What is internal penetration testing?

Internal penetration testing simulates an attacker who has already gained access to your network. Our testers work from inside your environment — using the same tools and techniques as real threat actors — to find privilege escalation paths, exploit Active Directory misconfigurations, and demonstrate the real blast radius of a compromised endpoint.

What is the assume-breach approach?

Assume breach starts from the premise that perimeter controls have already failed. Instead of testing whether an attacker can get in, we test what they can do once inside. This is the most realistic model for assessing your internal defences, detection capability, and incident response readiness.

Do I need to be worried about disruption?

Our testers work methodically and avoid actions that could cause service disruption. We agree on rules of engagement before testing begins, including any systems that are out of scope or require extra care. Most organisations complete an internal test with no noticeable impact on operations.

What access do the testers need?

We typically start with a standard domain user account — the same level of access a new employee would have. The goal is to find how far an attacker could escalate from that starting point. Some engagements also use an assume-breach foothold, such as a pre-compromised workstation.

What does the deliverable include?

A written report covering attack path diagrams, risk-rated findings, Active Directory health assessment, lateral movement analysis, a priority-ordered remediation roadmap, Essential Eight maturity mapping, and an executive summary. All remediated findings qualify for a free 30-day retest.

CREST-aligned internal testing

Internal Network Penetration Testing

CREST-aligned testers who simulate Active Directory attacks, lateral movement, and privilege escalation from inside your network — because most breaches involve an attacker who is already in.

The question isn't whether an attacker can get past your perimeter. It's what they can do once they're inside. We answer that question before they do.

Scope an internal test →View all pen testing →

Active Directory specialists

100% manual testing

30-day free retest

Our methodology

The assume-breach methodology

Assume breach starts from the premise that perimeter controls have already failed. We test what an attacker can do once they are inside — not whether they can get in.

This is the most realistic model for assessing your internal defences, detection capability, and the true blast radius of a compromised endpoint.

Internal Reconnaissance

Network discovery, host enumeration, service identification, and internal DNS mapping. Building the same picture a threat actor has after initial access.

Credential Attacks

Password spraying, Kerberoasting, AS-REP roasting, and LLMNR/NBT-NS poisoning to harvest domain credentials from your network traffic.

Active Directory Abuse

ACL exploitation, DCSync, pass-the-hash, pass-the-ticket, and Kerberos delegation attacks to escalate privileges within your AD environment.

Lateral Movement

Moving between systems using legitimate administrative tools and protocols to reach high-value targets and demonstrate real blast radius.

Scope

What we target

Every target area assessed with the same methodology used by real threat actors operating inside your network.

Active Directory environment

Domain controllers

File shares & NAS devices

Internal web applications

Service accounts

Network infrastructure

Workstation & server trust

Identity & access management

The attack path report

Detailed attack path diagrams showing exactly how privilege escalation was achieved. Risk-rated findings with full reproduction evidence — command output, screenshots, and request/response pairs. Active Directory health assessment included.

The remediation roadmap

Priority-ordered remediation guidance for every finding. Essential Eight maturity mapping so your team knows where each fix lands on the compliance spectrum. Free 30-day retest of all remediated findings.

Outcomes

What changes after the test

Four concrete changes every organisation should expect from a thorough internal penetration test.

Closed attack paths

Known privilege escalation routes closed and Active Directory hardened against repeat exploitation.

Board-ready reporting

Clear risk ratings and an executive summary your leadership team can present with confidence.

Essential Eight alignment

Findings mapped to Essential Eight controls for practical remediation sequencing.

Faster detection

Knowing what attackers target helps your team tune detection rules and response playbooks.

Common questions

Internal pen testing questions answered.

Not sure what's involved or whether your environment is ready? Contact us and we'll walk through the scope and methodology with you.

Talk to a specialist →

What is internal penetration testing?
Internal penetration testing simulates an attacker who has already gained access to your network. Our testers work from inside your environment — using the same tools and techniques as real threat actors — to find privilege escalation paths, exploit Active Directory misconfigurations, and demonstrate the real blast radius of a compromised endpoint.
What is the assume-breach approach?
Assume breach starts from the premise that perimeter controls have already failed. Instead of testing whether an attacker can get in, we test what they can do once inside. This is the most realistic model for assessing your internal defences, detection capability, and incident response readiness.
Do I need to be worried about disruption?
Our testers work methodically and avoid actions that could cause service disruption. We agree on rules of engagement before testing begins, including any systems that are out of scope or require extra care. Most organisations complete an internal test with no noticeable impact on operations.
What access do the testers need?
We typically start with a standard domain user account — the same level of access a new employee would have. The goal is to find how far an attacker could escalate from that starting point. Some engagements also use an assume-breach foothold, such as a pre-compromised workstation.
What does the deliverable include?
A written report covering attack path diagrams, risk-rated findings, Active Directory health assessment, lateral movement analysis, a priority-ordered remediation roadmap, Essential Eight maturity mapping, and an executive summary. All remediated findings qualify for a free 30-day retest.

Find the attack path before it's used.

Most internal networks have a path from any compromised endpoint to domain admin. We find it, document it, and show your team exactly how to close it.

Scope an internal test →View all pen testing →