
Technical security testing and assurance

Vulnerability assessment and penetration testing across external perimeters, internal networks, web applications, and cloud infrastructure — with prioritised findings and verification retesting.

All testing is conducted within an agreed scope and under written authorisation. Findings are documented in structured reports with CVSS scores, business impact ratings, and actionable remediation guidance.

VAPT | Web application | Infrastructure
Scan running
auditvantage-scanner — bash
$ nmap -sV --script vuln target.example.com
Starting Nmap 7.94 scan at 2026-04-14
Host is up (0.023s latency)
443/tcp open https Apache/2.4.51
CVE-2021-41773 — Path traversal CRITICAL
Scanning 3 additional services...
9.8 Path traversal — Apache 2.4.51 :443
7.5 Exposed admin panel — no auth :8080
5.3 Missing security headers (CSP) :443
1 CRITICAL | 2 HIGH | 5 MEDIUM

What penetration testing covers

A penetration test simulates the techniques and methods used by real-world attackers to identify exploitable vulnerabilities before they can be used against the organisation. AuditVantage conducts testing across external network perimeters, internal network environments, web applications and APIs, and cloud infrastructure — within an agreed scope and under written authorisation.

Every engagement begins with scoping to define the target systems, testing methodology, rules of engagement, and acceptable testing windows. Testing is conducted using industry-standard methodologies including OWASP, PTES, and OSSTMM, with findings assessed against CVSS and contextualised for business impact.

All testing is authorised: No testing begins without a signed scope agreement and written authorisation. AuditVantage does not conduct any testing outside the agreed scope.

External network and perimeter testing

External penetration testing evaluates the security of internet-facing infrastructure — web servers, mail servers, VPN endpoints, firewalls, and cloud-hosted services — from the perspective of an external attacker with no prior access. Testing includes port scanning, service enumeration, vulnerability identification, and exploitation attempts within scope, followed by post-exploitation assessment where applicable.

Web application and API testing

Web application testing covers the OWASP Top 10 and beyond — injection vulnerabilities, broken authentication, insecure direct object references, security misconfigurations, sensitive data exposure, and business logic vulnerabilities specific to the application. API testing assesses REST and GraphQL endpoints for authentication bypass, excessive data exposure, and injection risks.

Testing can be conducted black-box (no credentials), grey-box (standard user credentials), or white-box (full access to source code and configuration) depending on the objective and scope.

Internal network testing

Internal penetration testing assumes the perspective of an attacker who has already gained an initial foothold — through phishing, a compromised endpoint, or physical access — and evaluates the ability to move laterally, escalate privileges, and reach sensitive systems or data. Testing covers Active Directory environments, network segmentation, internal application security, and credential exposure.

Cloud infrastructure testing

Cloud security assessments evaluate the configuration of AWS, Azure, or GCP environments against established benchmarks including CIS Controls and cloud provider security best practice. Testing covers IAM configuration, storage bucket exposure, network security group rules, logging and monitoring gaps, and container security where applicable.

Reporting and remediation support

Every engagement concludes with a structured findings report covering: an executive summary suitable for management and board; detailed technical findings with CVSS scores, reproduction steps, and evidence; a prioritised remediation roadmap; and an indicative remediation timeline. AuditVantage provides verification retesting for critical and high findings following remediation to confirm that vulnerabilities have been addressed effectively.

Ready to start?

Get in Touch to discuss your environment, objectives, and testing timeline.


Typical finding distribution

Critical (9.0–10.0): 8%
High (7.0–8.9): 22%
Medium (4.0–6.9): 45%
Low (0.1–3.9): 25%

Indicative distribution based on published industry benchmarks. Actual findings vary significantly by environment and sector.

Find us


Address

Breite Str. 27
40213 Düsseldorf
Germany
