Infrastructure Penetration Test

The aim of an Infrastructure (or network) penetration test is to discover vulnerabilities that could be used by an adversary to gain unauthorised access to the network and systems.

This assessment helps organisations gauge whether the security controls in place are sufficient to protect your organisation, specific systems and sensitive information from attacks.

Our specialists assume the position of an external attacker and look to exploit vulnerabilities and system misconfigurations to gain access to the organisation's network over the internet and assess the impact of gaining such access.

You are provided with a detailed report containing practical and actionable recommendations for resolving all vulnerabilities identified in the test.

Key Benefits

  • Discover and eliminate vulnerabilities to help you secure your network environment and decrease the likelihood and impact of a cyber breach

  • Recognise previously undiscovered security issues that pose a threat to your organisation

  • Define your own security standard and maintain that standard through regular testing
  • Give clients, partners, suppliers and stakeholders the confidence that you have a strong cyber security posture

  • Focus efforts and budget on the most important security issues by tackling the most critical issues first identified in the penetration testing report

Our Infrastructure Penetration Test Approach


1. Passive Information Gathering

Passive information gathering consists of extensive querying of public information sources to discover details that may have been unintentionally leaked about the environment, organisation and infrastructure.

These queries are passive, and involve no direct probing of the target system.

2. Target Identification

Security Alliance penetration testers begin the practical testing by determining the live hosts within the defined target environment.

Target network ranges and host addresses are determined from any provided host lists and network diagrams, and from discussions with the client technical contact, as appropriate.

3. Target Enumeration

Having identified the 'live' hosts, Security Alliance consultants attempt to use them to extract further information about that network.

4. Vulnerability Identification

Having enumerated the hosts and developed an understanding of how each host interacts with both the remote user and the remainder of the target environment, the penetration testers proceed to identify the vulnerabilities that are likely to exist on each host.

5. Vulnerability Analysis

The output from automated scanners is analysed to identify only the confirmed vulnerabilities.

In addition, based on the fingerprints of the Operating System and Software identified in the previous phase, the penetration testers access vulnerability databases to obtain details of vulnerabilities affecting the specific platform.

6. Vulnerability Exploitation

This phase attempts to exploit identified vulnerabilities on the host. This phase is conducted only when you request for us to perform exploits against the services running on the servers.

The exploitation phase involves attempts to execute publicly available exploits and does not include creation of new payloads/exploits. Successful exploitation of vulnerabilities may serve to indicate the ease at which those vulnerabilities can be exploited.

What happens next

We'll schedule a preliminary phone call to learn about your challenges

You'll outline your needs and highlight any relevant applications in a scoping questionnaire

We'll review the results and send a detailed proposal outlining the service and pricing

You'll let us know when to proceed

We'll schedule a convenient start date and begin gathering the required technical information in advance


Our Accreditations

      Crest Star                         Cyber Essentials Certification       G-Cloud Supplier

Contact Us

Frequently Asked Questions


What types of systems have you performed penetration testing on?

Testing the network layer (firewalls, web servers, email servers, FTP servers, etc.); the application layer (all major development languages, all major web servers, all major operating systems, all major browsers); wireless systems; internal workstations, printers, fax machines. We have performed tests and security assessments for organisations from a range of sectors including:

  • Financial services
  • Insurance
  • Retail
  • E-commerce
  • IT service providers
  • Oil & gas
  • Government
  • Global consultancy and audit firms


What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is performed using an automated scanner which allows for detection of platform specific issues. It recognises patterns, signatures, and payloads that match a pre-defined set of vulnerabilities. They are not "context-aware", nor do they understand critical business functions or important security controls like authentication and authorisation.

Dependency only on vulnerability scans may result in missing critical security flaws, and insecure configurations which can only be identified by an expert. A penetration test leverages knowledge given by vulnerability scans to analyse, and make decisions on what exploits and attack paths can be taken.

For example: In a recent engagement vulnerability scans reported a specific issue on 100’s of a customer’s webservers. The penetration testing team then investigated this issue, identified the conditions under which such vulnerabilities can be exploited and isolated five servers where a successful exploit could be carried out.

Most vulnerability scanners are configured to perform "safe checks" for buffer overflows, and sometimes may even lower risk ratings while reporting such issues.

A penetration testing exercise would however be able to clearly identify if the buffer overflow can be performed without any damage to the targeted systems.

Why do you ask for IP addresses for this engagement?

Or…Shouldn't you be able to find all this information for yourself and identify our systems and their vulnerabilities?

We conduct ethical hacking exercises. This means we are bound by law, ethics and a code of conduct from our industry body (CREST). We therefore do not carry out certain activities that hackers would. Providing this information also allows us to provide a comprehensive test in a shorter time-frame resulting in an affordable test for you.

Time is a less critical factor for a cyber criminal. Attackers will often take months or even years to prepare for an attack on an organisation. A real-life hacker would spend a considerable length of time performing reconnaissance to gain access to sensitive information about your people, processes and systems.

Instead we start the simulation from the point at which your adversary has already completed preliminary reconnaissance.

What if my administrators detect your attacks and block the IPs?

Firstly, it is a positive outcome if system administrators or security operations personnel detect our attacks promptly.

To enable us test efficiently and cost effectively, we request that our IP addresses are not blocked even when an attack is detected.

During a security test, we try a large number of attacks in a very short time. This could trigger a large number of alerts in your IDS and catch the attention of the administrators. Please remember that in practice, an attacker might try these attacks slowly, over a longer period of time, and slip beneath the radar.

Bespoke security testing

Minimising Cyber Security Risks

Our Security Testing Programmes help clients identify and mitigate against the vulnerabilities within their infrastructure, processes and people. We design and conduct rigorous investigative engagements that locate and fortify weaknesses within technology, code and human behaviour.

We offer a broad range of standalone and managed security testing services, as part of both point-in-time projects and ongoing, integrated programmes.