Network penetration testing
Your perimeter is smaller than it used to be, but it still exists, and inside it, flat networks and legacy protocols still hand attackers the keys. We test both sides.
What we test
External testing of your internet-facing infrastructure, internal testing from an assumed foothold, or both.
- External perimeter. Exposed services and management interfaces, VPN endpoints, mail security, DNS hygiene and vulnerable software versions.
- Internal network. Lateral movement from a standard workstation or implant, network segmentation in practice, and paths to crown-jewel systems.
- Credential attacks. Password spraying, relay attacks (NTLM/SMB), Kerberos abuse (kerberoasting, AS-REP roasting) and credential reuse across systems.
- Active Directory. Misconfigured ACLs, delegation issues, certificate services (AD CS) abuse and privilege escalation paths to domain admin.
- Legacy protocols and services. LLMNR/NBT-NS poisoning, unsigned SMB, cleartext protocols and forgotten infrastructure.
How we test it
External engagements start from nothing but your company name and agreed IP ranges, the same position as a real attacker. We validate every exploitable finding rather than pasting scanner output into a report.
Internal engagements typically run from a device we ship to your office or a VM you host, simulating a compromised workstation or malicious insider. The goal is a realistic answer to one question: once someone is in, how far can they get?
Everything runs under agreed rules of engagement with defined windows, emergency contacts and no-strike lists, so testing never surprises your operations team.
The full process, severity ratings and reporting format are described in our methodology.
What you get
- Executive summary. Risk posture and priorities in plain English, readable by non-technical stakeholders.
- Technical findings. Every issue with a CVSS rating, evidence, exact reproduction steps and a concrete remediation.
- Immediate alerts. Anything critical is raised with you the day we find it, not held back for the report.
- Free retest. Once you've fixed the findings, we verify the fixes and issue an updated report and attestation letter.
Get a fixed quote
Send us a rough description of the target and we'll come back with a sensible scope and a fixed price, usually within two business days.
Related: cloud security review, since most "networks" now extend into a cloud VPC.