It's narrower in scope than a full internal test. But...external test...done from the perspective of the attacker that doesn't have much knowledge of your internal system, nor existing access to it (else..the attacker would be launching from the inside).
Scan of all public IPs of your network(s).
Scan of all ports that are open/forwarded...and full fingerprinting of what is listening...and then full auditing of what is listening, and...then simulated attacks on it, spraying, bruteforce, various exploit tools, see what patching it still needs, or if any locking down of services has been done. And see what can be found/discovered...by various attacks.
And...a more thorough one will include a full phishing simulation against all staff (because..that is also external..email)...see which staff "click on links".
Staff on social media...info shared.
Staff's email addresses....pwned list...compare those passwords against current internal ones.
Staff have company data on BYOD phones? Those get included.
Mobile laptop fleet? That too!
Remote access?
On prem mail server?
VPNs?
RDG (remote desktop gateway)?
ANYthing sticking out of the firewall?
ANY cloud services? M365? Google Workplace? SaaS hosted programs? Those get included too!
Credentials, security of passwords, MFA..MFA methods, etc.
Offsite backup?
Basically....ANYthing company related that steps outside of the main office.
A very in depth look.....
A list of vulnerabilities/weaknesses found...any data found....
A list of..."You need to improve THIS, THAT, and THE OTHER."
And...you come up with a POAM (plan of action and milestones)