Penetration testing comes in two flavors: testing from inside your network or attacking from the outside. The choice between internal and external assessments shapes what vulnerabilities you'll uncover and how much you'll spend.
What Is External Penetration Testing?
External penetration testing simulates an attacker who has zero access to your network—they're working from the internet, targeting your public-facing systems. A tester will scan your web applications, email servers, VPNs, firewalls, and any other assets visible to the world.
This approach finds the holes an actual cybercriminal would exploit first. Think exposed databases, weak SSL/TLS configurations, unpatched web applications, or social engineering weak points. External assessments typically cost $5,000–$15,000 for a small organization and $20,000–$50,000+ for enterprise scope, depending on complexity and number of targets.
Timeline is usually 1–2 weeks of testing, plus another week for reporting.
What Is Internal Penetration Testing?
Internal penetration testing assumes an attacker already has a foothold inside your network—maybe they've phished an employee or compromised a contractor. The tester works from inside your corporate network, checking what damage they could do once past the perimeter.
This reveals lateral movement risks, privilege escalation paths, unencrypted data, weak Active Directory configurations, and misconfigured internal systems. It's where you often find the high-severity findings that directly threaten your most critical assets.
Internal tests typically cost $8,000–$20,000 for mid-market organizations, with timelines of 1–2 weeks plus reporting.
Which One Should You Choose?
Choose external testing if:
- You've never had a penetration test before
- Your business relies heavily on internet-facing applications or APIs
- You're preparing for compliance audits (PCI-DSS, SOC 2)
- You have limited security budget and must prioritize one assessment
Choose internal testing if:
- You already know your external posture is reasonably secure
- Your biggest risk is insider threats or compromised endpoints
- You store sensitive data internally (customer databases, intellectual property)
- You want to validate your incident response procedures
Consider both if:
- You're a mid-size or larger organization with complex infrastructure
- You handle regulated data (healthcare, financial, legal)
- You have a dedicated security team ready to remediate findings
- Your annual security budget exceeds $50,000
Key Differences at a Glance
| Factor | External | Internal | |--------|----------|----------| | Access point | Internet-facing systems | Inside corporate network | | Focus | Perimeter defenses, public exploits | Lateral movement, privilege escalation | | Typical cost | $5K–$50K | $8K–$20K | | Timeline | 1–2 weeks | 1–2 weeks | | Best for | First-time assessments, compliance | Post-breach scenarios, insider risk |
Scoping Your Assessment
Before hiring a penetration testing firm, define scope clearly:
- Target systems: List specific IP ranges, domains, applications, or infrastructure you want tested
- Testing window: Agree on dates and times (avoid critical business periods)
- Rules of engagement: Clarify whether testers can use social engineering, disable systems, or access production databases
- Out-of-scope items: Specify what's off-limits (third-party platforms, physical locations, specific departments)
- Deliverables: Confirm you're getting a written report with findings, severity ratings, and remediation guidance
A poorly scoped assessment wastes money. A tester given 40 IP ranges might only scratch the surface; one given 3–5 specific high-risk applications might find critical issues worth millions in prevention.
Finding the Right Firm
Look for testers with relevant certifications: OSCP (Offensive Security Certified Professional), GPEN (GIAC Penetration Tester), or CEH (Certified Ethical Hacker) are solid indicators of technical depth. Ask for references from organizations similar in size and industry to yours.
Expect to pay more for experienced firms—they usually deliver clearer findings and actionable remediation steps. Budget penetration testing firms ($3K–$8K) cut corners on documentation and depth.
You can compare vetted penetration testing and vulnerability assessment providers side-by-side on Mercoly, which helps you evaluate pricing, methodologies, and certifications without endless vendor calls.
Timeline and Remediation
Plan for follow-up work. After you receive your report, allocate 2–4 weeks for your team to patch and remediate findings, then schedule a re-test in 4–8 weeks to confirm fixes. High-risk vulnerabilities should be addressed within days, not months.
Frequently Asked Questions
Q: Can one assessment replace the other? No. External and internal tests target different attack surfaces. An external test won't reveal what happens after compromise; an internal test won't validate your public-facing defenses. Most security frameworks recommend both.
Q: How often should we run penetration tests? Annual testing is standard, but high-risk organizations (finance, healthcare, critical infrastructure) should test twice yearly or after major changes. After penetration tests, run quarterly vulnerability scans as a lighter-weight check.
Q: What's the difference between penetration testing and vulnerability scanning? Scanning finds potential issues automatically; testing verifies which ones are actually exploitable and chained together to cause real damage. Scanning costs $2K–$5K annually; testing is deeper and more expensive but more actionable.
Start by understanding your biggest risk surface, then book an assessment that matches your maturity level and budget.