Beyond the Firewall: Why Real Pen Testing Must Cover the Whole Business
By Andrew Johnston | 19 April 2026
Summary
Most penetration tests focus on firewalls and systems—but attackers don’t. They look for the easiest way in, whether that’s a forgotten network device, an unlocked door, or a convincing phishing email.
A truly effective Pen Test goes beyond IT, examining the full organisation across information, physical, governance, and personnel security. Because real risk rarely sits in just one place.
This article explores why effective Pen Testing must span information, physical, governance, and personnel security—and how gaps between them create real risk.

When most organisations think about Penetration (PEN) testing, they think about someone trying to break into their network. Scanning ports. Probing firewalls. Exploiting unpatched software. And yes, that is absolutely part of it. But if that is all your PEN testing covers, you are leaving some very significant doors wide open.
A truly comprehensive PEN test looks at the whole business, not just the technology stack. That means examining four interconnected security domains:
- Information Security (InfoSec)
- Governance Security (GovSec)
- Physical Security (PhySec)
- Personnel Security (PerSec)
New Zealand’s two primary security frameworks, the Protective Security Requirements (PSR) and the New Zealand Information Security Manual (NZISM), both recognise these requirements. The PSR explicitly organises protective security across governance, personnel, and physical security alongside information security, and the NZISM provides the technical controls baseline that sits underneath all of it. Together, they make a clear case that security is not just an IT problem; it is an organisational one.
The most sophisticated cyber-attack in the world can be rendered irrelevant if an attacker can simply walk through the front door, tail someone into a restricted area, or convince a staff member to hand over their credentials.
Here is what each domain looks like in practice — and why overlooking any one of them creates real risk.
Information Security - The Obvious One
Network, application, and system testing is the most familiar territory. Black box, grey box, white box. Red team, blue team, purple team. Testing for vulnerabilities in firewalls, web applications, endpoints, cloud configurations, and Active Directory is essential work and should absolutely form the foundation of any PEN testing programme.
The NZISM provides the detailed controls baseline against which New Zealand government agencies, and increasingly private sector organisations, are expected to operate. It covers everything from network architecture and cryptography through to patch management and access control. A well-scoped InfoSec PEN test should be validating whether those controls are working, not just whether they are documented.
But even here, scope matters. Too often, a statement of work is written narrowly, covering only what is “in scope” on the asset register, while significant attack surface is quietly excluded. Legacy systems running Windows 7, end-of-life Windows 10 builds, or older server releases are a common example. These devices cannot always be patched or hardened to the same standard as the rest of the environment, yet they often remain connected to the network because they support applications with no defined upgrade path. If they are not in scope for the PEN test, the risk is invisible until it is not.
Consumer-grade switches and Wi-Fi access points are another blind spot. Installed originally for a video conferencing setup or a temporary IT project, they frequently outlive their original purpose and end up providing permanent and unsecured network access. These devices rarely support the hardened, zero-trust configuration of enterprise infrastructure, and they often get forgotten entirely.
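The scoping gap described above can be checked mechanically before an engagement starts: reconcile the asset register that drives the statement of work against what a discovery sweep actually finds on the network. The script below is an added illustration, not code from the article or from Liverton Security. The asset register, sweep results and consumer-vendor list are constructed; the end-of-support dates are Microsoft's published lifecycle dates for the named products (excluding paid extended security updates) and should be re-checked against current lifecycle data before use.

```python
"""Reconcile pen-test scope against the live network.

Flags three kinds of gap the article describes:
  * hosts seen on the wire that are not on the asset register at all
    (for example a consumer-grade access point left over from a project),
  * registered hosts whose operating system is out of vendor support,
  * registered hosts that are live but were excluded from the test scope.
All input data below is constructed for illustration.
"""
from datetime import date

# Vendor end-of-support dates (end of extended support, without paid ESU).
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
}

# Vendors whose equipment is typically consumer-grade (constructed list).
CONSUMER_VENDORS = {"TP-Link", "Netgear", "D-Link", "Linksys"}

# Date the reconciliation is run (constructed; matches the article's date).
ASSESSMENT_DATE = date(2026, 4, 19)

# Constructed asset register: what the statement of work covers.
ASSET_REGISTER = [
    {"host": "fs01", "ip": "10.0.10.5", "os": "Windows Server 2019", "in_scope": True},
    # Excluded by the SoW as "legacy", but still on the network.
    {"host": "lab-ctrl", "ip": "10.0.50.20", "os": "Windows 7", "in_scope": False},
    {"host": "kiosk02", "ip": "10.0.10.77", "os": "Windows 10", "in_scope": True},
]

# Constructed discovery sweep: MAC vendor and open ports seen from the LAN.
DISCOVERED = [
    {"ip": "10.0.10.5", "vendor": "Dell", "ports": [445, 3389]},
    {"ip": "10.0.50.20", "vendor": "HP", "ports": [445, 3389]},
    {"ip": "10.0.10.77", "vendor": "Dell", "ports": [445]},
    {"ip": "10.0.10.250", "vendor": "TP-Link", "ports": [80, 23]},  # not registered
]


def reconcile_scope(register, discovered, today):
    """Return one finding dict per scope gap found in the sweep results."""
    by_ip = {asset["ip"]: asset for asset in register}
    findings = []
    for device in discovered:
        asset = by_ip.get(device["ip"])
        if asset is None:
            kind = ("consumer-grade device" if device["vendor"] in CONSUMER_VENDORS
                    else "unregistered host")
            findings.append({"ip": device["ip"],
                             "issue": f"{kind} not on asset register",
                             "ports": device["ports"]})
            continue
        end = END_OF_SUPPORT.get(asset["os"])
        if end is not None and end <= today:
            findings.append({"ip": device["ip"], "host": asset["host"],
                             "issue": f"{asset['os']} out of support since {end.isoformat()}",
                             "in_scope": asset["in_scope"]})
        if not asset["in_scope"]:
            findings.append({"ip": device["ip"], "host": asset["host"],
                             "issue": "live on the network but excluded from test scope"})
    return findings


def affected_ips(findings):
    """Distinct IPs that need a scoping conversation before testing begins."""
    return {f["ip"] for f in findings}


if __name__ == "__main__":
    for finding in reconcile_scope(ASSET_REGISTER, DISCOVERED, ASSESSMENT_DATE):
        print(finding)
```

Run against the constructed data, the report lists the excluded Windows 7 controller twice (out of support, and live but out of scope), the in-scope end-of-life Windows 10 kiosk once, and the unregistered TP-Link device once; the supported, in-scope file server produces nothing.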
Physical Security - The Door That Gets Left Open
Physical security testing is one of the most underutilised elements of a PEN test, and one of the most revealing. Once an attacker has physical access to your environment, many of your technical controls become much easier to circumvent.
The PSR’s physical security stream, PHYSEC, sets out requirements for protecting people, information, and assets from physical threats. It covers facility security zones, access control, and the protection of ICT equipment. PEN testing in this domain validates whether those requirements are being met in practice, not just on paper.
Physical PEN testing examines whether an attacker can gain unauthorised access to your facilities, your equipment, or your cabling infrastructure. It looks at whether sensitive areas are properly secured, whether access controls are functioning as intended, and whether equipment is installed in appropriate locations.
That last point is worth dwelling on. During site assessments, we regularly discover network equipment installed in building dry risers, old utility rooms, disused toilets, and other spaces that were never designed to house IT infrastructure. In almost every case, the reason is the same: space constraints led someone to find a creative solution, and neither security nor health and safety was part of the decision. The result is equipment that is physically accessible to almost anyone, in locations that may also carry fire risk, water risk, or other hazards. A single Ethernet connection in the wrong place can provide direct access to a network segment that a firewall would otherwise never permit, and it sits entirely outside the scope of a standard NZISM-aligned technical review.
Physical testing should also consider tailgating and social engineering entry: whether an attacker could follow an employee through a secure door, or whether reception staff would challenge an unfamiliar face in a restricted area.
Governance Security - The Policy Gap
Governance security testing examines whether the organisation’s policies, processes, and controls reflect reality and whether staff understand and follow them.
The PSR’s governance security stream, GOVSEC, provides the overarching framework for how organisations should manage protective security. It requires organisations to have a clear security policy, defined roles and responsibilities, and a structured approach to identifying and treating security risk. GovSec PEN testing probes whether that structure is genuinely embedded or whether it exists only as a compliance artefact.
This is not an audit in the traditional sense. GovSec testing looks at the gap between what is written down and what happens.
- Are access reviews conducted as the policy requires?
- Are joiners, movers, and leavers processed in a way that prevents orphaned accounts?
- Are third-party vendors held to the same security standards as internal staff?
- Is there a clear and tested incident response process, or does it exist only as a document that no one has read?
Governance failures are often the root cause of breaches that appear, on the surface, to be technical failures. An attacker who exploits a former employee’s account that was never deprovisioned has not broken through a firewall; they have walked through a process gap.
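The joiners-movers-leavers gap above is one of the few governance controls that can be tested with data rather than interviews: join the HR leaver list against a directory export and look for accounts that should have been disabled. The script below is an added example, not code from the article or from Liverton Security. The HR records, directory export and one-day deprovisioning grace period are all constructed; in a real review the directory side would come from an Active Directory or IdP export and the HR side from the HRIS.

```python
"""Detect orphaned and overdue-leaver accounts from HR and directory data.

Findings:
  * enabled account whose HR record says the person left more than
    GRACE_DAYS ago (the leaver process did not run),
  * any logon recorded after the leave date (the gap was actually used),
  * enabled account with no HR owner at all (orphaned, often a service
    account nobody is accountable for).
All data below is constructed for illustration.
"""
from datetime import date

GRACE_DAYS = 1                       # constructed policy: disable by the next day
REVIEW_DATE = date(2026, 4, 19)      # constructed review date

# Constructed HR feed keyed by account name.
HR_RECORDS = {
    "jsmith": {"status": "active", "left": None},
    "mlee":   {"status": "left", "left": date(2026, 1, 15)},
    "tpatel": {"status": "left", "left": date(2026, 4, 18)},   # left yesterday
}

# Constructed directory export (account name, enabled flag, last logon).
DIRECTORY_ACCOUNTS = [
    {"sam": "jsmith",     "enabled": True,  "last_logon": date(2026, 4, 18)},
    {"sam": "mlee",       "enabled": True,  "last_logon": date(2026, 3, 2)},   # used after leaving
    {"sam": "tpatel",     "enabled": True,  "last_logon": date(2026, 4, 17)},  # within grace
    {"sam": "svc-backup", "enabled": True,  "last_logon": date(2024, 11, 1)},  # no HR owner
    {"sam": "rchen",      "enabled": False, "last_logon": date(2025, 6, 1)},   # disabled, ignore
]


def review_accounts(hr, accounts, review_date, grace_days=GRACE_DAYS):
    """Return one finding per problematic account, with reasons and severity."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                                   # disabled accounts are not exposure here
        record = hr.get(acct["sam"])
        reasons = []
        severity = "medium"
        if record is None:
            reasons.append("enabled account with no HR owner")
        elif record["status"] == "left":
            days_since = (review_date - record["left"]).days
            if days_since > grace_days:
                reasons.append(f"still enabled {days_since} days after leaving")
            if acct["last_logon"] > record["left"]:
                reasons.append(f"logged on {acct['last_logon'].isoformat()}, after leave date")
                severity = "high"                      # the gap was exercised, not just open
        if reasons:
            findings.append({"sam": acct["sam"], "severity": severity, "reasons": reasons})
    return findings


def overdue_leavers(findings):
    """Accounts the leaver process missed, for the deprovisioning ticket."""
    return sorted(f["sam"] for f in findings
                  if any(r.startswith("still enabled") for r in f["reasons"]))


if __name__ == "__main__":
    for finding in review_accounts(HR_RECORDS, DIRECTORY_ACCOUNTS, REVIEW_DATE):
        print(finding)
```

On the constructed data the review surfaces two accounts: the January leaver who is still enabled and whose account was used in March (rated high), and the service account with no HR owner. Yesterday's leaver is inside the grace period and is not reported, which is exactly the kind of threshold an assessor should confirm against the written policy.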
Personnel Security - The Human Factor
Personnel security testing is perhaps the most sensitive domain, but it is also one of the most important. People are consistently the most exploited vector in modern attacks, not because staff are careless, but because social engineering is sophisticated, persistent, and highly targeted.
The PSR’s personnel security stream, PERSEC, sets out requirements for screening, ongoing management, and separation of staff with access to sensitive information and assets. It recognises that insider risk, whether malicious or inadvertent, is a genuine and significant threat. PEN testing in this domain validates whether the controls intended to manage that risk are working.
PERSEC testing typically includes phishing simulations, vishing (voice phishing), and physical social engineering. It examines whether staff can recognise and report suspicious contacts, whether they would share sensitive information in response to a convincing pretext, and whether the organisation has the training and culture to make security awareness stick. It also covers pre-employment screening and whether there are processes in place to identify and respond to changes in personnel risk over time.
Bringing It Together

Both the PSR and the NZISM are built on the recognition that security is not a single-domain problem. The PSR explicitly structures protective security across governance, personnel, physical, and information security because those domains are interdependent: a weakness in one creates exposure in the others. The NZISM provides the technical depth, but it was never designed to stand alone.
The most hardened firewall in the world will not protect you from an attacker who can plug a device into an unsecured switch in a building dry riser. The most rigorous InfoSec programme will not catch a governance process that leaves former employees’ accounts active for months. And no technical control fully compensates for a staff member who has not been equipped to recognise a social engineering attempt.
A comprehensive PEN testing programme looks at all four domains together, because that is how attackers think. They will probe every domain to find the weakest link, and they will exploit whatever they find.
If your last PEN test only covered the network, it is worth asking: what did it not cover?
About Liverton Security
At Liverton Security, we work with New Zealand and international organisations to address security risk across the full spectrum, from technology to governance to culture.
Our product suite addresses the threat vectors most commonly exploited in contemporary attacks:
- SmartGate enforces email controls at the gateway
- MailAdvisor protects against phishing, business email compromise, and malicious attachments
- WebAdvisor AI identifies AI-related risks and supports your organisation's AI adoption
- SHIFT For Outlook ensures sensitive files move safely and securely between parties
Our consulting team delivers:
- Pen testing engagements aligned to OWASP, MITRE ATT&CK, PTES, and NZISM requirements
- Security maturity assessments benchmarked against ISO/IEC 27001, NIST CSF, and the PSR
- Technical debt and vulnerability exposure reviews identifying your organisation's real attack surface
- Strategic security roadmaps that translate assessment findings into prioritised, budget-aligned remediation plans
The first step is often the most important one: understanding where you actually stand before making decisions about where to invest. Our maturity assessment process is designed to provide exactly that clarity, without the noise of vendor-driven tool recommendations or compliance theatre.
If what you have read here resonates, we welcome you to have a conversation with our team.
We can keep you cyber safe
To explore solutions and discuss your cybersecurity needs, talk to our team at Liverton Security.