Attack Readiness

How far can an attacker go once they are inside your network?

A simulated insider or post-breach attack across your internal network. Every path from initial foothold to domain compromise, mapped and documented.

What is an internal pentest?

Your perimeter is guarded, and you assume the systems behind it are safe. An internal pentest gives you a realistic picture of what happens when an attacker, a compromised workstation, or a malicious insider gains a foothold: the team simulates an adversary who is already on your network and works through Active Directory, lateral movement paths, privilege escalation, and access to sensitive data. You receive a detailed report with the attack paths found and concrete hardening recommendations.

About this service

Internal Pentest: what happens after the perimeter falls

Not every threat comes from outside. A malicious insider, a compromised workstation, or a visitor with network access: the internal network is often the real battlefield. An internal pentest simulates an attacker who has already gained a foothold and investigates how far they can go.

The team tests from a position within your network. This can be a laptop plugged into any available network port, a VPN connection, or a compromised workstation. From there, all internal attack paths are explored: network segmentation, Active Directory configuration, internal applications, and shared resources.

Many organisations invest heavily in perimeter security but underestimate internal risks. An internal pentest reveals whether an attacker with limited initial access can escalate to domain admin, reach sensitive data, or access critical systems. It tests not just individual vulnerabilities but full attack paths.

Why this matters

Three internal risks most organisations underestimate

  • A single compromised account can reach everything

    Weak segmentation and overprivileged accounts mean that one phished user or infected endpoint can become a gateway to your entire Active Directory environment.

  • Legacy systems and misconfigurations persist for years

    Legacy protocols such as NTLM, unpatched servers, and default credentials accumulate silently. They are the first things an attacker enumerates after gaining a foothold, and they are usually found and exploited before the internal team notices them.

  • Lateral movement goes undetected for months

    Without proper internal monitoring, attackers move through the network undetected. Dwell time before detection is routinely measured in weeks or months, not hours.

What gets tested

Scope of the internal pentest

  • Active Directory and domain infrastructure
  • Network segmentation and VLAN configuration
  • Internal applications and databases
  • Shared network drives and file servers
  • Privilege escalation paths (local and domain)
  • Credential harvesting and pass-the-hash/ticket attacks
  • Internal DNS and DHCP
  • Print servers, legacy systems, and shadow IT
  • Admin access and jump servers
  • Lateral movement opportunities

Methodology

How DEFION conducts an internal pentest

01

Kick-off and scoping

Defining the starting point (which network segment, which initial rights), constraints, and objectives.

02

Network reconnaissance

Mapping the internal network, identifying active hosts, services, and infrastructure components.

03

Vulnerability identification

Searching for misconfigurations, outdated software, weak credentials, and insecure protocols.

04

Exploitation and privilege escalation

Exploiting found vulnerabilities, escalating rights, lateral movement through the network.

05

Domain compromise assessment

Evaluating whether full domain compromise is possible, including the path to domain admin.

06

Reporting and debrief

Detailed report with attack paths, CVSS scores, and prioritised remediation. Technical walkthrough with your team.

What you receive

Deliverables

  • Executive summary
  • Technical report with attack paths, exploitation evidence, and CVSS scores
  • Active Directory security assessment
  • Network architecture observations and segmentation advice
  • Remediation steps per finding with prioritisation
  • Report debrief with technical team

Target audience

Who is an internal pentest for?

An internal pentest is relevant for any organisation where internal access could lead to significant damage. If an employee, contractor, or compromised device can cause serious harm, you need to know how.

  • Organisations that want to validate their internal network segmentation
  • Companies with complex Active Directory environments
  • IT teams that want to understand the risk of a compromised workstation
  • Organisations preparing NIS2 or ISO 27001 compliance
  • Companies after a merger where networks have been combined

Frequently asked questions

FAQ

From which starting point is the test performed?
We decide that together during kick-off. Common options are: a laptop connected to the office network (visitor or insider simulation), a standard domain user account (insider threat), or a network position with no credentials at all. The starting point determines how realistic the scenario is and how much of the network is in scope.
Is Active Directory specifically tested?
Yes. Active Directory is the primary target for attackers in most environments. The team tests for misconfigurations, weak group policies, Kerberoasting, AS-REP roasting, delegation vulnerabilities, and other known AD attack techniques.
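The techniques named in this answer map to specific directory attributes, which is what the assessor (and, ideally, your own team beforehand) queries first. The following is an added example, not DEFION's tooling or part of this page: it triages exported Active Directory user and computer objects for the conditions behind Kerberoasting, AS-REP roasting, unconstrained delegation, and constrained delegation with protocol transition, using the documented userAccountControl bit flags. The records in `SAMPLE_OBJECTS` are constructed for this example and do not describe a real domain; the group list and severity scale are assumptions for illustration.

```python
"""Triage exported AD objects for the Kerberos weaknesses an internal pentest targets.

Added example, not DEFION's tooling. Each record mimics the attributes an LDAP
export (ldapsearch, ADExplorer, a BloodHound collector) returns; SAMPLE_OBJECTS
is constructed data and describes no real domain.
"""
from dataclasses import dataclass

# userAccountControl flag bits as documented for the AD schema.
UF_ACCOUNTDISABLE = 0x0002
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000             # AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation, protocol transition

# msDS-SupportedEncryptionTypes bits: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
ETYPE_AES = 0x8 | 0x10
RID_DOMAIN_CONTROLLERS = 516  # primaryGroupID of writable DC computer objects

# Assumed high-value groups: a roastable account directly in one of these is critical.
HIGH_VALUE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}

# LDAP filters that pull the same populations from a live domain
# (1.2.840.113556.1.4.803 is the bitwise-AND matching rule).
LDAP_FILTERS = {
    "kerberoast": "(&(objectClass=user)(!(objectClass=computer))(servicePrincipalName=*)"
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "asrep": "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))",
    "unconstrained": "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))",
    "constrained_pt": "(&(userAccountControl:1.2.840.113556.1.4.803:=16777216)(msDS-AllowedToDelegateTo=*))",
}


@dataclass(frozen=True)
class Finding:
    account: str
    technique: str
    severity: str
    detail: str


def _group_names(obj):
    # memberOf lists direct membership only; nested membership needs tokenGroups or a
    # graph tool, so this check under-reports and is a floor, not a ceiling.
    return {dn.split(",")[0].removeprefix("CN=") for dn in obj.get("memberOf", [])}


def triage(objects):
    """Return the findings an assessor would chase first, most severe first."""
    findings = []
    for obj in objects:
        name = obj["sAMAccountName"]
        uac = int(obj.get("userAccountControl", 0))
        if uac & UF_ACCOUNTDISABLE:
            continue  # the KDC issues nothing for a disabled account; skip it

        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append(Finding(name, "AS-REP roasting", "high",
                "pre-authentication disabled; AS-REP hash obtainable without credentials"))

        is_computer = name.endswith("$")  # computer account keys are random and not crackable
        if obj.get("servicePrincipalName") and not is_computer:
            privileged = bool(_group_names(obj) & HIGH_VALUE_GROUPS)
            etypes = int(obj.get("msDS-SupportedEncryptionTypes", 0))
            aes_only = etypes != 0 and not (etypes & ~ETYPE_AES)  # absent attribute = RC4 offered
            severity = "critical" if privileged else ("low" if aes_only else "medium")
            findings.append(Finding(name, "Kerberoasting", severity,
                f"SPN {obj['servicePrincipalName'][0]}; "
                + ("AES-only ticket (slow to crack)" if aes_only else "RC4 ticket (fast offline cracking)")
                + ("; direct member of a high-value group" if privileged else "")))

        if uac & UF_TRUSTED_FOR_DELEGATION and obj.get("primaryGroupID") != RID_DOMAIN_CONTROLLERS:
            findings.append(Finding(name, "unconstrained delegation", "high",
                "caches the TGT of every principal that authenticates to it"))

        targets = obj.get("msDS-AllowedToDelegateTo", [])
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION and targets:
            findings.append(Finding(name, "constrained delegation (protocol transition)", "medium",
                "can impersonate arbitrary users to " + ", ".join(targets)))

    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.account))


SAMPLE_OBJECTS = [  # constructed sample data, not a real directory
    {"sAMAccountName": "svc_sql", "userAccountControl": 66048,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "svc_backup", "userAccountControl": 512,
     "servicePrincipalName": ["backup/bk01.corp.example"], "msDS-SupportedEncryptionTypes": 24},
    {"sAMAccountName": "jdoe", "userAccountControl": 4194816},       # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "old_admin", "userAccountControl": 4194818},  # same, but disabled
    {"sAMAccountName": "APP01$", "userAccountControl": 528384},      # WORKSTATION_TRUST | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "DC01$", "userAccountControl": 532480, "primaryGroupID": 516},  # a DC, expected
    {"sAMAccountName": "svc_web", "userAccountControl": 16777728,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_OBJECTS):
        print(f"{f.severity:8} {f.technique:45} {f.account:12} {f.detail}")
```

The ordering is deliberate: a Kerberoastable account that is directly in Domain Admins is a one-step path to domain compromise and outranks everything else, while an SPN account limited to AES keys is still roastable but far slower to crack and usually a remediation note rather than an attack path. Because memberOf only shows direct membership, a clean result from this script does not rule out nested privileged membership; that is exactly the kind of transitive path the assessment maps.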
Can this disrupt daily operations?
The team works carefully and in coordination. Risky actions such as password spraying are agreed and limited. The goal is insight without disruption. Extra precautions are taken for critical systems.
How does an internal pentest differ from a vulnerability assessment?
A vulnerability assessment inventories weaknesses. An internal pentest goes further: the team exploits vulnerabilities, chains them into attack paths, and demonstrates actual risk. You see not only what is vulnerable but what an attacker can actually achieve.
Can I combine an internal pentest with an external pentest?
Absolutely. A combined approach gives the most complete picture: what can an external attacker reach, and once inside, how far does the damage extend internally? Many organisations choose this combination, especially for compliance programmes.

Ready to test your internal attack surface?

Tell us your starting point and objectives. We scope the right approach and start within days.