Network penetration testing.

External and internal network penetration testing built around real attacker tradecraft — Active Directory exploitation, lateral movement, firewall bypass, and PCI-DSS segmentation validation. Every engagement is led by an OSCP-certified operator, never a scanner.


Test your network like a real adversary would.

Network penetration testing simulates the techniques a determined external or internal attacker would use against your infrastructure — not a checklist of CVEs against an asset inventory. We exploit chains, not single findings, and document every step of the attack path.

Whether you need to satisfy an annual PCI-DSS requirement, prepare for a SOC 2 audit, or genuinely understand your blast radius after an assumed breach, our network testing produces evidence — not noise.

Engagement types.

External network penetration test

Simulates an unauthenticated attacker on the public internet. We enumerate your perimeter, identify exposed services, exploit misconfiguration and unpatched CVEs, and document any path that leads from the internet to internal access.

Internal network penetration test

Run from inside your network, via a deployed virtual appliance, VPN access, or a credentialed host. We model an attacker who has phished a low-privileged user and document how far we get.

Assumed-breach assessment

Start with a low-privilege user account or a compromised endpoint and measure how quickly an attacker can reach Domain Admin, crown-jewel data, or your cloud control plane. The most realistic test of your actual detection and response capabilities.

PCI-DSS segmentation testing

Targeted validation of segmentation controls between the Cardholder Data Environment (CDE) and the rest of your network, satisfying PCI-DSS v4.0 requirement 11.4.5.

What we test.

Perimeter & exposure

  • Public IP and subdomain enumeration, including shadow assets
  • Port scanning, service fingerprinting, version detection
  • Exposed admin interfaces, dev environments, leaked credentials
  • VPN, RDP, SSH brute-force resilience and MFA validation
  • Firewall rule analysis and bypass (fragmentation, source spoofing)

Active Directory attacks

  • Kerberoasting and AS-REP roasting
  • NTLM relay via name-resolution poisoning (LLMNR/NBT-NS), IPv6 DNS takeover (mitm6), and authentication coercion (PetitPotam)
  • ACL abuse, Resource-Based Constrained Delegation, ADCS ESC1–ESC8
  • BloodHound attack-path mapping and Domain Admin chains
  • Group Policy abuse, LAPS misconfiguration, GPP cpassword
  • Forest trust attacks and cross-domain compromise

Lateral movement & persistence

  • Pass-the-Hash, Pass-the-Ticket, OverPass-the-Hash
  • WMI, WinRM, PsExec, and DCOM lateral movement
  • Credential extraction from LSASS, SAM, NTDS.dit
  • Living-off-the-land techniques to evade EDR

Unpatched systems & misconfigurations

  • Known CVE exploitation with confirmed PoCs
  • Default credentials on appliances and management interfaces
  • Weak SSL/TLS configurations, expired certificates
  • SMB signing, LDAP signing, channel binding gaps
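The SMB signing gap listed above is what makes the NTLM relay attacks in the Active Directory section work: a host that does not require signing will accept a relayed session. The following is an added example, not tooling from the page or from any of the products it names. It parses a raw SMB2 NEGOTIATE response (the reply a server sends on TCP/445 to a NEGOTIATE request) and reads the SecurityMode bits, which is the same check `nmap --script smb2-security-mode` and NetExec perform. The host names and response bytes are constructed for the example; in a live test the bytes would come from the socket.

```python
"""Parse an SMB2 NEGOTIATE response and flag hosts where SMB signing is not
required (the classic NTLM-relay target list). Sample responses are constructed
here; on a real test they are read from TCP/445 after sending NEGOTIATE."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64                      # fixed SMB2 header size (MS-SMB2 2.2.1)
SMB2_NEGOTIATE = 0x0000                   # Command value for NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every server-to-client message

# SecurityMode bits in the NEGOTIATE response (MS-SMB2 2.2.4)
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002

DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

HEADER_FMT = "<4sHHIHHIIQIIQ"              # 48 bytes, followed by a 16-byte Signature
NEGOTIATE_BODY_FMT = "<HHHH16sIIIIQQHHI"   # 64 fixed bytes, followed by Buffer


def parse_smb2_negotiate_response(data: bytes) -> dict:
    """Return dialect and signing posture from a raw SMB2 NEGOTIATE response."""
    if len(data) < SMB2_HEADER_LEN + struct.calcsize(NEGOTIATE_BODY_FMT):
        raise ValueError("response too short for an SMB2 NEGOTIATE response")
    (magic, hdr_size, _credit_charge, status, command, _credits, flags,
     _next, _msg_id, _reserved, _tree_id, _session_id) = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != SMB2_MAGIC or hdr_size != SMB2_HEADER_LEN:
        raise ValueError("not an SMB2 message (SMB1-only servers answer with \\xffSMB)")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    if status != 0:
        raise ValueError(f"NEGOTIATE failed, NTSTATUS 0x{status:08x}")
    (body_size, security_mode, dialect, _ctx_count, server_guid,
     *_rest) = struct.unpack_from(NEGOTIATE_BODY_FMT, data, SMB2_HEADER_LEN)
    if body_size != 65:
        raise ValueError(f"unexpected NEGOTIATE StructureSize {body_size}")
    return {
        "dialect": dialect,
        "dialect_name": DIALECT_NAMES.get(dialect, f"unknown 0x{dialect:04x}"),
        "server_guid": server_guid.hex(),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def assess_signing(parsed: dict) -> str:
    """Classify signing posture the way a relay attacker would."""
    if parsed["signing_required"]:
        return "OK"             # attacker cannot sign a relayed session
    if parsed["signing_enabled"]:
        return "NOT_REQUIRED"   # Windows default for non-DC hosts; relayable
    return "DISABLED"           # out of spec for SMB2, still relayable


def relay_targets(responses: dict) -> list:
    """Hosts whose NEGOTIATE response shows signing is not enforced."""
    return sorted(host for host, raw in responses.items()
                  if assess_signing(parse_smb2_negotiate_response(raw)) != "OK")


def build_smb2_negotiate_response(security_mode: int, dialect: int = 0x0311,
                                  server_guid: bytes = bytes(16)) -> bytes:
    """Construct a minimal, well-formed server NEGOTIATE response for testing.
    Fields other than SecurityMode and DialectRevision are plausible placeholders."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, SMB2_HEADER_LEN, 1, 0,
                         SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                         0, 0, 0, 0, 0) + bytes(16)          # zeroed Signature
    sec_blob = b"\x60\x00"   # stand-in for the SPNEGO token real servers return
    body = struct.pack(NEGOTIATE_BODY_FMT, 65, security_mode, dialect, 0, server_guid,
                       0x0000002F, 8 << 20, 8 << 20, 8 << 20, 0, 0,
                       SMB2_HEADER_LEN + struct.calcsize(NEGOTIATE_BODY_FMT),
                       len(sec_blob), 0)
    return header + body + sec_blob


# Constructed sample sweep (hypothetical host names): a domain controller with
# signing required, and two member servers left at Windows defaults.
SAMPLE_RESPONSES = {
    "dc01": build_smb2_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "ws042": build_smb2_negotiate_response(SIGNING_ENABLED),
    "fs01": build_smb2_negotiate_response(SIGNING_ENABLED, dialect=0x0302),
}

if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        info = parse_smb2_negotiate_response(raw)
        print(f"{host:6} {info['dialect_name']:10} "
              f"signing_required={info['signing_required']} -> {assess_signing(info)}")
    print("relay targets:", relay_targets(SAMPLE_RESPONSES))
```

Domain controllers require signing by default, which is why the relay target list on a typical engagement is made up of workstations and member servers; the fix is the "Microsoft network server: Digitally sign communications (always)" policy, and a retest simply feeds the new NEGOTIATE responses back through the same check.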

Our methodology.

Network testing follows a phased approach informed by PTES, NIST SP 800-115, and the MITRE ATT&CK framework:

  1. Scoping & rules of engagement. Define IP ranges, time windows, escalation contacts, and any out-of-scope systems. Letter of Authorization signed before testing.
  2. Reconnaissance. Passive OSINT, active enumeration, asset discovery, service fingerprinting. We map what’s actually exposed — including shadow IT.
  3. Vulnerability identification. Targeted scanning to inform manual testing, never as a substitute. False positives are filtered out before exploitation begins.
  4. Exploitation. Manual exploitation of identified weaknesses. Every successful attack is documented with commands, screenshots, and host evidence.
  5. Post-exploitation. Credential harvesting, lateral movement, persistence, privilege escalation — mapped against MITRE ATT&CK techniques.
  6. Reporting & retest. Executive summary, attack path diagrams, prioritized remediation roadmap, and a free retest within 30 days.

Tools & tradecraft.

Nmap, BloodHound, Impacket, CrackMapExec, NetExec, Responder, Mimikatz, Rubeus, Certify, SharpHound, Metasploit, Cobalt Strike, Sliver, and custom payloads.

For PCI-DSS segmentation tests we also use targeted scripts to validate every documented control. Cobalt Strike is used only for red team engagements, never on standard network tests.

Compliance alignment.

  • PCI-DSS v4.0 requirement 11.4.2 (internal pen test), 11.4.3 (external), 11.4.5 (segmentation)
  • ISO/IEC 27001:2022 Annex A 8.8
  • SOC 2 Type II CC7.1 (vulnerability and configuration-change detection) and CC7.2 (anomaly monitoring)
  • HIPAA Security Rule § 164.308(a)(8) periodic technical evaluation
  • UK Cyber Essentials Plus external testing component
  • NIS2 directive technical and organizational measures (TOMs)
  • FedRAMP moderate baseline penetration testing

What you receive.

  • Executive summary — risk posture and headline findings for the board
  • Full technical report — every finding with reproduction steps, CVSS v3.1 scoring, MITRE ATT&CK mapping
  • Attack path diagrams — visual walkthrough of how an attacker reached crown-jewel systems
  • BloodHound graph export for ongoing AD hardening
  • Asset inventory delta — what we found that wasn’t in your CMDB
  • Prioritized remediation roadmap with effort estimates
  • Free retest within 30 days — verify fixes, issue clean attestation

Frequently asked questions.

What is the difference between external and internal network penetration testing?

External testing simulates an unauthenticated attacker on the public internet probing your perimeter. Internal testing simulates an attacker who has gained a foothold inside your corporate network — focusing on lateral movement, privilege escalation, and reaching sensitive systems.

How long does network penetration testing take?

A typical external network pen test runs 3–5 days. Internal tests usually run 5–7 days depending on the size of the Active Directory environment and number of subnets in scope. Larger enterprise networks take 7–10 days.

Do you test our Active Directory environment?

Yes. Active Directory testing is a core part of every internal pen test: Kerberoasting, AS-REP roasting, ACL abuse, DCSync, golden ticket forgery (and whether your monitoring catches it), LAPS misconfiguration, and trust relationship attacks across forests.

Can you validate PCI-DSS network segmentation?

Yes. PCI-DSS requirement 11.4.5 mandates segmentation validation at least once every 12 months and after any change to segmentation controls (every six months for service providers, under 11.4.6). We test every CDE boundary control and document any traversal paths discovered, with evidence ready for your QSA.

Will the test impact production systems?

We use non-disruptive techniques by default and agree any potentially disruptive testing (denial-of-service, mass exploitation, brute-force at scale) with you in advance. A designated point of contact is on standby for the duration of every engagement.

Schedule your next test

Book a network scoping call.

Free 30-minute call to scope the engagement. Tailored proposal within 24 hours. NDA and Letter of Authorization available on request.