PSA · External
Perimeter Security Assessment & Penetration Testing
Find the weaknesses in your perimeter before hackers do. External vulnerability assessment, manual validation, and benign exploitation of internet-facing networks, systems, sites, and applications — with actionable remediation.
The hacker's perspective
The PSA is the engagement that auditors, regulators, and customers ask about by name. It tests what an external attacker — with no credentials and no insider help — can actually do to your perimeter. It's required for PCI-DSS, expected under HIPAA, OCIE, NERC CIP, and SOC 2, and routinely demanded by enterprise procurement before signing a contract.
Illumant's PSA goes well beyond running a scanner and reformatting the output. We combine modern tooling with manual exploitation by senior testers who maintain active research practices — including published zero-day discoveries against major vendors. The deliverable is what you'd want if your CEO asked the question themselves.
Methodology
Reconnaissance
Domain, subdomain, ASN, and shadow-IT discovery. Public document and metadata analysis. Credential exposure review against breach corpora. We build the same picture an attacker would.
Enumeration & scanning
Service, version, and technology enumeration across all in-scope perimeter assets using best-of-breed open-source and commercial tools — never just one scanner.
Manual validation
Every machine-flagged finding is validated by hand. False positives are eliminated before they reach your report; false negatives are the reason this step exists.
Exploitation
Benign exploitation of validated vulnerabilities — including custom-built exploits where appropriate — to determine real-world severity and chained impact, not just CVSS.
Reporting
Executive summary, technical detail, prioritized remediation, benchmark vs. industry, and a working call to walk your team through findings.
Free retest
Within six months of the initial engagement we retest closed findings at no additional charge.
Highlights
- Manual penetration testing using custom-built and known exploits
- Continuous research participation — BlackHat, DEFCON, SANS, hacker forums
- Manual testing identifies vulnerabilities scanners miss
- Overt or covert engagement options
- Industry-leading open-source and commercial discovery tools
- Manual validation eliminates false positives
- Severity classification and prioritized remediation
- Benchmark analysis vs. industry peers
- Free retesting within six months
Typical targets
- Public websites (marketing & corporate)
- Web applications (non-credentialed surface)
- APIs and webhooks exposed to the internet
- Internet-facing systems and services
- Network protocols (DNS, SMTP, FTP, SSH, RDP, VPN gateways)
- Email infrastructure (SPF, DKIM, DMARC, BEC exposure)
- DNS infrastructure and subdomain takeover surface
- VPN concentrators, MFT, and remote-access portals
Why it matters
Zero-day discovery
Illumant has published zero-days against major vendors — we're not a CVE-checklist shop.
Real exploitation
We chain low-severity findings into high-impact paths. Auditors do not.
Clean signal
Manual validation means the report you hand to leadership has no noise — every finding is real.
Pairs well with
External coverage you should consider alongside.
BVEA
Blind Visibility and Exposure Analysis
See what attackers see — without giving them anything.
DDOS
Distributed Denial of Service Assessment
Understand how your services hold up under volumetric attack.
WASA
Web Application Security Assessment
OWASP-aligned testing of the apps your business runs on.
BBPen
Advanced Black Box Penetration Testing
Care for a game of capture-the-flag?
SocEng
Social Engineering
Test employee awareness of cyber-security threats.
Ready to start a conversation?
Talk to a senior consultant — we'll scope an engagement that fits your environment.