Internal Pentesting

We break it so attackers can’t.

Focused on internal networks, Active Directory and Azure AD (Microsoft Entra ID). We can also cover AWS/GCP identity and hybrid environments.

Manual pentest + AI-assisted (operator-controlled)

  • Methodology: Manual + AI
  • Kickoff: <48h
  • Deliverable: Exec + Tech Report
Introduction

What’s an Internal Pentest & its purpose?

An internal pentest (grey-box) or internal audit starts from an authorized connection to your internal network that you provide (for example, a standard network user via VPN or a computer connected to the network).

The goal is to safely discover and validate all vulnerabilities and misconfigurations that could be chained together to compromise the internal network, starting from the initial access point. We then document exactly how each issue was found, its impact on the business, and the prioritized remediation. Only the internal network is tested; external, social engineering, and physical components are not included.

Identify attack paths

  • Identify real attack paths: privilege escalation, lateral movement, and sensitive data access within AD/LAN
  • Validate exploitability in a controlled manner without disrupting production systems
  • Assess internal security hygiene: identity/AD hardening, segmentation, patching, and credential protections
  • Deliver clear reproduction steps, impact analysis, and actionable remediation - with an optional retest to verify fixes
Coverage

What we test

Active Directory (on-prem)

  • Privilege escalation paths
  • Kerberos/credential abuse
  • Delegation, GPOs, ACLs

Azure AD / Entra ID

  • Conditional Access & roles
  • App registrations / consent
  • Tenant & identity hygiene

Internal Network

  • Service enumeration
  • Segmentation & trust
  • Legacy protocols & exposures

AD CS & Certificates

  • ESC1–ESC8 abuses
  • Misissued templates
  • Shadow/KeyCredential attacks

Cloud IAM (AWS/GCP)

  • Roles & federation
  • Access keys & secrets
  • Cross-account trust

Lateral Movement & EDR evasion

  • RDP/SMB/WinRM paths
  • WMI & PSRemoting
  • Living-off-the-land
Manual + AI

AI-assisted pentesting included

We can augment manual testing with AI agents when it benefits coverage or speed. The level of AI involvement is chosen per engagement by the operator/pentester.

Manual-only

  • Human-led, tool-assisted
  • Ideal for sensitive systems
  • Deep AD/Azure analysis

Hybrid Default

  • Operator in the loop
  • AI for recon & triage
  • Human verification before impact

AI-accelerated

  • Graph/path finding in AD
  • Cloud IAM pattern hunting
  • Faster retest cycles
How it’s governed

  • Clear guardrails & rules of engagement
  • Operator approvals for risky actions
  • Full activity logs for auditability

Where AI helps

  • AD enumeration & path discovery
  • Azure/AWS misconfiguration detection
  • Drafting remediation steps faster
Methodology

Attack chain (MITRE ATT&CK)

Initial Access

  • T1078 Valid Accounts
  • T1133 External Remote Services
  • T1199 Trusted Relationship

Recon

  • T1087 Account Discovery
  • T1069.002 Domain Groups
  • T1046 Service Scanning

Privilege Escalation

  • T1068 Exploitation
  • T1548 UAC Bypass
  • T1134 Token Manipulation

Lateral Movement

  • T1021 Remote Services
  • T1047 WMI
  • T1570 Lateral Tool Transfer

Execution & Evasion

  • T1059 Cmd/Scripting
  • T1053 Scheduled Tasks
  • T1562 Impair Defenses

Post-Exploitation

  • T1003 OS Credential Dumping
  • T1041 Exfil over C2
  • T1486 Data Encrypted
Engagement options

Packages that fit your scope

Assessment

Full infrastructure (AD-first)
  • Complete internal & AD/Entra review
  • Credential & attack-path analysis
  • Report with vulnerabilities and how to fix them
  • Readout session for stakeholders

Assessment + Remediation

We find it & we fix it
  • Everything in Assessment
  • We implement agreed fixes (GPO/ACL, CA, IAM)
  • Hardening baselines & secure configuration
  • Knowledge transfer & validation retest

Bespoke / Confidential

Custom scope • NDA-first
  • Special requests & high-sensitivity projects
  • Confidentiality emphasized (strict NDA)
  • Tailored methodology & deliverables
  • Dedicated point of contact
FAQ

Frequently Asked Questions


What exactly do you test?

Internal network only. We focus on on-prem Active Directory, Microsoft Entra ID (Azure AD), and any internal services reachable from the provided access point (VPN/jump host/VDI). External perimeter, social engineering, and physical testing are out of scope.

What does “grey-box initial access” mean?

You provide an authorized foothold (e.g., a standard AD user via VPN or a domain-joined workstation). We do not phish, spray, or brute-force to obtain access. From that foothold we emulate a post-compromise attacker operating inside your network.

What’s the objective and what do we receive?

Objective: identify every realistic path to impactful compromise (privilege escalation, lateral movement, sensitive data access) and safely prove exploitability. Deliverables: an executive summary and a technical report detailing how each finding was discovered, the business impact, severity, and clear remediation steps - plus a live readout and an optional retest to verify fixes.

Is this safe for our production systems?

Yes. We use non-destructive techniques by default, follow pre-agreed Rules of Engagement, schedule intrusive steps in change windows, and coordinate with your SOC/IT. We avoid DoS conditions, mass credential lockouts, and any ransomware-style actions.

How soon can we start?

As soon as scope and Rules of Engagement are signed and initial access is provisioned. Typical prerequisites: written authorization, a point of contact, VPN/jump-box details, one standard user in scope, any necessary allow-listing in EDR/IPS, and a high-level network/AD diagram.

Start a project

Get a tailored quote

Tell us about your internal environment. We’ll respond with scope, approach, and a fixed quote.

  • Kickoff in < 48 hours
  • NDA on request
  • Free remediation retest