
Network penetration testing is one of the most widely purchased cybersecurity services in the UK, but it remains poorly understood by many of the organisations that commission it. Decision-makers who approve the budget often have limited visibility into what the testing actually involves, what findings look like in practice, and how the results should inform their security posture.
Understanding the process helps you ask better questions, set realistic expectations, and get more value from the engagement. Here is what happens during a well-run network penetration test.
Scoping and Pre-Engagement
The engagement begins before the tester touches a single system. Scoping defines the boundaries: which IP ranges, segments and systems are in scope, and which are explicitly excluded. Getting this right matters. Too narrow a scope produces a limited view of your risk. Too broad, and the time budget is diluted across systems that are not business-critical.
Rules of engagement are agreed upfront: testing hours, out-of-scope actions, emergency contact procedures, and how to handle sensitive data encountered during testing. A reputable firm handles all of this formally, with written authorisation, before work begins.
Reconnaissance and Discovery
Testing begins with discovery. The tester maps the in-scope network, identifying live hosts, open ports, running services and operating system versions. This builds a picture of the attack surface before any exploitation is attempted.
Internal network penetration testing typically also includes Active Directory enumeration: mapping the domain structure, identifying users, groups and privileged accounts, and looking for obvious misconfigurations before moving to active exploitation.
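The discovery output a tester works from is usually a scan file rather than a pretty report. As an added example (not Aardwolf Security's tooling), the script below parses nmap's greppable `-oG` format into a per-host inventory and flags the services that most often become findings or pivot points on an internal test. The scan lines, host names, addresses and version strings are constructed for illustration, and the "high interest" list is this example's own judgement, not an industry standard.

```python
"""Turn nmap greppable (-oG) output into an attack-surface inventory.

Added example, not the testing firm's own code. SAMPLE_GNMAP is constructed
to look like `nmap -sV -O -oG -` output; every host in it is invented.
"""
from dataclasses import dataclass, field

# Constructed sample output (hypothetical hosts and services).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -O -oG - 10.0.0.0/29
Host: 10.0.0.1 (fw01.corp.local)\tStatus: Up
Host: 10.0.0.1 (fw01.corp.local)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx 1.14.0/\tIgnored State: filtered (998)\tOS: Linux 3.10
Host: 10.0.0.5 (dc01.corp.local)\tStatus: Up
Host: 10.0.0.5 (dc01.corp.local)\tPorts: 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (996)\tOS: Windows Server 2019
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 23/open/tcp//telnet//Cisco IOS telnetd/, 161/open/udp//snmp//SNMPv1 server/\tIgnored State: closed (1998)
# Nmap done -- 8 IP addresses (3 hosts up) scanned
"""

# Services worth manual follow-up on an internal test (this example's own list).
HIGH_INTEREST = {
    ("tcp", 21): "FTP: cleartext credentials",
    ("tcp", 23): "Telnet: cleartext management access",
    ("udp", 161): "SNMP: test default community strings",
    ("tcp", 389): "LDAP: test anonymous bind, enumerate AD",
    ("tcp", 445): "SMB: check signing, null sessions, share permissions",
    ("tcp", 3389): "RDP: check NLA and who can reach it",
}


@dataclass
class Service:
    port: int
    proto: str
    name: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    os: str = ""
    services: list = field(default_factory=list)


def parse_gnmap(text):
    """Return {ip: Host} built from the Host: lines of a -oG file.

    -oG puts one record per line with tab-separated fields; the Ports field is
    a comma-separated list of port/state/proto/owner/service/rpc/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and the "Nmap done" trailer
        fields = line.split("\t")
        _, addr = fields[0].split(" ", 1)        # "Host: 10.0.0.1 (name)"
        ip, _, rest = addr.partition(" ")
        host = hosts.setdefault(ip, Host(ip=ip, hostname=rest.strip("()")))
        for fld in fields[1:]:
            key, _, value = fld.partition(": ")
            if key == "Ports":
                for entry in value.split(", "):
                    port, state, proto, _own, name, _rpc, ver, *_ = entry.split("/")
                    if state == "open":           # ignore closed/filtered noise
                        host.services.append(Service(int(port), proto, name, ver))
            elif key == "OS":
                host.os = value
    return hosts


def triage(hosts):
    """List (ip, 'port/proto', note) for every high-interest open service."""
    hits = []
    for ip in sorted(hosts):
        for svc in hosts[ip].services:
            note = HIGH_INTEREST.get((svc.proto, svc.port))
            if note:
                hits.append((ip, f"{svc.port}/{svc.proto}", note))
    return hits


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for h in inventory.values():
        print(f"{h.ip:<12} {h.hostname or '-':<18} {h.os or 'OS unknown'}")
        for s in h.services:
            print(f"    {s.port}/{s.proto:<4} {s.name:<14} {s.version}")
    print("\nFollow-up:")
    for ip, port, note in triage(inventory):
        print(f"  {ip} {port}: {note}")
```

Run it as written to see the constructed inventory, or pipe a real scan in via `parse_gnmap(open("scan.gnmap").read())`. The point of the triage list is that discovery is not just a port count: the tester reads the inventory for the services that historically lead somewhere, and that is where the manual work starts.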
Vulnerability Identification

Once the environment is mapped, the tester identifies vulnerabilities. This combines automated scanning with manual investigation. The scanner flags known CVEs against the services in use. Manual analysis explores configuration issues, credential weaknesses, and logic flaws that the scanner cannot detect.
Common findings at this stage include unpatched services, default credentials on network devices, SMB signing disabled or not required, weak password policies, and excessive service account permissions. None of these requires sophisticated exploitation techniques; they reflect configuration and patching discipline.
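"SMB signing disabled" is a good illustration of a finding the scanner can only see by asking the server. As an added example (not Aardwolf Security's tooling), the script below speaks just enough SMB2 to send a NEGOTIATE request and read the SecurityMode field of the reply, which is exactly how scanners decide between "signing required", "signing enabled but not required" and "signing disabled". The sample response bytes are constructed by `build_negotiate_response()` so the parser runs offline; `check_host()` is the live version and assumes a reachable server on TCP 445.

```python
"""Report an SMB server's signing posture from its SMB2 NEGOTIATE response.

Added example, not the testing firm's own code. Offsets follow MS-SMB2:
64-byte packet header, then the NEGOTIATE response body whose SecurityMode
field sits at body offset 2. The offline sample is constructed below.
"""
import socket
import struct
import sys
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED
# Offer 2.0.2 .. 3.0.2; 3.1.1 would need negotiate contexts, which this example skips.
DIALECTS = [0x0202, 0x0210, 0x0300, 0x0302]
DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def smb2_header(command, flags=0):
    """64-byte SMB2 header: credits, ids and signature all zero (pre-session)."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command, 0,
                       flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request():
    """NetBIOS-framed NEGOTIATE request advertising that we support signing."""
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in DIALECTS)
    pkt = smb2_header(SMB2_NEGOTIATE) + body
    return struct.pack(">I", len(pkt)) + pkt   # 0x00 type byte + 3-byte length


def build_negotiate_response(security_mode, dialect=0x0302):
    """Constructed minimal NEGOTIATE response, used here only as offline sample data."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x00" * 16, 0, 8388608, 8388608, 8388608, 0, 0, 128, 0, 0)
    pkt = smb2_header(SMB2_NEGOTIATE, flags=0x00000001) + body  # flag: server-to-client
    return struct.pack(">I", len(pkt)) + pkt


def parse_negotiate_response(data):
    """Return (dialect, security_mode) from a NetBIOS-framed SMB2 NEGOTIATE response."""
    smb = data[4:]
    if len(smb) < 64 + 6:
        raise ValueError("response too short for an SMB2 NEGOTIATE response")
    if smb[:4] != SMB2_MAGIC:
        raise ValueError("not SMB2 (SMB1-only server, or not SMB at all)")
    command = struct.unpack_from("<H", smb, 12)[0]
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"unexpected command 0x{command:04x}")
    security_mode, dialect = struct.unpack_from("<HH", smb, 64 + 2)
    return dialect, security_mode


def classify_signing(security_mode):
    """Map SecurityMode bits to the wording that appears in a report."""
    if security_mode & SIGNING_REQUIRED:
        return "required"
    if security_mode & SIGNING_ENABLED:
        return "enabled but not required"   # NTLM relay / tampering possible: a finding
    return "disabled"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_host(host, port=445, timeout=5.0):
    """Live check against a real server (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        hdr = _recv_exact(s, 4)
        data = hdr + _recv_exact(s, int.from_bytes(hdr[1:], "big"))
    dialect, mode = parse_negotiate_response(data)
    return {"host": host, "dialect": DIALECT_NAMES.get(dialect, hex(dialect)),
            "signing": classify_signing(mode)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))
    else:  # offline demonstration on constructed responses
        for mode in (SIGNING_ENABLED | SIGNING_REQUIRED, SIGNING_ENABLED, 0):
            d, m = parse_negotiate_response(build_negotiate_response(mode))
            print(f"dialect {DIALECT_NAMES[d]}: signing {classify_signing(m)}")
```

The case that turns up on almost every internal test is the middle one: Windows workstations and member servers answer with signing enabled but not required by default, which is what makes NTLM relay attacks against them practical. Domain controllers require signing by default, so a DC reporting anything else is worth a closer look at its policy. Note that a server which only speaks SMB1 will not answer this request at all, and that is itself a finding.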
Exploitation and Post-Exploitation
Exploitation validates whether identified vulnerabilities are actually exploitable in your environment. The tester attempts to use findings to gain access, escalate privileges, or move laterally within the network. The goal is to demonstrate realistic business impact, not just to flag theoretical vulnerabilities.
Post-exploitation activities show what an attacker could do from a compromised position. Domain compromise, access to sensitive file shares, access to backup infrastructure, or the ability to disable security tooling all represent different levels of impact. The report should be specific about what was achieved and what it means.
Reporting and Remediation
The deliverable is a written report covering all identified vulnerabilities, their severity, evidence of exploitation where achieved, and remediation guidance. A good report distinguishes between critical findings that need immediate attention and lower-severity issues that can be addressed in the next patch cycle.
Reputable firms offer a retest to verify that remediations have been implemented correctly. This closes the loop and gives you confidence that the identified issues are genuinely resolved.
If you are thinking about commissioning a test, getting a penetration test quote from a CREST-certified firm is the right starting point. The certification matters: it means the testers and the firm have been independently assessed against industry standards.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“A well-run network penetration test gives you a realistic view of what an attacker could achieve in your environment. The value comes from the depth of the manual investigation, not just the scan results. Clients should expect to see proof-of-concept exploitation, not just a list of CVEs.”