Get in touch

Manual external network penetration testing

Senior engineers attack your internet-facing perimeter the way a real adversary would — to find what’s exposed, prove what’s exploitable, and close the path before someone else walks it.

Get in touch

Trusted by

Sound familiar?

Unknown exposure

You’re not sure what’s actually exposed to the internet.

Assets get spun up, DNS records linger, services drift open. You have an asset list — but no confidence it matches what an attacker can reach right now.

Shadow IT

Teams stand up services without telling security.

A forgotten staging box, an open admin panel, a dev VPN left running. The dangerous host is usually the one nobody remembers — and confirming it’s reachable and exploitable is hands-on work, not a line in a report.

Cyber-insurance

Your insurer wants proof, not a self-assessment.

Renewal or a new policy now hinges on evidence that your perimeter has been independently tested. You need a real pentest report underwriters accept — not another questionnaire.

Vendor assessment

A customer is assessing you as a supplier.

Their security team wants an independent test of your external footprint before they’ll sign or renew. The deal stalls until you hand over a report that holds up to their review.

Post-M&A

You just inherited someone else’s perimeter.

An acquisition or merger doubled your attack surface overnight — unfamiliar hosts, unknown configs, undocumented exposure. You need to know what came with the deal before an attacker maps it for you.

Scan ≠ test

Your external scan came back "clean."

An automated scan flags missing patches and weak TLS — it doesn’t chain a misconfigured service into actual access. You don’t know if a clean report means you’re safe, or just unscanned where it matters.

The cost of inaction

73%

of breaches involve external actors — and most start with a single weakness exposed to the internet: an open service, a weak credential, an unpatched edge device.

~15 min

is how fast a newly exposed internet-facing service is typically found and probed by automated adversary scanning.

1 host

is all it takes. Your perimeter is only as strong as its weakest reachable asset — and you only have to miss one.

What you should test

Deep manual testing of everything an attacker can reach from the outside — and everything you forgot was reachable.

Black-box

Unauthenticated external attacker simulation, starting from nothing but your domain or IP ranges. We discover what’s reachable before we attack it.

Grey-box

Same attack, accelerated. You share known assets, ranges, and context so we spend the engagement exploiting depth instead of re-discovering scope.

Vulnerability classes to hunt

  • Exposed admin interfaces
  • Default & weak credentials
  • Credential stuffing / password spraying
  • VPN gateway flaws
  • RDP exposure
  • Exposed databases
  • CVE exploitation on edge devices
  • Unpatched perimeter services
  • SSL/TLS misconfiguration
  • Subdomain takeover
  • DNS misconfiguration
  • SPF / DKIM / DMARC weaknesses
  • Mail relay abuse
  • Exposed management ports
  • Insecure remote access
  • Misconfigured firewalls
  • Cloud storage exposure
  • Exposed APIs
  • Leaked secrets / API keys
  • Information disclosure
  • Directory & service enumeration
  • Authentication bypass
  • Web app entry points
  • Known-exploit chaining
  • Insecure file shares
  • Anonymous access
  • Lateral pivot opportunities
  • Internal foothold from external entry
  • Logic & access-control flaws on exposed apps

Attack surface to cover

  • Internet-facing hosts
  • IP ranges
  • Web servers
  • Web applications
  • Public APIs
  • VPN gateways
  • Remote access portals
  • Mail servers
  • DNS infrastructure
  • Subdomains
  • Forgotten / orphaned assets
  • Staging & dev environments left exposed
  • Admin panels
  • Management interfaces
  • Firewalls & edge devices
  • Cloud endpoints
  • Object storage buckets
  • CDN / proxy layers
  • Load balancers
  • Third-party-hosted assets
  • Externally reachable services
  • Open ports
  • Network perimeter as a whole
  • Newly acquired (M&A) assets

What manual actually means

Most security work stops at finding a vulnerability. We treat that as the starting point.

Example: Exposed VPN / Edge Device

Level 1 — Surface

Detect & flag

Typical result for scanners, freelancers, bug bounty

A generic, checklist-driven test flags an outdated VPN appliance with a known CVE. Listed as "High". Nothing more.

Level 2 — Standard

Confirm & report

Typical result for most pentest vendors

A typical pentester actually exploits the CVE to prove access to the device, attaches a screenshot, files the finding — and stops there, without going past the perimeter.

Level 3 — Deep

Chain & impact

Typical result for XRAY CyberSecurity

Exploit the edge device to land a foothold on the perimeter, extract cached credentials, reuse them against the VPN and mail portal, pivot into the internal network, escalate to a privileged account — and demonstrate the path from a single internet-facing box to your internal systems and data.

Example: Subdomain Takeover

Level 1 — Surface

Detect & flag

Typical result for scanners, freelancers, bug bounty

A checklist test notes a dangling DNS record pointing to a deprovisioned service. Marked "Low / informational".

Level 2 — Standard

Confirm & report

Typical result for most pentest vendors

A typical pentester actually claims the subdomain to prove the takeover works, screenshots it, files the finding — and takes it no further.

Level 3 — Deep

Chain & impact

Typical result for XRAY CyberSecurity

Claim the abandoned subdomain on your trusted domain, stand up a convincing login page there, target your employees with it, harvest corporate credentials, reuse them against your exposed VPN, and gain authenticated access to the perimeter — demonstrating how one forgotten DNS record becomes a foothold inside.

Custom chains

Every perimeter has its own attack chain

Your internet-facing footprint has its own — built from forgotten hosts, edge devices, exposed services, and the trust between them.

Sometimes the chain leads inside. Sometimes a hardened control breaks it midway — and we report exactly where, and why.

Either way: you see what an attacker actually sees.

Not sure what’s actually exposed on your perimeter? Let’s map it out.

A senior pentester (not a sales rep) will get back to you with an honest read on what would actually be worth testing.

Get in touch Book a call
Case studies

From real engagements

A few engagements that show what working with us looks like — at scale, over years, across industries.

Manufacturing · FMCG

Multiple penetration testing engagements for a global food & beverage company in 120+ markets.

Blackbox and Greybox testing across multiple IT services — guaranteeing high protection for consumers, employees, contractors and shareholders while satisfying group-level compliance controls.

Read case study
B2B SaaS · LMS

Comprehensive web application pentest backing ISO 27001 certification for a corporate LMS platform.

Blackbox & Graybox testing aligned with OWASP — followed by remediation re-test and a final report that validated security posture for the ISO 27001 audit.

Read case study
View all case studies

What you'll receive

Five deliverables — built for the people who'll actually use them: your engineers, your C-level, your auditors, and your insurers.

Sample of XRAY Cybersecurity deliverables: Technical Report, Executive Summary, Retest Report, with Security Certificate on top

Want to see what these actually look like?

Get a sample report

Real structure, real findings, real format. The same documents your team and your auditors will see.

Interim Urgent Report

When we find Critical, you find out today.

If we discover a Critical-severity vulnerability mid-engagement that needs immediate attention, you get an alert with reproduction steps and recommended actions. We keep testing, you start remediating in parallel. No waiting until the final report.

For Your engineering team, your CTO

Technical Report

Prioritized findings your engineers can act on the same day.

Every vulnerability with reproduction steps, proof-of-concept exploitation, business impact, and a prioritized remediation roadmap. No false-positives. No filler. Built so your developers know exactly what to fix and in what order.

For Your engineers, your CTO, your security team

Executive Summary

What the board and investors actually need to know.

A business-language report covering the security posture of your perimeter, the risks identified, their potential business impact, and the path to remediation. Written for CEOs, boards, investors, and Enterprise procurement teams — not engineers.

For Your CEO, your board, investors, M&A counterparties, and your customers

Retest Report

Verified evidence that the fixes actually work.

After your team remediates the findings, we re-test each one and confirm the fixes hold under the same exploitation attempts. The updated report is your proof that the vulnerabilities are actually closed — not just patched on paper.

For Your auditors, your Enterprise customers

Security Certificate

A public-facing artifact you can share with customers and prospects.

After remediation and retest, we issue an official certificate confirming your external perimeter passed deep manual penetration testing. Use it on your website, in security questionnaires, in Enterprise sales conversations — the artifact your prospects and procurement teams want to see.

For Your sales team, your marketing, your Enterprise prospects

How we deliver on your goals

Industry-standard methodologies, executed by senior engineers.

Standards

Methodologies we follow

  • OWASP
  • PTES
  • NIST SP 800-115
  • MITRE ATT&CK

Compliance pentest requirements we satisfy

  • SOC 2
  • ISO 27001
  • GDPR
  • HIPAA
  • PCI DSS

The principles behind it

Manual hacking

Scanners run only as a baseline. Every finding is hand-built and verified by a senior engineer — exploited and chained manually, with your perimeter's context in mind.

Cyclical, not linear

Each finding feeds the next. New access reveals new attack surface. We loop back, dig deeper, and chain — until we reach the deepest impact your architecture allows.

Business impact, not a bug list

A list of CVEs doesn't tell you what an attacker would actually do to your business. We translate every finding into a real-world scenario — what gets compromised, who loses what, and how the chain unfolds.

Senior engineers only

No juniors learning on your environment, no outsourced backfill, no swapping engineers mid-engagement. Every engagement is run by senior offensive engineers with deep external infrastructure and adversary-simulation experience.

Quality over speed

We're not a conveyor optimizing for throughput. We take fewer engagements at a time and go deep on each — that's the trade-off.

Do no harm

All testing happens under signed Rules of Engagement. High-risk actions on production are coordinated with you in advance. Critical findings trigger an immediate alert — no surprises, no broken environments.

Actionable findings, zero false-positives

Every finding is verified, prioritized, and documented with reproduction steps and remediation guidance. Your engineers know exactly what to fix first — and they don't waste a day on noise.

Engineer-to-engineer communication

Direct access to our engineers throughout the engagement. No sales translators, no project managers gatekeeping technical detail.

Hacking as a craft

We hire engineers who hack on their own time — for research, for CTFs, for the love of the craft. Our team treats every engagement as a challenge to solve, not a ticket to close.

From your first message to your final certificate

A structured engagement built around your team — with senior engineers, direct communication, and zero surprises.

  1. First conversation

    What happens
    • You reach out — by call, form, or email, whichever you prefer
    • A senior engineer (not a sales rep) gets back to you
    • We define your goals and scope of the engagement together
    • We give you an honest read on whether we're the right fit, and what would actually be worth testing
    You receive A clear answer on direction — and whether we're a match — before anything is signed.

  2. Scoping & proposal

    What happens
    • A technical session with your team to understand your perimeter, your asset inventory, and your high-value targets
    • We walk you through a sample report so you know exactly what the deliverables look like
    • You get a detailed proposal: scope, approach, timeline, price
    You receive A full proposal and a sample report you can review with your CTO, CISO, CEO, and procurement before deciding.

  3. Kick-off

    What happens
    • Contract and NDA signed
    • Rules of Engagement signed — clear boundaries on what we test, when, and how
    • Access provisioning and documentation handoff
    • A senior engineering team is assigned to your engagement and briefed
    You receive Signed engagement contract, Rules of Engagement document, kickoff meeting summary.

  4. Reconnaissance & threat modeling

    What happens
    • Passive intelligence gathering on your public surface
    • Perimeter mapping — what is exposed, where the highest-risk surfaces are, and what was forgotten
    • Threat model: what's worth attacking, and how an external adversary would actually approach your perimeter
    • A direct engineer-to-engineer communication channel is set up for the duration of the engagement
    You receive Anything urgent that surfaces during this stage is flagged to you immediately. Otherwise, this stage feeds directly into the testing that follows.

  5. Active exploitation

    What happens
    • Manual hacking, vulnerability discovery, exploitation
    • Attack chain construction across multiple findings
    • Impact assessment for every finding before any aggressive exploitation on live systems
    • Continuous loop: each new access reveals new attack surface, and we go deeper
    You receive If we find a critical attack path that is easy to exploit and demands immediate action, you get an Interim Urgent Report — an alert with reproduction steps and recommended response. We keep testing, you start remediating in parallel.

  6. Primary report delivery

    What happens
    • Findings consolidated, verified, and documented
    • Technical Report and Executive Summary written
    • Remediation roadmap prioritized
    You receive A Technical Report (for your engineers) and an Executive Summary (for your board, Enterprise customers, and auditors).

  7. Debrief call

    What happens
    • Walkthrough of findings with your engineering team
    • Walkthrough of business impact with your leadership
    • Q&A on remediation priorities — what to fix first and why
    You receive A prioritized remediation roadmap and direct answers to your team's questions.

  8. Remediation support

    What happens
    • Support for your developers throughout the fix cycle
    • Clarification on attack vectors and remediation approaches
    • Pace depends on your team — we don't push and we don't drag
    You receive Technical guidance throughout remediation, scoped to your engagement.

  9. Retest & final certificate

    What happens
    • Each remediated finding is re-tested against the original exploitation
    • Verification that the fix holds — not just patched on paper
    • Updated reports and security certificate issued
    You receive A Retest Report, an updated Technical Report, and your Security Certificate.

Recognized by the industry

Top-rated on industry platforms

  • Top Clutch — Application Security Company 2026
  • Clutch Fall Champion 2025
  • Top Clutch — Penetration Testing 2026
  • Top Penetration Testing 2024 Award

Our engineers hold certifications including

  • OSCP+
  • CRTL
  • BSCP
  • OSEP
  • CEH
  • PNPT

In their own words

Enterprise · 3rd-Party Audit
XRAY CyberSecurity delivered a comprehensive, well-structured report with practical recommendations tailored to strengthening our application security. We received two reports — a detailed Technical and a separate Executive — which allowed us to quickly present results to leadership and build an action plan. Their readiness to communicate directly with our vendors significantly accelerated remediation.
Iryna Grynchii Cybersecurity Manager · Danone Full review on Clutch →
SaaS · Email Platform
XRAY CyberSecurity provided penetration testing for our products built on different technologies. We were able to discover vulnerabilities, fix them, and receive confirmation through retesting that they were mitigated. Communicating with their team felt more like working with coworkers than an external vendor — they were professional, knowledgeable, and gave us valuable advice.
Oleg Bida Information Security Manager Full review on Clutch →
SaaS · LMS Platform
XRAY CyberSecurity conducted gray-box penetration testing following OWASP methodologies. Their thorough manual analysis identified vulnerabilities worth attention, and their detailed technical and executive reports — followed by a retest validating our remediation — allowed us to proceed with ISO 27001 certification.
Alex Slubskyi CTO · Davintoo Full review on Clutch →
SaaS · Logistics Platform
XRAY CyberSecurity conducted thorough assessments across our web applications and cloud environments, simulating real-world attack scenarios. Their detailed reports provided clear, actionable insights that significantly improved our security posture, and their ability to communicate complex findings in an understandable way was invaluable to our team.
Taras Komenda CEO · MINT Innovations Full review on LinkedIn →
Application
The work was done quickly and professionally. XRAY CyberSecurity's specialists highlighted our vulnerable points, enabling us to improve our software quality. We received a report with detailed penetration scenarios and both technical and organizational recommendations for remediation and prevention.
Oleg Khavruk IT Director · Nash Format Full review on Forbes →
5/5 on Clutch read all reviews

Ready to test your perimeter?

Get in touch Book a call

Frequently asked questions

How do you define the perimeter — do we give you a list, or do you find it?

Both. If you have an asset inventory we start there, but we don’t trust it as complete — discovering forgotten and shadow assets is part of the job. The most dangerous host is usually the one missing from your list, and we report scope drift back to you as a finding in its own right.

How is this different from a vulnerability scan?

A scan tells you a service is potentially vulnerable; we prove whether it’s actually exploitable and what it gives an attacker. We chain a misconfiguration on one host into access on another — the work a scanner can’t do. You get exploited paths and business impact, not a list of CVEs to triage on your own.

Will testing impact our production environment?

No, and that’s by design. Every engagement runs under signed Rules of Engagement defining exactly what we test and how. High-risk actions — anything that could affect availability of a live service — are coordinated and only executed with your explicit approval.

Will you trigger our cloud provider’s or ISP’s abuse policies?

We account for this up front. For major cloud platforms we follow their testing rules and, where required, coordinate authorization before testing hosted assets. We won’t put your account or hosting at risk to run a test.

How do you handle confidentiality, our data, and legal accountability?

Every engagement starts with a signed NDA and a contract with full corporate liability. Findings and any data accessed are stored encrypted, accessed only by the assigned engineers, and deleted after the engagement closes per the retention period in your contract. We carry professional indemnity insurance — if something goes wrong, you have a company to hold accountable.

Should we coordinate with our SOC / monitoring team during testing?

Your call. We can run "dark" to test whether your team detects us, or coordinate notifications so testing doesn’t trigger an unnecessary incident response. We discuss this in the kickoff and adapt to what you want to measure.

How much effort does this require from our team?

Less than most expect. Setup is concentrated in the first days — confirming scope, ranges, and authorizations. After that your involvement is occasional clarifying questions. The real time investment is on your side during remediation, which runs on your timeline.

What if you don’t find a way in?

It’s rare, but it happens — and a clean result from a senior team is a meaningful one. You still receive the full deliverables: a report documenting the depth of testing, the methodology applied, and every asset covered — the same artifact your insurer, auditor, or customer needs.

Are there hidden fees? Is retesting included?

The proposal price is the price you pay — fixed, in the contract, tied to agreed scope. Retesting after you remediate is included, with an updated report and Security Certificate. The only thing that changes the price is you expanding scope mid-engagement, and we agree any change in writing before work begins.

Let's talk.

Tell us about the task you're looking to solve.

Or book a 20-min call directly