
Start an External Pentest

1. Navigate to Pentests to Run an External Pentest

Once an Asset Group contains the assets authorized for pentesting, you may navigate to the Pentests page to start an external pentest.

The Pentests link is in the top-level navigation of the UI.

2. Click + Run a Pentest

Click + Run a Pentest to open the Pentest Configuration, select Infrastructure Attack Surface, then click External Pentest.

The Run a Pentest button is next to the Create Schedule button.

Select a Test Category screen - Infrastructure Attack Surface link.

Run an Infrastructure Attack Surface Test Screen - External Pentest link.

3. Configure the External Pentest

3.1 Set a Scope for the External Pentest

Name the External Pentest, select a pentest template, and select an Asset Group with authorized assets.

Select Getting the IP before starting pentest if the IP needs to be whitelisted before running the test.

Because this is an external pentest, an IP from outside the perimeter network will be used to attack the network. Some users will need to whitelist this IP prior to starting the test to simulate a breach. NodeZero emails the IP to the user who kicks off the test, and that user then needs to add this IP to their Allowlist. After adding the IP, resume the test from the Real-Time View.

External Pentest form - name section: Pentest Template, Name, and Asset Group fields. Get IP switch.

3.2 Advanced Configuration Options

Select the types of services and vulnerabilities NodeZero will attempt to enumerate and exploit. Expand each category to see the options within that category. When you're done, scroll to the next section.

Attack section: expandable categories with checkbox options.

3.3 Additional Pentest Options

Optionally, set a minimum or maximum amount of time, either to give some attacks more time or to limit their overall run time.

Duration section: minimum duration and maximum duration switches.

3.4 Review the External Pentest Configuration

Once satisfied with your pentest selections, scroll to the bottom of the page and check the box to indicate you represent and have the legal authority to conduct Horizon3.ai's External Penetration Testing on the list of authorized assets. Then click Run Pentest.

The required checkbox is above the Run Pentest button.

Getting NodeZero IP

Asset detail status - Add NodeZero IP and Start Asset Discovery button.

Running the External Pentest

Asset detail status - Preparing Pentest with Findings and Credentials sections to the right.

NodeZero can also run pentests from an authenticated perspective. Go to the Real-Time View and Inject Credentials to see the impact an attacker would have by leveraging compromised credentials!

You've started an External Pentest

NodeZero sends an email once the External Pentest completes.