Network penetration testing is a controlled simulation of attacks on an organisation’s network infrastructure, conducted in two stages — automated vulnerability scanning followed by manual verification by certified penetration testers. Virtline verifies the security and resilience of a corporate network against unauthorised access from both outside and inside, delivering a report with CVSS v3.1 risk assessment and CISA KEV mapping, with remediation recommendations. Certified to ISO/IEC 27001:2023 by TÜV NORD (certificate AC090 121/2469/6137/2026, valid until 02.2029).
Network penetration testing — IT and OT infrastructure security verification
Network penetration testing is a security analysis method designed to verify the effectiveness of controls in defined segments of an organisation’s network. Our engineers verify the security and resilience of corporate networks against unauthorised interference — whether originating from outside or from within the organisation.
We deliver three types of tests: External Network Pentest — attack from the Internet perspective targeting exposed services and edge devices; Internal Network Pentest — simulation of an insider threat or a compromised host on the LAN; Wireless Network Pentest — verification of Wi-Fi, WPA3, WPA2-Enterprise and segment isolation security. Every test concludes with a detailed report in Executive + Technical format, listing all identified findings with CVSS v3.1 scores, CISA KEV mapping and remediation recommendations. Retesting after remediation is available on request.
Automated network scanning — what we verify
The first stage of the test relies on enterprise-grade scanning tools that cover IPv4, IPv6 and hybrid environments. We use Nessus Pro and Qualys VMDR for vulnerability scanning, Nmap for topology mapping and port discovery, and Rapid7 InsightVM for correlating findings with CISA KEV.
Vulnerability scanning in IPv4, IPv6 and hybrid network environments (Nessus Pro, Qualys VMDR).
Unauthenticated vulnerability detection — external attacker perspective, CVSS v3.1 scoring.
Misconfiguration detection — system configuration errors and incorrect security settings.
Outdated software — detection of unsupported components with mapping to the CISA KEV catalogue.
Default passwords and guest accounts — identification of vendor credentials left in place.
Password strength testing through controlled brute-force attacks (Metasploit, Hydra).
Network device scanning — firewalls, routers, switches (Juniper, Check Point, Cisco), printers, NAS, OT/SCADA devices.
CVSS v3.1 risk assessment across five severity levels — critical, high, medium, low, informational.
Benefits of network penetration testing
Identification of weak points in network infrastructure before an incident occurs.
Internal and external threat detection before a real attack takes place.
Security posture review for network devices and firewall infrastructure.
Protection of sensitive data and integrity of business-critical systems.
Regulatory compliance — NIS2 Art. 21, ISO 27001 A.8.29, DORA Art. 25 — audit-ready documentation.
Organisational awareness of the current security posture with a verifiable report for auditors.
How does a network penetration test work — 2 stages
We conduct tests in two stages: first we automatically scan the infrastructure using enterprise-grade tools, then our engineers manually verify the results and deepen the analysis with network-specific tests.
1. Automated vulnerability scanning — we use Nessus Pro, Qualys VMDR and Rapid7 InsightVM to map the environment, detect known vulnerabilities (CVE), identify unsupported software and configuration errors. Nmap is used for TCP/UDP port scanning and service version detection. Results are classified with CVSS v3.1 scores — from Critical (9.0–10.0) to Informational. Critical vulnerabilities are correlated with the CISA KEV catalogue, highlighting actively exploited weaknesses.
2. Manual penetration testing — engineers verify scan results, eliminate false positives and conduct network-specific tests. We use Metasploit Framework and Cobalt Strike for controlled exploitation (grey-box conditions). Network traffic is analysed via Wireshark and Burp Suite. Every finding is described with reproduction steps and a remediation recommendation.
Scope of manual network penetration testing
In the manual testing phase the engineer acts as a real-world attacker — from reconnaissance through to exploitation attempts. Our standard activities include:
- System identification via available network services (HTTP/S, SMTP, FTP, Telnet, RDP, SSH).
- Reconnaissance of computers and network devices reachable from the internet — External Network Pentest.
- Internal Network Pentest — simulation of an insider threat: lateral movement, privilege escalation, VLAN traversal.
- Wireless Network Pentest — WPA3, WPA2-Enterprise, EAP security, Wi-Fi client isolation, rogue AP detection.
- OS and software detection — operating system and application version fingerprinting (Nmap -sV).
- Exploitation using TCP and UDP port scanners plus Metasploit Framework and Cobalt Strike.
- Network topology analysis as seen from the internet and from inside LAN/DMZ segments.
- Intrusion simulation based on scan results, Metasploit exploits and Cobalt Strike techniques.
- Resilience assessment against destructive attacks using Wireshark and Burp Suite.
- Firewall rule analysis — verification of rules, policies and traffic filtering effectiveness (Check Point, Juniper, Cisco).
- System integrity assessment and possibility of unauthorised data access.
- OT/SCADA tests — Modbus, DNP3, BACnet — for clients with industrial or energy infrastructure.
When to order a network penetration test
Network tests are particularly recommended when infrastructure or regulatory changes require confirmation of the security level:
After changes to network topology or migration to a new location
Before an ISO 27001, NIS2, DORA or PCI DSS certification audit
After replacing network devices — firewall, router, switch
Following a security incident in the infrastructure
When integrating on-premises environments with public cloud (OT/IT convergence)
Periodically — at least once a year or after every significant infrastructure change
For whom — sectors covered by network penetration testing
We conduct tests for organisations in regulated sectors and critical infrastructure, where NIS2, DORA or sector-specific regulations require verification of network resilience:
- Critical infrastructure (NIS2) — operators of essential services: energy, water supply, transport.
- Banking and finance (DORA Art. 25) — financial institutions subject to DORA and national financial supervisory requirements.
- Healthcare — hospitals, laboratory networks, PACS/RIS systems, DICOM infrastructure.
- Energy and OT networks — electrical substations, SCADA systems, ICS protocols (Modbus, DNP3).
- Manufacturing and industry — converged OT/IT networks, production lines, MES/SCADA systems.
- E-commerce and retail — PCI DSS-regulated online shops, B2B platforms with sensitive customer data.
- Public administration — IT systems of public-sector entities subject to national cybersecurity frameworks.
- Telecommunications — network operators, hosting providers and data centres.
- Logistics and transport — TMS, WMS, EDI systems — particularly exposed to ransomware attacks.
- Education and research — academic networks, research repositories, university systems.
Frequently asked questions — network penetration testing
What is the difference between a network penetration test and a vulnerability scan?
A vulnerability scan (Nessus Pro, Qualys VMDR) identifies potential weaknesses from a database of known vulnerabilities (CVE). A network penetration test combines automated scanning with manual verification — the engineer eliminates false positives, assesses real business risk with CVSS v3.1 scoring and verifies whether the found vulnerabilities can lead to actual system compromise. Results are correlated with the CISA KEV catalogue to highlight actively exploited vulnerabilities.
How much does a network penetration test cost?
Cost depends on the scope, network size and test model. Indicative ranges: small scope (up to 50 hosts, External Pentest) — from €1,900 net; medium scope (50–200 hosts, External + Internal) — €3,500–€5,900 net; large scope (over 200 hosts, External + Internal + Wireless + OT) — €7,000–€9,500 net. Precise pricing is prepared after an initial consultation and scope definition.
How long does a network penetration test take?
A typical project takes 2 to 4 weeks — including reconnaissance, scanning, manual testing and report preparation. A small office network (up to 50 nodes, External Pentest) can be assessed in 3–5 business days. A corporate network with multiple branches, VLAN segmentation, cloud integration and OT/SCADA scope typically requires 2–4 weeks. The schedule and maintenance windows are agreed before the project starts.
Are tests safe for production infrastructure?
Yes — we conduct tests in grey-box mode, in coordination with the client’s IT team. Before starting, we jointly define IP ranges, maintenance windows and excluded systems. Aggressive scanning (brute-force, stress test) is carried out only after written agreement and within dedicated maintenance windows or on a staging environment. We coordinate continuously with network administrators to minimise availability risks.
Do you provide retesting after remediation?
Yes. After the client’s IT team remediates identified vulnerabilities, we conduct a retest to verify the effectiveness of the implemented fixes. The retest covers all critical and high findings from the original report. Results are documented as a supplement to the final report — this document is accepted by ISO 27001 auditors and regulatory authorities as evidence of vulnerability remediation.
Is the report suitable for auditors?
Yes. The network penetration test report consists of two parts: Executive Summary — risk overview for management and CISO, without technical jargon; and Technical Report — full list of vulnerabilities with CVSS v3.1 scores, CISA KEV mapping, reproduction steps and remediation recommendations. The report is accepted by ISO 27001 auditors, data protection supervisory authorities, financial regulators and NIS2/DORA auditors.
Which regulations do you support?
Network penetration testing supports compliance with: NIS2 Art. 21 — network security testing requirement for essential and important entities; ISO/IEC 27001:2022 A.8.29 — security testing in development and operational processes; DORA Art. 25 — ICT security testing for financial institutions (including TLPT for significant entities); GDPR Art. 32 — technical measures to ensure processing security. The report serves as accepted evidence of due diligence during external audits.
Do tests cover network devices such as firewalls and switches?
Yes. We scan firewalls, routers and switches from vendors including Juniper, Check Point and Cisco, as well as printers and NAS devices. We verify firewall rules, management port configuration, default credentials and firmware versions. For clients with OT infrastructure, we conduct ICS device tests — Modbus, DNP3, BACnet. Each finding is described with a CVSS v3.1 score.
Why Virtline for network penetration testing
Virtline is a team of cybersecurity specialists with experience in internal and external network testing — from small office environments to distributed corporate networks with cloud integration and OT/SCADA segments. Every project starts with an initial consultation in which we agree the scope, network segments to be tested, permitted working hours and attack scenarios with the client. We do not use templates — the scope is tailored to the specifics of the environment and the industry.
Tests are conducted by a dedicated team of at least two engineers, enabling mutual verification of findings and elimination of false positives. We use enterprise-grade tools: Nessus Pro, Qualys VMDR, Rapid7 InsightVM, Metasploit Framework, Cobalt Strike, Wireshark, Burp Suite and Nmap. Every finding is described with a CVSS v3.1 score and — for actively exploited vulnerabilities — with CISA KEV catalogue mapping. After the test, we review the report with the client’s technical team and conduct retesting after vulnerability remediation. Our test results are accepted by ISO 27001 auditors, data protection officers and financial sector regulators.
Order a network penetration test and confirm your infrastructure’s resilience against real-world threats.
ISO/IEC 27001:2023 Certification
Virtline certified by TÜV NORD
Virtline holds the ISO/IEC 27001:2023-08 certificate issued by TÜV NORD. Certificate number: AC090 121/2469/6137/2026, valid until 02.2029.
Talk to a Virtline expert
We will scope your project, propose an architecture and prepare a fixed quote within 5 working days. No obligations, no junior reps — you talk to engineers from day one.