Safeguard 18.2: Perform Periodic External Penetration Tests
Implementation Groups: IG2, IG3
Control Group: 18. Penetration Testing
Asset Type: Network
Security Function: Identify

Description

Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

Implementation Checklist

1. Document the current state and create a baseline inventory of internet-facing assets (domains, subdomains, public IP ranges, exposed services) that make up the external attack surface
2. Define the data fields and attributes to track for each asset (owner, business purpose, exposed ports and services, last test date, open findings)
3. Assign ownership and responsibilities for the testing program and for remediation of findings
4. Establish a review cadence (testing no less than annually) and procedures for updating scope as the attack surface changes
5. Define the penetration testing scope and rules of engagement, including a reconnaissance phase to detect publicly exposed information
6. Engage a qualified penetration testing team (internal or third party) with demonstrable skills and experience
7. Review findings and prioritize remediation by exploitability and business impact
8. Validate remediation through retesting and record the results

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Internet-Facing Vulnerability Exploited by External Attacker

Confidentiality

An attacker exploits a misconfigured external-facing service that would have been identified through an external penetration test, gaining initial access to the enterprise network.

Sensitive Information Exposed via OSINT Reconnaissance

Confidentiality

Publicly available information such as exposed credentials, internal documents, or infrastructure details is leveraged by an attacker because no external penetration test with a reconnaissance phase identified the exposure.

Perimeter Defense Bypassed Through Undiscovered Attack Path

Integrity

An attacker discovers an overlooked external entry point such as an old VPN endpoint or forgotten subdomain that perimeter security controls do not cover, because no external penetration test mapped the full attack surface.

Vulnerabilities (When Safeguard Absent)

External Attack Surface Not Tested

Without periodic external penetration testing, internet-facing systems, services, and configurations are not evaluated from an attacker's perspective, leaving exploitable weaknesses in the perimeter undiscovered.

No External Reconnaissance to Identify Information Exposure

Absence of external testing with reconnaissance means publicly exposed enterprise information such as leaked credentials, misconfigured services, and OSINT data is not identified or remediated.
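As a worked illustration of the attack-surface mapping that the scenarios above depend on, the following Python script reconciles a baseline inventory of internet-facing assets against what external reconnaissance actually observed, flagging unknown hosts (the "forgotten subdomain"), decommissioned endpoints that are still live (the "old VPN endpoint"), unexpected ports on known hosts, and inventory entries that were never seen. This is an added example, not part of the CIS Controls or any CIS tooling; the hostnames, ports and sources are constructed sample data, and `Asset`, `Observation` and `reconcile` are hypothetical names.

```python
"""Reconcile a baseline inventory of internet-facing assets against
external reconnaissance results.

Hypothetical example added for illustration; not part of the CIS
Controls or any CIS tooling. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """One entry in the enterprise's baseline inventory of external assets."""
    host: str
    owner: str
    expected_ports: FrozenSet[int]
    decommissioned: bool = False


@dataclass(frozen=True)
class Observation:
    """One service seen from the outside (DNS enumeration, CT logs, port scan)."""
    host: str
    port: int
    source: str


# Constructed baseline inventory (what the enterprise believes is exposed).
BASELINE: List[Asset] = [
    Asset("www.example.com", "web-team", frozenset({443})),
    Asset("vpn.example.com", "netops", frozenset({443})),
    Asset("legacy-vpn.example.com", "netops", frozenset(), decommissioned=True),
    Asset("mail.example.com", "msg-team", frozenset({25, 443})),
]

# Constructed reconnaissance results (what an external tester found).
OBSERVED: List[Observation] = [
    Observation("www.example.com", 443, "portscan"),
    Observation("www.example.com", 8080, "portscan"),
    Observation("vpn.example.com", 443, "portscan"),
    Observation("legacy-vpn.example.com", 443, "portscan"),
    Observation("dev-jenkins.example.com", 8080, "ct-logs"),
    Observation("dev-jenkins.example.com", 22, "portscan"),
]

Finding = Tuple[str, str, List[int]]  # (kind, host, ports)


def reconcile(baseline: List[Asset], observed: List[Observation]) -> List[Finding]:
    """Compare observed exposure with the inventory and return findings.

    Kinds emitted:
      unknown_host              - reachable host absent from the inventory
      decommissioned_still_live - inventory says retired, but it answers
      unexpected_port           - known host exposing a port not in inventory
      not_observed              - active inventory entry never seen externally
    """
    known: Dict[str, Asset] = {a.host: a for a in baseline}
    seen_ports: Dict[str, Set[int]] = {}
    for obs in observed:
        seen_ports.setdefault(obs.host, set()).add(obs.port)

    findings: List[Finding] = []
    for host, ports in sorted(seen_ports.items()):
        asset = known.get(host)
        if asset is None:
            findings.append(("unknown_host", host, sorted(ports)))
        elif asset.decommissioned:
            findings.append(("decommissioned_still_live", host, sorted(ports)))
        else:
            extra = ports - asset.expected_ports
            if extra:
                findings.append(("unexpected_port", host, sorted(extra)))

    # Stale inventory entries: still listed as active but not reachable.
    for host, asset in sorted(known.items()):
        if not asset.decommissioned and host not in seen_ports:
            findings.append(("not_observed", host, []))
    return findings


if __name__ == "__main__":
    for kind, host, ports in reconcile(BASELINE, OBSERVED):
        print(f"{kind:26} {host:28} {ports}")
```

Every `unknown_host` and `decommissioned_still_live` finding is a candidate entry point that perimeter controls were not designed around, and should feed both the remediation queue and an update to the baseline inventory before the next engagement.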

Evidence Requirements

Type     | Evidence Item                                                                 | Collection Frequency
Document | Inventory of internet-facing assets in scope for external testing             | Maintained continuously, reviewed quarterly
Document | Penetration testing procedure documentation (scope, cadence, rules of engagement) | Reviewed annually
Record   | Penetration test report and executive summary                                 | Per engagement
Record   | Remediation tracking and retest validation results                            | Post-engagement
Document | Governing policy document (current, approved, communicated)                   | Reviewed annually