Assumed-breach assessment of your corporate network. We start from a low-privilege foothold and demonstrate the realistic paths to Domain Admin, sensitive data, and business-critical systems.
Most ransomware incidents and major breaches involve attackers who got inside through phishing or a compromised endpoint, then moved laterally for weeks before detection. An internal penetration test reveals what they could do, and how fast.
Modern threat actors do not stop at your perimeter. They get past it. Phishing, supply-chain compromise, third-party access, and stolen credentials mean any sufficiently determined adversary will eventually be inside your network. The relevant question is not "can they get in"; it is "what happens next".
An internal penetration test simulates exactly that scenario. We start with a typical low-privilege foothold (a user account, a workstation on your network, or a guest network connection) and demonstrate what a threat actor could do from there. The output is a clear narrative of attack chains, prioritized by business impact.
This is the engagement that uncovers the misconfigurations and trust relationships your team built up over years and never had the time to revisit. The findings are almost always more interesting, and more urgent, than what external testing surfaces.
Kerberoasting, AS-REP roasting, unconstrained delegation, resource-based constrained delegation abuse, dangerous ACL inheritance, group nesting that exposes Tier 0 assets. We use BloodHound to map realistic attack paths and validate them manually rather than reporting theoretical edges.
The ESC1 through ESC8+ certificate-based escalation paths. AD CS misconfigurations are some of the most exploitable AD findings in modern enterprises and are often missed by traditional reviews.
LLMNR/NBT-NS poisoning, NTLM relay attacks, IPv6-based DHCPv6 takeover, and the cascade of credential compromise that often follows. These attacks remain effective in most enterprise networks because the mitigations are still off by default.
From initial foothold to higher-privileged accounts, across systems, and into administrative tiers. Pass-the-hash, pass-the-ticket, Silver and Golden Tickets, DCSync, and other techniques in active use by real threat actors.
What an attacker would find once they have access. File shares with PII, source code repositories, password vaults, ticketing systems, and the inevitable "passwords.xlsx" on someone's network drive.
Whether your endpoint detection and response is actually catching the techniques real-world threat actors use. We use operator-grade tooling and tradecraft and report on what was detected, what was not, and what your detection program should add.
Active testing runs one to two weeks depending on environment size. We typically operate from a provided workstation, a VPN connection into a controlled network segment, or a virtual machine we deploy onto an isolated VLAN. The engagement follows our standard five-phase methodology.
We work in close communication with your blue team during the engagement when purple-team coordination is in scope, or remain operationally silent when the engagement is intended to test detection in addition to controls.
No. The whole point of an assumed-breach engagement is to start from a realistic position. We typically use a standard domain user account with no special privileges. The interesting story is what happens between that and Domain Admin.
Usually yes, on purpose. We use real-world tradecraft. EDR alerts during the engagement are valuable data: they show what your detection program is catching, what it is missing, and what tuning will improve coverage.
Remote works for the vast majority of engagements. We typically connect via VPN to a controlled network segment, or operate from a virtual machine deployed in your environment. On-site testing is available if needed for physical access scope.
A vulnerability scan reports things that might be exploitable. An internal pentest validates whether they actually are, chains them with other weaknesses, and demonstrates real impact. A scan tells you "this server has a known CVE". A pentest tells you "an attacker on the user VLAN can reach Domain Admin in four hours by chaining that CVE with this misconfiguration and these credentials".
We notify your designated emergency contact within hours, share what we found, and pause before exploiting further. Your team decides how to respond. Containment and remediation always take priority over completing the engagement on schedule.
Tell us about your environment, your compliance drivers, and your timeline. We will respond within one business day.