A firewall sitting at the edge of your network feels reassuring. There’s a box, it’s got rules configured, and someone set it up at some point with good intentions and a reasonable amount of care. The trouble is that a firewall with the wrong rules doesn’t just fail to protect you, it actively convinces you that you’re safe when you’re not, which is arguably worse than having no firewall there at all, because at least then nobody would be operating under a false sense of security.
Confidence Without Verification Is a Dangerous Combination
Most businesses install a firewall once, configure it around whatever they needed at the time, and rarely revisit it unless something visibly breaks or an audit forces the question. Rules get added for a new supplier, a remote worker, or a piece of software that needed a specific port opened temporarily for a project that finished long ago. Years pass. Nobody removes the rules that are no longer needed, and nobody checks whether the ones still active are doing what everyone assumes they’re doing, quietly trusting a configuration that hasn’t been questioned since it was first written down. Reviewing a ruleset properly takes real effort, and effort is exactly the thing that gets deprioritised when the business is busy with everything else.
A proper external network pen testing specifically probes these accumulated rules from the outside, checking whether ports that should be closed are quietly still open to the wider internet, exactly as an opportunistic attacker scanning at random would find them.

The Rule That Was Only Meant to Be Temporary
The classic case involves a rule opened for a contractor, a supplier integration, or a one-off remote access need, which was never closed afterwards once the immediate need had passed. Sometimes it’s a rule that was too broad from day one, allowing an entire range of addresses through instead of the one specific address that actually needed access at the time. On paper, the firewall is doing its job, ticking the compliance box nobody looks at twice. In practice, it’s got a hole in it that’s been there for years, waiting patiently to be found by whoever happens to look. Even well-intentioned IT teams struggle to keep a growing ruleset tidy without a dedicated process for retiring what’s no longer needed.
William Fieldhouse has seen this exact scenario play out with alarming regularity across very different businesses.
“One client had a rule left wide open from a system migration two years earlier, and when we asked about it nobody in the building could tell us why it existed or who had approved it in the first place, which told us everything we needed to know.”
— William Fieldhouse, Director of Aardwolf Security Ltd
That’s the real danger of firewall drift, not that the technology fails, but that nobody owns the ongoing decision-making around it once the initial setup is done. Rules accumulate the way clutter does in an office nobody tidies, each addition reasonable in isolation. Each one seemed reasonable at the time it was added. Nobody ever goes back and asks whether it’s still reasonable now, months or years later, with a different team and a different set of business needs.
Don’t Let Assumptions Guard Your Perimeter
If it’s been more than a year since anyone independently checked your firewall configuration, requesting a penetration testing quote is a sensible next step before an old, forgotten rule becomes somebody else’s opportunity to walk straight in through a door you didn’t know was open.




