was unclassified but turned out to be sensitive 
  • Established persistent access through three different backdoors 
  • Impersonated the Chief People Officer’s email account with a new employee benefits email to all staff: a 23% click-through rate that harvested 47 email addresses and contact details 

The endpoint security and SIEM tooling surfaced nothing that was treated as unusual: 

  1. One alert fired during the email campaign, but it was classified as only medium severity. 
  2. The SOC team was monitoring dashboards that showed green while we methodically progressed. 

Situation Analysis

None of the techniques we used were sophisticated. All real-world. No zero-days. No advanced malware. Just patient, methodical exploitation of common misconfigurations and gaps in visibility with some standard automations. 

The previous pen tests had all been “clean” because those tests never asked the critical question: “If we bypass your prevention, will you notice?” 
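The first step of that chain, credential stuffing against a VPN that did not enforce MFA, is exactly the kind of activity a SOC should notice before lateral movement begins. Below is an added example of the detection logic, written for this article and not taken from the engagement or from any CloudGuard tooling. It runs over a constructed sample of VPN authentication events; the log format, field names and thresholds are assumptions, and would need mapping to your own VPN, RADIUS or identity provider schema.

```python
"""Credential-stuffing detector over VPN authentication events.

Added example, not code from the original article. The log format, the
field names and the thresholds are assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs): timestamp, source IP, username,
# result, whether MFA completed. Ten different usernames fail from one IP in
# under three minutes, then one login succeeds with no MFA: the legacy-VPN gap.
# A second IP shows a normal user mistyping a password twice, then succeeding
# with MFA, which must not be flagged.
SAMPLE_LOG = """\
2025-03-10T08:00:01Z 203.0.113.7 a.brown FAIL mfa=no
2025-03-10T08:00:09Z 203.0.113.7 b.chen FAIL mfa=no
2025-03-10T08:00:18Z 203.0.113.7 c.davis FAIL mfa=no
2025-03-10T08:00:27Z 203.0.113.7 d.evans FAIL mfa=no
2025-03-10T08:00:36Z 203.0.113.7 e.fox FAIL mfa=no
2025-03-10T08:00:45Z 203.0.113.7 f.green FAIL mfa=no
2025-03-10T08:00:54Z 203.0.113.7 g.hall FAIL mfa=no
2025-03-10T08:01:03Z 203.0.113.7 h.irwin FAIL mfa=no
2025-03-10T08:01:12Z 203.0.113.7 i.jones FAIL mfa=no
2025-03-10T08:01:21Z 203.0.113.7 j.smith FAIL mfa=no
2025-03-10T08:02:40Z 203.0.113.7 j.smith SUCCESS mfa=no
2025-03-10T08:05:00Z 198.51.100.5 k.lee FAIL mfa=no
2025-03-10T08:05:20Z 198.51.100.5 k.lee FAIL mfa=no
2025-03-10T08:05:41Z 198.51.100.5 k.lee SUCCESS mfa=yes
"""


def parse_events(text):
    """Parse the assumed space-separated format into dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "user": user,
            "result": result,
            "mfa": mfa.split("=", 1)[1] == "yes",
        })
    return events


def detect_credential_stuffing(events, window_minutes=10, min_failures=8, min_distinct_users=5):
    """Return one finding per source IP that sprays many usernames in a short window.

    Per source IP, failures are kept in a sliding time window. Once the window
    holds at least min_failures across at least min_distinct_users, the IP is a
    spray source. Any SUCCESS from that IP within the window after detection is
    recorded; a success without MFA is rated critical, because at that point the
    attacker has a working account rather than a noisy scan.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent_fails = deque()
        detected_at = None
        successes = []
        for ev in evs:
            # Drop failures that have aged out of the window.
            while recent_fails and ev["ts"] - recent_fails[0]["ts"] > window:
                recent_fails.popleft()
            if ev["result"] == "FAIL":
                recent_fails.append(ev)
                distinct_users = {f["user"] for f in recent_fails}
                if (detected_at is None
                        and len(recent_fails) >= min_failures
                        and len(distinct_users) >= min_distinct_users):
                    detected_at = ev["ts"]
            elif (ev["result"] == "SUCCESS" and detected_at is not None
                    and ev["ts"] - detected_at <= window):
                successes.append({"ts": ev["ts"], "user": ev["user"], "mfa": ev["mfa"]})
        if detected_at is not None:
            if any(not s["mfa"] for s in successes):
                severity = "critical"
            elif successes:
                severity = "high"
            else:
                severity = "medium"
            findings.append({"src": src, "detected_at": detected_at,
                             "successes": successes, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(parse_events(SAMPLE_LOG)):
        users = ", ".join(f"{s['user']} (mfa={'yes' if s['mfa'] else 'no'})" for s in f["successes"])
        print(f"[{f['severity'].upper()}] {f['src']} sprayed credentials at {f['detected_at']:%H:%M:%S}; "
              f"successful logins afterwards: {users or 'none'}")
```

The severity step is the point that the engagement exposed: a spray on its own is a medium-severity nuisance, but a spray followed by a password-only success on a legacy VPN is an account compromise in progress and should page someone. In a real deployment the same rule belongs in the SIEM with the MFA field joined from the identity provider, since the VPN appliance alone often cannot tell you whether a second factor was completed.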

Related article: Continuous Security Validation: Why Security Investments Fail Under Real Attack Conditions

What do External Penetration Tests Actually Test?

Traditional penetration testing focuses on “can we get in” rather than “will you notice when someone does?”.  

Some tests do look at how far an exploitation path progresses, but that still needs to be correlated against what the monitoring services saw, or failed to see, at each step.

This creates a dangerous gap: 

  • What external penetration tests validate: Presence of vulnerabilities and exploitation pathways 
  • What they rarely validate: Detection capabilities, monitoring and response effectiveness, correlation processes, recovery procedures 

Attackers know these gaps exist and actively target them: 

  • 68% of organisations rely primarily on annual penetration testing for security validation 
  • Less than 20% test their security operations ability to detect real attack techniques 
  • 12% have validated their incident response plan under realistic breach conditions (having an IR plan on paper does not prepare you for the real thing!)
  • Average dwell time for breaches: 194 days 
  • Establishing a persistent beachhead is now a primary objective in 24% of attacks 

Put another way: if your organisation tests for vulnerabilities once a year, but real attackers maintain access for more than six months on average, how would you know they are there? 

The attacks on large UK companies reported through 2025 all confirmed that persistence and presence had been established at least 12 months before discovery. 

You’ve been breached, can you answer these questions?

The most common questions initially asked of us in the event of a detected breach are: 

  1. How did they access our network? 
  2. Are they still here? 
  3. What have they taken? 

External penetration testing only ever seeks to validate part of question 1. It says nothing about questions 2 and 3, and these are patient, well-researched and motivated adversaries who do not operate to your testing schedule. 


Next in the Series

If your penetration testing happens once a year, and the average attacker remains undetected for over six months, then for most of the year your organisation is operating on assumption, not evidence. And assumption is not security.

In the next article I’ll break down five ways penetration tests can unintentionally create false confidence, from scope exclusions and pre-announced testing to the fundamental gap between finding vulnerabilities and validating detection.


Author: Matt Lovell
