Internal Network Penetration Testing
Identify critical security vulnerabilities in your internal infrastructure to prevent lateral movement and privilege escalation by attackers.
Internal Infrastructure Testing
Identify and mitigate insider threats
- Network segregation and segmentation testing
- Active Directory security assessment
- Privilege escalation and lateral movement testing
- Detailed remediation guidance and validation
Defend Against Insider Threats
Internal network penetration testing identifies vulnerabilities that could be exploited by malicious insiders or attackers who have gained internal access.
Lateral Movement Prevention
Test network segmentation and controls designed to prevent attackers from moving through your network after initial compromise.
Privilege Escalation Testing
Identify misconfigurations and vulnerabilities that could allow an attacker to escalate from standard user privileges to administrator or domain admin.
Active Directory Assessment
Comprehensive evaluation of Active Directory security, including dangerous delegation settings, excessive permissions, and trust relationship vulnerabilities.
Why Choose Our Internal Network Penetration Testing?
Our internal network penetration testing goes beyond basic vulnerability scanning to simulate real-world attack scenarios.
Realistic Attack Simulation
We test with the same techniques that real attackers use, including credential harvesting, privilege escalation, lateral movement across network segments, and domain compromise, which provides a true measure of your security.
Active Directory Expertise
Our team has deep expertise in Active Directory security, testing for privilege escalation paths, dangerous delegation configurations, and trust relationship vulnerabilities that automated tools often miss.
Risk-Based Remediation
Our reports include practical, prioritized remediation guidance based on real-world attack scenarios, enabling your team to focus on the most critical security improvements first.
Frequently Asked Questions
Common questions about our internal network penetration testing services.
We recommend conducting internal network penetration testing at least annually, with additional tests following significant infrastructure changes, network reconfigurations, or Active Directory restructuring. Organizations with high security requirements or those in regulated industries may benefit from more frequent internal testing, typically semi-annually. Additionally, we recommend reassessing after major software upgrades, the implementation of new systems, or mergers and acquisitions that introduce new networks into your environment.
Vulnerability scanning uses automated tools to identify known vulnerabilities based on signature databases. While useful for regular checks, it only finds known issues, produces many false positives, and can't evaluate complex attack chains. Internal penetration testing combines automated scanning with manual testing by experienced security professionals who can identify privilege escalation paths, verify vulnerabilities in context, chain multiple weaknesses together, and demonstrate real-world attack scenarios that automated tools can't detect. This includes testing trust relationships, network segmentation effectiveness, and lateral movement techniques that scanners simply cannot evaluate.
A typical internal network penetration test for a medium-sized organization (with approximately 100-500 endpoints and a single Active Directory domain) takes about 1-2 weeks. This includes reconnaissance, scanning, manual testing, exploitation attempts, lateral movement testing, and reporting phases. The scope and complexity of your internal infrastructure are the primary factors that influence the timeline. For organizations with multiple domains, complex trust relationships, or specialized systems, additional time may be required. We'll provide a specific timeframe after our initial scoping assessment.
We design our internal network penetration tests to minimize disruption to your business operations. Most testing activities are passive or low-impact and don't affect system performance. For potentially disruptive tests, we either avoid them entirely, conduct them during scheduled maintenance windows, or use simulation techniques that validate vulnerabilities without causing actual service disruption. We maintain open communication with your technical team throughout the testing process, and can immediately pause any activities if issues arise. Unlike red team exercises, our penetration tests are overt and coordinated with your IT team.
Active Directory (AD) is the cornerstone of most corporate networks, controlling authentication and authorization for users and computers. It's a prime target for attackers because compromising AD often means complete control of the network. Our AD security assessment evaluates critical areas like privileged group memberships, delegation settings, Group Policy configurations, and trust relationships that could be exploited for privilege escalation. We use specialized tools and techniques to identify excessive permissions, dangerous delegation settings, misconfigured service accounts, and other common AD weaknesses. These issues are often invisible to vulnerability scanners but can provide attackers with paths to domain compromise.
To scope an internal network engagement we typically need: network diagrams or VLAN maps, a count of internal IP addresses and subnets, whether Active Directory is in use and how many domains, and a list of key IT assets in scope.
Our deliverables include a comprehensive penetration testing report with an executive summary for leadership, a detailed technical section for your IT and security teams, vulnerability descriptions with severity ratings, proof-of-concept details, attack path diagrams showing potential lateral movement and privilege escalation routes, business impact assessments, and step-by-step remediation guidance. For Active Directory findings, we provide specific recommendations for hardening domain controllers, improving group membership management, and implementing security controls like Protected Users and LAPS. We also offer a Letter of Attestation that can be shared with auditors to demonstrate your security due diligence, and post-remediation validation testing to verify that vulnerabilities have been properly addressed.