An internal penetration test simulates an assumed breach scenario: What happens when an attacker already has access to your internal network – whether through compromised credentials, an infected workstation, or a malicious insider? We show you how far an attacker can get and which critical systems are at risk.
Most organizations invest heavily in securing their perimeter – firewalls, email filters, and endpoint protection. But what happens when this line of defense has already been breached? Studies show that after initial access, attackers can often gain Domain Admin privileges within hours if the internal infrastructure is not hardened.
Our internal penetration test starts from the perspective of an attacker who is already inside the network. We systematically test Active Directory configurations, network segmentation, internal services, and permission structures. We use the same techniques as real attackers: Kerberoasting, AS-REP Roasting, NTLM relay attacks, Pass-the-Hash, and many more.
The goal is clear: We identify vulnerabilities and attack paths before real attackers do – and provide you with concrete recommendations for hardening your internal environment.
Identification of active hosts, open services, network topology, and Active Directory structures.
Exploitation of misconfigurations and vulnerabilities to escalate privileges – locally and within Active Directory.
Movement through the network to additional systems by exploiting trust relationships and stolen credentials.
Demonstrating impact through access to critical systems, sensitive data, or Domain Admin privileges.
Detailed report with documented attack paths, risk ratings, and prioritized remediation measures.
Kerberoasting, AS-REP Roasting, DCSync, GPO abuse, delegation vulnerabilities, and other AD-specific attack vectors.
Assessment of VLAN configurations, firewall rules between segments, and whether critical systems are adequately isolated.
Databases, file shares, intranet applications, management interfaces, and other internally exposed services for vulnerabilities and misconfigurations.
Password strength, credential reuse, stored credentials in scripts, group policies, and network shares.
Access control on backup infrastructure, encryption of backup data, and protection against ransomware scenarios.
Effectiveness of EDR/AV solutions, local admin rights, patch levels, and hardening of workstations and servers.
Anonymized engagement example
A Swiss services company. Standard workstation. Domain Admin in under 6 hours.
LLMNR deactivation, network segmentation, and certificate services overhaul implemented. After retest: same attack path to Domain Admin no longer possible.
A Swiss services company wants to test internal security after an external pentest. Starting point: network access via a standard workstation — simulating a compromised employee.
Upon completion of the internal penetration test, you will receive a comprehensive report containing the following elements:
Summary of the key findings and overall risk for executive leadership.
Detailed description of each attack path from initial access to objective achievement, including screenshots and evidence.
Each vulnerability is rated by criticality (CVSS) and business impact.
Prioritized action plan with concrete recommendations for remediating the identified vulnerabilities.