Knowledge Webinar 2022

Everything You Want To Know About Internal Penetration Testing But Were Afraid to Ask! (Sekuro Knowledge Webinar Ep.1)

With the rise of cyber threats, it is now more imperative than ever for cybersecurity measures to be in place. Safeguarding data and networks is critical to maintaining operational efficiency and trust, not just for an individual but for an organization and those in it.

How can businesses mitigate cyber security risks? What preventive measures can be taken to ensure the company is secure and alert to the risks? How can internal pen testing benefit a business? What is the difference between external and internal penetration testing? When should each type be chosen and used? Why perform an internal pen test, what value does it deliver, and what should you expect during the process?

These are some of the questions addressed by Sekuro Principal Consultant, Riley Kidd. In this webinar, he shares his knowledge and experience of internal penetration testing and its benefits.

What Are The Differences Between Internal and External Pen Tests?

External penetration testing assesses the security of the organization's external perimeter, such as the organization's website and mail services. It focuses on the resources that anyone on the internet can reach, and therefore attempt to compromise. The test may include attempting to gain unauthorized access to these resources in order to demonstrate the impact.

On the other hand, internal penetration testing assesses the security of internal networks through network enumeration, configuration review, and vulnerability scanning. It is performed from the perspective of someone who is already on the internal network, and businesses can use this assessment to identify security issues that are present behind the perimeter.

What Are The Steps of An Internal Pen Test?

1. Discovery

Identify key information such as where systems are located, how many active users they have, and which tools and systems are in use. It is also important to establish whether these systems can be reached directly from the tester's position on the network or only indirectly, via another host or network segment.

2. Identification

Based on the resources discovered, identify the subset that appears potentially exploitable, for example services that are outdated, misconfigured, or exposed more widely than they need to be.

3. Exploitation

In the exploitation step the tester attempts to exploit the weaknesses identified, to demonstrate the access an unauthorised party could gain to the internal network and systems, and how far that access could be extended.
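To make the first two steps concrete, the following is an added example (not code from the webinar or from Sekuro) that takes the output of a discovery scan and performs a first-pass identification: it parses nmap's "grepable" (-oG) output and flags open services that a tester would typically examine more closely. The scan output below is constructed for illustration, the hosts and versions are not real, and the triage rules in `WATCHLIST` are hypothetical starting points rather than an exhaustive or authoritative list.

```python
"""Discovery -> identification triage for an internal pen test.

Parses nmap grepable (-oG) output and flags open services that match a
small, hypothetical watchlist of things worth a closer look.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oG` output for an internal subnet.
# Hosts, ports and banners are invented for this example, not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -sV -oG internal.gnmap 10.0.1.0/24
Host: 10.0.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.0.1.7 ()\tPorts: 23/open/tcp//telnet//Cisco IOS telnetd/, 161/open/udp//snmp///
Host: 10.0.1.9 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 445/filtered/tcp//microsoft-ds///
Host: 10.0.1.20 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.41/
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


# Hypothetical identification rules: nmap service name -> why it merits review.
# These are illustrative; a real engagement tunes them to the client environment.
WATCHLIST = {
    "telnet": "cleartext remote administration; credentials recoverable from the wire",
    "ftp": "cleartext file transfer; check for anonymous login and credential reuse",
    "snmp": "check for default community strings (public/private)",
    "microsoft-ds": "SMB; check signing requirements and null-session access",
    "ms-wbt-server": "RDP reachable internally; check NLA and lockout policy",
}

# One -oG port entry has seven '/'-separated fields:
# port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> list[Service]:
    """Discovery step: turn -oG output into a list of Service records."""
    services: list[Service] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and 'Nmap done' lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # host up but no ports reported
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, name, _rpc, version = m.groups()
            services.append(Service(host, int(port), proto, state, name, version))
    return services


def identify_candidates(services: list[Service]) -> list[tuple[str, int, str, str, str]]:
    """Identification step: open services that match a watchlist rule.

    Filtered/closed ports are skipped: they may still matter for the
    'direct vs indirect access' question, but they are not exploitable
    from this vantage point.
    """
    findings = []
    for s in services:
        if s.state != "open":
            continue
        reason = WATCHLIST.get(s.name)
        if reason:
            findings.append((s.host, s.port, s.proto, s.name, reason))
    return findings


if __name__ == "__main__":
    svcs = parse_gnmap(SAMPLE_GNMAP)
    print(f"discovered {len(svcs)} services on {len({s.host for s in svcs})} hosts")
    for host, port, proto, name, reason in identify_candidates(svcs):
        print(f"{host}:{port}/{proto} {name:14s} {reason}")
```

The watchlist deliberately flags services for review rather than declaring them vulnerable: whether SMB signing is actually optional, or the SNMP community string really is the default, is established in the exploitation step, not inferred from a port scan.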

Why is it important to perform internal pen test regularly?

There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.

The internal network is often exposed to threats such as external intruders, malicious insiders, and accidental errors. By performing an internal pen test regularly, we can assess what is behind the perimeter, and understand resilience to real-world threats. At the same time, it allows us to identify the unknown unknowns.

While the right frequency for an internal pen test depends on the focus area and needs of the organization, there is value in testing more often when specific concerns arise, when significant changes are made to the network, or when new vulnerabilities become known. As a baseline, organizations are recommended to carry out an internal pen test at least annually.

Conclusion

No system is infallible, and every business must remain vigilant and prepared against cyber attacks. To achieve business and operational efficiency, a proper cybersecurity programme should be in place to enable businesses to take control of, and mitigate, the threats they face.

Thank you Riley for imparting your knowledge and experience of internal penetration testing during the Sekuro Knowledge Webinar!

Check out this video to review the session.

Riley Kidd

Principal Consultant, Sekuro

Riley has international, technical security consultancy experience across both the European and Asia-Pacific regions, leading and building security teams to deliver technical projects and outcomes. He has enabled a variety of clients to meet their security requirements and objectives across Red Teaming and adversary simulation exercises, penetration testing, and security reviews. Riley has delivered projects and presented outcomes and findings to key stakeholders, ranging from C-suite executives and application owners to end developers. He has also created and facilitated onsite technical training across secure coding, offensive operations, security awareness, and Capture The Flag competitions.
