What's in scope
- Port scan + service fingerprint on every internet-facing IP/host you authorize. Slow + stealthy by default; aggressive on request.
- TLS posture — cipher selection, cert validity, HSTS, mixed-content downgrades, expired chain anchors.
- Exposed admin panels — old phpMyAdmin, forgotten WordPress wp-admin, vendor-shipped router admin pages, IPMI / iLO / iDRAC.
- Default credentials test — against the panels we find. Read-only attempt; no dictionary spray, no brute force.
- Public-cloud bucket exposure — S3 / GCS / Azure Blob with public-read enabled. Common misconfig that leaks customer data.
- GitHub / GitLab leaked secrets — we search for your domain, your prefix, your common secret formats. Often finds keys in long-archived repos.
- Employee email exposure — check have-i-been-pwned + dehashed for past breaches involving your domain. Lets you force-reset only the accounts that need it.
- DMARC / SPF / DKIM — email-spoofing posture. Can someone forge mail from accounting@yourcompany.com?
- Out-of-scope appendix — if I find a critical exposure beyond what you authorized, it goes in the report appendix as a finding (not as live testing) so you can decide next steps.
What's NOT in scope
- External-only is exactly that — nothing inside your network. No drop-box, no internal scanning, no AD enumeration, no employee phishing. Those are separate engagement types: Internal / assumed-breach, Social engineering with consent.
- No exploitation by default. If a vuln is found, the scope determines whether to verify with a controlled exploit. The default is "discovery only."
- No password spray. Default-creds test only. If you want full credential testing, that's a dedicated phase that requires explicit authorization + lockout-policy review.
- No DDoS / load testing. Never. Period.
- No social engineering of staff. External assessment is technical only; phishing is a separate written authorization.
Deliverables
- Executive summary — one page. Top 3 findings, top 3 recommendations, overall risk rating.
- Technical findings — ranked by severity. Per finding: what was found, how, why it matters, fix recommendation, evidence appendix reference.
- Evidence appendix — commands run, raw output, screenshots. Auditable trail.
- Live debrief call — 60-90 min walk-through with your team. Q&A while findings are still fresh.
- Re-test of fixes — one round included within 30 days of report delivery, free.
- The report is yours — plain PDF, no SaaS portal. You can hand it to insurers, regulators, or the next IT contractor.
Pricing
Standard external assessment: from $1,200. Single domain or /27 IP range. 1 week elapsed time. Report + debrief.
External + internal combined (most-popular package): from $2,800. See the main pentest page for the full combo.
Verified nonprofit code TCG26FREE: External-only assessment available at no cost. Scope is reasonable; report still yours.