Network Vulnerability Assessment: Scanning Infrastructure for Weaknesses

External Network Assessment
External assessment evaluates every internet-facing system for exploitable vulnerabilities: unpatched services, exposed management interfaces, weak encryption, default credentials, and information disclosure. This is your perimeter—the attack surface visible to anyone on the internet. PCI DSS requires quarterly external ASV scanning of all systems in the cardholder data environment.
Internal Network Assessment
Internal assessment evaluates the systems behind your firewall: servers, workstations, network devices, Active Directory, and internal applications. Internal vulnerabilities enable lateral movement after initial compromise—which is how most breaches escalate from initial access to full compromise.
Credentialed vs Non-Credentialed Scanning
Non-credentialed scans test from an unauthenticated perspective, identifying the vulnerabilities visible to anyone who can reach the system over the network. Credentialed scans authenticate to target systems and evaluate configurations, installed software, and internal settings with much greater accuracy and far fewer false positives. Always use credentialed scanning for internal assessments.
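The accuracy gap described above, as an added example that is not part of the original page: a banner-only check and a package-inventory check are run against the same constructed hosts. The advisory ID, the package name exampled, the versions, and the host data are all hypothetical, and the version ordering is a simplification.

```python
import re

# Constructed advisory: placeholder ID, hypothetical package and versions.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "package": "exampled",
    "upstream_fixed": "2.4.10",        # first upstream release with the fix
    "distro_fixed": "2.4.6-3+patch2",  # vendor build that backports the fix
}

def vtuple(version):
    """Order versions by their numeric fields (simplified; not a real
    package-manager comparison algorithm)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def banner_check(banner):
    """Non-credentialed view: only the version in the service banner.
    Returns True (flag), False (clear) or None (nothing to evaluate)."""
    m = re.search(ADVISORY["package"] + r"/(\d+(?:\.\d+)*)", banner)
    if not m:
        return None
    return vtuple(m.group(1)) < vtuple(ADVISORY["upstream_fixed"])

def credentialed_check(installed):
    """Credentialed view: exact build from the host's package inventory."""
    build = installed.get(ADVISORY["package"])
    if build is None:
        return None
    return vtuple(build) < vtuple(ADVISORY["distro_fixed"])

# Constructed scan data for three hypothetical hosts.
HOSTS = {
    "host-a": {"banner": "exampled/2.4.6", "installed": {"exampled": "2.4.6-3+patch2"}},
    "host-b": {"banner": "exampled/2.4.6", "installed": {"exampled": "2.4.6-1"}},
    "host-c": {"banner": "", "installed": {"exampled": "2.4.5-2"}},
}

def compare(hosts):
    """Return {host: (banner_verdict, credentialed_verdict)}."""
    return {name: (banner_check(h["banner"]), credentialed_check(h["installed"]))
            for name, h in hosts.items()}

if __name__ == "__main__":
    for name, (b, c) in compare(HOSTS).items():
        print(f"{name}: banner={b} credentialed={c}")
```

host-a is the false positive the banner check produces for a backported fix, host-b is flagged by both methods, and host-c is missed without credentials because its banner reveals no version.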
From Scan to Fix
Network assessment findings typically include missing patches (apply vendor updates), service misconfigurations (harden to CIS Benchmarks), exposed services (restrict access through firewall rules), and weak credentials (enforce password policies). Penetrify's network vulnerability assessment combines automated scanning for broad infrastructure coverage with manual penetration testing that validates whether scan findings are genuinely exploitable.
The Bottom Line
Network vulnerability assessment provides the infrastructure security baseline that compliance frameworks require. Penetrify combines automated network scanning with manual exploitation testing for complete coverage.