IT Infrastructure Resilience Testing

Infrastructure penetration testing is a key method for identifying technical and configuration vulnerabilities in network, server, and virtualization environments. It helps organizations verify the resilience of their systems against both external and internal attacks and ensure that implemented security measures work effectively in practice.



Benefits of Infrastructure Penetration Testing

  • Identification of vulnerabilities in network architecture, servers, firewalls, and other components.

  • Verification of the effectiveness of segmentation, access policies, and detection mechanisms.

  • Prevention of successful exploitation that could lead to privilege escalation or network compromise.

  • Support in meeting regulatory requirements (DORA, NIS2, ISO/IEC 27001).

  • An objective overview of the technical resilience of the environment, including third-party components.



Key Objectives of Infrastructure Penetration Testing

  • Assess network security boundaries (external IP addresses, DMZ, VPN, publicly exposed services).

  • Test resilience against lateral movement within the internal network.

  • Identify configuration errors, outdated systems, and unpatched services.

  • Attempt access to target systems using both authenticated and unauthenticated methods.

  • Evaluate the detection and response capabilities of security tools.


Typical Attacks and Differences Between Attack Vectors

Attack or Vulnerability Name     | Vector            | Category                | Description
---------------------------------|-------------------|-------------------------|--------------------------------------------------------------------------
SMB Relay / LLMNR poisoning      | Internal network  | Lateral movement        | Exploitation of insufficient security in Windows environments.
Brute force on VPN / MFA bypass  | Perimeter         | Access weaknesses       | Gaining network access through insufficiently secured authentication.
Privilege escalation             | Server / OS       | Local attack            | Obtaining administrative privileges due to an operating system vulnerability.
Misconfigured firewall rules     | Network layer     | Configuration error     | Unintended open access to ports or services within the internal environment.
Outdated server software         | Application layer | Technical vulnerability | Systems without updates vulnerable to known CVEs.


What Requirements Does DORA Set for Infrastructure Penetration Testing?

The DORA regulation considers infrastructure security testing part of the mandatory “basic testing” (the lower of the two testing levels) and expects:

  • Regular penetration testing, at least once per year or after significant infrastructure changes.

  • Focus on systems supporting critical or important business functions.

  • Documentation of vulnerabilities, proposals for remediation measures, and verification of their implementation.

  • Testing of environments operated by third parties if they are part of the ICT ecosystem.



What Are the Requirements for Testing Teams?

  • Advanced knowledge of network protocols, server platform administration, and infrastructure segmentation.

  • Ability to conduct sniffing attacks, privilege escalation, and targeted detection testing.

  • DORA does not prescribe specific certifications, but requires appropriate team expertise.

  • Experience with testing hybrid environments (on-premises, cloud, virtualization, containerization).

  • Independence of the testing team from development teams, IT operations, and infrastructure vendors.

  • Comprehensive documentation of the test, including relevant forensic outputs and a report meeting regulatory and audit requirements.




Why Work with BDO?

BDO provides infrastructure penetration testing as part of a comprehensive security strategy. We help organizations identify and remediate technical weaknesses before they can be exploited by real attackers. Our approach combines manual testing, automated tools, and knowledge of real-world attack techniques.

  • Technical expertise and experience
    Our team has extensive experience testing infrastructure in banking, telecommunications, industry, and the public sector. We conduct external, internal, and hybrid penetration tests, including simulations of attacks on servers, networks, devices, and third-party infrastructure.
  • Knowledge of the regulatory framework
    BDO understands the requirements of DORA, NIS2, and related cybersecurity frameworks. We help integrate testing outputs into ICT risk management and continuous resilience improvement. The results of our tests can be effectively used during audits, inspections, and security reporting to management.
  • Independence and credibility
    As an independent consulting firm, we have no technological or operational ties to the client's operations. We provide objective and trustworthy results that respect technical, business, and regulatory requirements. Clients perceive us as a long-term security partner rather than just a service provider.


Certified team with expert experience
Our specialists hold certifications such as OSCP, CRTP, CEH, CCISO, CISSP, CompTIA PenTest+, BSCP, CREST CPSA, MTCNA, and CCNA, confirming their capabilities in technical testing, network reconnaissance, and advanced exploitation techniques.

Main contacts

Martin Hořický, Manager • CISO
Marek Kovalčík, Partner