External Pentest

Horizon3.ai® External Pentest is a new & easy way to gain an additional perspective on your environment. Unlike our internal pentests, our external pentest does not need you to set up any hosts or run any curl scripts. Instead, you will discover and authorize assets for external pentesting.

Log Into the Portal

Click here to navigate to our Portal and log in with your credentials.

Run an External Pentest

To run an external pentest you need to Discover your Assets, Authorize Domains you want to pentest and then Run an External Pentest against those authorized domains. This documentation takes you through each step. Alternatively, jump to one of the following steps to pick up where you left off or to get a refresher:

1. Getting Started

On the Pentest page, in the top right, click Run an External Pentest to open the Pentest Configuration.

2. Navigate to External Assets to create an asset group

Before you can run an external pentest, you will need to create an asset group, which is used to scope the external pentest.

3. Click Create Asset Group

On the external asset page, click create asset group in the top right to open the asset group configuration.

4. Configure your asset group

Name the asset group and list your top-level domain(s). Multiple top-level domains can be added to the configuration. Then click Next

Optionally, add your Git and AWS Accounts

To add a Git Account, select + Add Account. To add an AWS Account, type the 12-digit AWS Account ID in the box listed below. Listing these accounts allows us to confirm ownership of these accounts and run deeper enumeration of assets.

Add OSINT Information

In Advanced Configuration you can include company name(s) which will be used for Open Source Intelligence (OSINT) gathering tools and techniques to harvest company information. In Advanced Configuration you can include company name(s) which will be used for Open Source Intelligence (OSINT) gathering tools and techniques to harvest company information. You also have the option to brute force subdomains, which authorizes the system to search for well known subdomains that may not surface through OSINT discovery. We recommend leaving the Brute Force unchecked when creating your first asset group to decrease time required for the asset discovery scan. If time is not an issue, we recommend enabling Brute Force to increase the depth of the scan.

Then click Create Asset Group

You’ve created an asset group! 🎉

5. Run Asset Discovery on your new asset group

Now that you’ve created an asset group, click run asset discovery. NodeZero’s External Asset Discovery is a passive enumeration capability that leverages DNS and Open Source Intelligence (OSINT) gathering capabilities and services to find assets linked to your organization.

6. Asset Discovery is in progress

Once your asset discovery is complete you will receive an email notifying you.


You will have 72 hours after asset discovery completes to authorize and run an external pentest before you will need to rerun the asset discovery scan in case of environmental drift. Rerun asset discovery for an asset group by clicking Run Asset Discovery in the top right of your asset group page.

7. Asset Discovery has completed

Now that asset discovery has completed, navigate to External Assets.

8. Click your new asset group

Click the external assets group that you have created and discovered.

9. Review & add discovered top-level domain(s) to your configuration

During asset discovery, we identify top-level domains that could belong to your company. If you would like to pentest domains within this top-level domain, select the top-level domain(s) that you want to pentest and click Take Action to add them to the external pentest configuration. After doing so, you will need to rerun asset discovery to locate domains with the updated configuration.

10. Review & authorize discovered assets

On the domains tab you should review any sub-domains located during asset discovery and can authorize/deauthorize for the external pentest. After you have reviewed and selected the sub domains that you would like to and are legally authorized to externally pentest, click to Take Action and then Authorize for Pentest.

Assets with Warnings

Some of the discovered assets have warnings because they are hosted on third party infrastructure and therefore you may not be legally allowed to pentest these assets. View the Third Party or IP Address details or screenshots to help determine if you are legally allowed to pentest the subdomain. Here are some reasons why you might see a warning and should ensure that the asset is yours and you are authorized to pentest it.

  • Asset links to services such as Rackspace and Digital Ocean don’t provide their pentesting guidance and NodeZero cannot confirm.
  • Asset links to some unknown third-party service and you need to determine if it’s allowed or not based on your terms and conditions with the third-party service.

If you selected any assets with a warning…

This warning pops up to verify you are aware that you are authorizing assets that may fall outside of your own domain or reside on third party infrastructure . Click Authorize if you are legally allowed to pentest all the assets listed.

11. Git & AWS Accounts

The Git Accounts tab and AWS Accounts tab is also where you can view any accounts you added to the asset group configuration. To add or remove Git or AWS accounts, edit the asset group configuration by clicking the edit (pencil) button in the top right of the asset group.

12. Run an External Pentest

Now that you’ve authorized assets in your asset group you can run an external pentest. Navigate to the Pentests page or click Run External Pentest on a pop-up in the top right corner.

13. Click Run an External Pentest

Click Run an External Pentest to open the Pentest Configuration.

14. Configure your external pentest

Select a template and provide a name for your external pentest. Select the asset group with authorized assets. You may save the template to make use of our quick pentest configuration in the future.

Advanced Configuration

From the advanced configuration window, customize your external pentest and choose which advanced attack methods to run during the pentest. The default template comes recommended from Horizon3.ai®, however you have the ability to decide what to include and exclude based on your environment.

Start your external pentest

Once you have finished your configuration settings you must click the box that acknowledges you have the legal authority to conduct Horizon3.ai®’s external penetration test on the list of assets you’ve provided after selecting the box you will then run your external pentest.

Woo! External Pentest Started! 🎉

Once your external pentest starts, you will be able to see the NodeZero IP address. You will receive an email notifying you when your external pentest is complete. You can view the external pentest report alongside your internal pentest reports.

How can NodeZero help you?

Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company.