Network Level - External Vulnerability Assessment & Penetration Testing

Test Objective 

The test assesses the security of the organization’s systems from Internet based attacks.

Audit Serve’s Internet Vulnerability Assessment & Penetration Testing Methodology
Step 1: Network Mapping and Discovery
  • Technical information provided by the client
  • Use publically available information such as ARIN WHOIS Search to verify IP ranges provided by the client
  • Use QualysGuard tool licensed by Audit Serve to identify intermediary network devices
Step 2: Target Identification and Service Discovery
  • Use port scanner to scan all RCP/UDP ports for all IP addresses
  • Use QualysGuard tool licensed by Audit Serve to provide additional verification of open ports and to identify services which are available
  • Audit Serve performs additional manual tests to identify available services to intruders
Step 3: Vulnerability Identification, Analysis and Risk Validation
  • Use QualysGuard tool licensed by Audit Serve to identify known security vulnerabilities and poor system configuration
  • Perform analysis of vulnerabilities and determine whether they are false positives based on validation of system configuration
  • Conduct interviews with client to discuss use of technology where vulnerabilities discovered to determine residual risk
Step 4: Active Exploitation
  • Use exploitation components of the QualysGuard tool licensed by Audit Serve
  • Run password cracking tools to disclose accounts
Step 5: Remedial Advisory
  • Provide guidance on remedial action to reduce risk of vulnerabilities identified to acceptable levels
Audit Serve’s Internet Vulnerability Assessment & Penetration Report
Our penetration test report contains two parts:
  • An executive summary intended for senior management which highlights the findings and action items from the penetration test
  • Detailed findings and action items that describe the vulnerabilities discovered, its impact and how to fix each one
Common Usage of the Service
  • Many organizations are required to conduct independent penetration tests by various government regulatory agencies.
  • One of the key control requirements of a SSAE 16 (formally SAS 70) is to perform independent penetration testing.
  • Most organizations’ Sarbanes-Oxley IT General Controls require annual independent penetration testing.
Contact Mitch Levine at or call (203) 972-3567 to (203) 972-3367 to start the penetration test of your organization.

Cost of Service


1 – 3 IP Addresses
4 – 7 IP Addresses
8 – 15 IP Addresses
16 – 35 IP Addresses
One Time Scan & report w/o rerun option
One Time Scan & report with rerun
Quarterly Scan & report
Quarterly Scan & report with rerun


The rerun option allows for a subsequent scan to be run after the organization completes the remediation of issues identified during the initial scan.  If the rerun option is selected, the initial deliverable will be a report of issues.  After the rerun is performed, the final report will be issued. 

AuditNet - The Global Resource for Auditors

Audit Vision

Since 1991
Join 3,500 other subscribers



Free Audit Serve Seminars Posted Online

25 minute extract from the seminar entitled "Alternate Control Design Approaches for z/OS" presented by Mitch Levine in London (at the Churchill War Rooms) March, 2018 which would be of interest to IT Audit, Security and GRC personnel

General Data Protection Regulation Seminar

Copyright © 2015. All Rights Reserved.