pentest · network

Test the path from internet to crown jewels.

External perimeter testing (every IP, port, service, cert) and internal network testing (AD enumeration, kerberoasting, ADCS misconfigurations, lateral movement). We deliver attack paths with screenshots, not configuration findings.

01. in scope

What we test.

External, internal, and Active Directory in scope by default. Cloud network in scope on request.

External perimeter

Every public IP, port, service, certificate, DNS record. Discover what is exposed, what is misconfigured, what would let an attacker in.

Internal lateral movement

From an assumed-breach starting point (low-privilege user account), test how far an attacker reaches. Domain, segment, crown-jewel data.

Active Directory

Kerberoasting, AS-REP roasting, ADCS misconfigurations, AdminSDHolder, GPO trust, delegation chains, group nesting, Entra ID hybrid issues.

Network segmentation

For PCI / HIPAA / SOC 2: verify the network boundary actually contains the scope you claimed. Test segmentation under realistic conditions.

Legacy protocols

SMBv1, LLMNR, NBT-NS, mDNS, IPv6 abuse. Plaintext credentials in transit. RDP and SSH hardening.

Jump host + admin tooling

Bastion hosts, PAM solutions, RDS/Citrix farms, ITSM platforms. Often the fast path to admin access.

02. methodology

How we test.

PTES + OSSTMM + custom AD attack chains. Assumed-breach is the default starting point for internal engagements.

  1. External recon + scan. Passive then active. Map the perimeter. Identify exposed services and known vulnerabilities. Validate every potential finding manually.
  2. Internal foothold + enumeration. From low-privilege user. Map domain, find escalation paths, identify shortest path to crown-jewel data.
  3. AD attack execution. Kerberoasting, ADCS ESC1 through ESC11, AS-REP roasting, password spray, NTLM relay. Documented end-to-end.
  4. Report + readout. Attack-path diagrams from foothold to objective. IAM blast-radius. Segmentation gaps. Engineer Q&A.

03. deliverables

What you walk away with.

Network pentest deliverables.

External findings report

Per-service findings with severity, exploit chain, fix steps. Asset inventory delta against your CMDB.

Internal attack-path diagrams

From foothold to crown jewels. Visual paths with technique annotations. Useful for engineering planning and board reporting.

AD hardening roadmap

Specific GPO / ADCS / delegation changes, ranked by attack risk and ops impact.

Segmentation report

Where the network actually segments and where it does not. Critical for compliance scope confirmation.

04. when

When teams hire us for this.

Common triggers for a network pentest.

Annual cadence

Your security program runs an annual external + internal pentest. We deliver attack paths, not configuration findings.

Post-merger

You acquired or merged. Two networks now connect. The combined attack surface needs mapping.

PCI DSS / HIPAA segmentation

Compliance scope depends on segmentation holding. We verify it under realistic conditions.

Insurance renewal

Your cyber-insurance broker requires recent external + internal testing for the renewal.

05. faq

Questions before the call.

Common questions for this engagement type. See main pentest FAQ for shared questions.

Assumed-breach or no foothold?

Both. External pentest starts with no foothold. Internal pentest starts assumed-breach (low-privilege user account) — a far more realistic trade-off between budget and coverage.

How does this differ from infra audit?

Network pentest goes deeper on exploitation (kerberoasting, ADCS, lateral movement). Infra audit covers broader configuration review. Often run together.

Can you skip Active Directory?

Yes, if AD is not in your environment (cloud-only orgs without hybrid). For most enterprises, AD is where lateral movement happens, and skipping it leaves the most important coverage out.

Test the network?

60-minute scoping call covers external surface, internal access, and AD scope. Free.