







Why should the internal network be tested, and not only the network perimeter?
In contrast to a penetration test that only examines externally accessible systems, a test focusing solely on systems reachable within the company’s internal network assumes that access to the internal network has already been obtained. In many cases, gaining that access does not require exploiting technical vulnerabilities or physically connecting to the network, as real attackers may also conduct social engineering attacks against employees to achieve this goal. Additionally, internal networks often have insufficient precautions in place because they are presumed to be accessible only to trusted individuals. The consequences can be catastrophic if merely penetrating the internal network is enough to bypass all security measures.
Therefore, in most cases, it is advisable to conduct penetration tests on both externally and internally reachable systems within the IT infrastructure. Often, a test that directly considers both perspectives is the most suitable approach.