Internal Network Penetration Testing

The question an internal network penetration test answers is: if an attacker got in (through a phishing attack, a compromised credential, or a malicious insider), how far could they go? We simulate a threat actor operating inside your network to map every path to your most critical systems, data, and administrative accounts.

  • Lateral movement: Simulated inside-out attack
  • AD attack paths: Active Directory weaknesses exposed
  • Segmentation: Network isolation gaps identified
  • Remediation: Actionable fix list delivered

Internal Reconnaissance

From a foothold inside your network, we enumerate hosts, services, shares, users, groups, and network topology using the same passive and active techniques a real attacker would use. This phase identifies targets of value and maps the internal attack surface before exploitation begins.

Active Directory Attack Testing

Active Directory is the target in the overwhelming majority of enterprise breaches. We test for Kerberoasting, AS-REP roasting, Pass-the-Hash, Pass-the-Ticket, DCSync, Golden Ticket, Silver Ticket, ACL abuse, delegation misconfigurations, and GPO-based privilege escalation paths from standard user to domain administrator.

Lateral Movement Simulation

Using compromised credentials and discovered vulnerabilities, we move laterally through your network to simulate what a real attacker would do after gaining initial access. We identify flat network segments, over-permissive firewall rules, and SMB signing weaknesses that enable credential relay attacks.

Privilege Escalation

We test for local privilege escalation from standard user to local administrator using unquoted service paths, weak registry permissions, scheduled task abuse, and known local privilege escalation vulnerabilities. We also test for domain privilege escalation through AD misconfigurations and LAPS weaknesses.

Sensitive Data & Credential Discovery

We identify sensitive data exposed on file shares, locate password files and credential caches, and test for cleartext credentials in scripts, configuration files, and Group Policy preferences. Access to this data is documented and its business impact assessed.

Attack Path Report & Remediation Roadmap

We provide a visual attack path diagram showing the full compromise chain from initial access to domain admin or critical data. Every step in the path is documented with the specific misconfiguration or vulnerability that enabled it, and remediation guidance is prioritized by impact on breaking the attack chain.



What Makes Us Different From Others

  • Active Directory Specialization: AD security is central to every internal network test. Our testers are specifically trained in modern AD attack techniques, including those that post-exploitation frameworks are built around.
  • Attack Chain Visualization: We produce visual attack path diagrams that show exactly how a domain compromise would unfold, which is more useful for remediation prioritization than a flat list of findings.
  • Realistic Threat Simulation: We simulate the specific threat actors most likely to target your organization (ransomware operators, nation-state actors, or opportunistic criminals), so findings reflect your actual risk profile.
  • Credential Safety: We follow strict credential handling procedures throughout the engagement. Captured credentials are stored securely and returned or destroyed at engagement end.
  • Detection Gap Analysis: We document which phases of our attack simulation triggered alerts or were detected, and which went undetected. This gives your security team visibility into their detection blind spots.
  • Retesting Included: We verify that AD misconfigurations have been corrected and that critical attack paths have been broken.

Client results

See how we have helped

Retail

E-Commerce — PCI DSS Penetration Test

Pre-PCI DSS audit penetration test uncovered critical vulnerabilities in the payment processing environment. All findings remediated before the QSA assessment.

  • Critical: Findings remediated
  • PCI DSS: Audit passed
  • 0: Post-test failures

Manufacturing

Distributor — Network Security Assessment

Full network penetration test and security assessment for a regional distributor ahead of cyber insurance renewal. Coverage secured at preferred rates.

  • Network: Fully assessed
  • Insurance: Coverage secured
  • CMMC: Readiness achieved

Frequently asked questions

What is internal network penetration testing?

Internal network penetration testing simulates a threat actor operating inside your network after bypassing perimeter controls through a phishing attack, compromised credentials, physical access, or insider threat. The test maps lateral movement paths, privilege escalation routes, and access to critical systems from a compromised starting position.

What starting position do you use for internal testing?

We typically start from a standard unprivileged user account (representing a compromised employee credential) and standard workstation access. This is the most realistic starting point for most organizations. We can also test from other starting positions such as a guest network segment or a compromised contractor account.

What Active Directory attacks do you test for?

We test for Kerberoasting (cracking service account passwords from TGS tickets), AS-REP roasting (accounts with preauthentication disabled), Pass-the-Hash, Pass-the-Ticket, DCSync (extracting credential hashes), Golden and Silver Ticket attacks, ACL-based privilege escalation, delegation abuse (unconstrained, constrained, and resource-based), and GPO misconfiguration.

How long does internal penetration testing take?

An internal network test typically takes two to three weeks depending on network size and complexity. Larger environments with multiple domain trusts may require three to four weeks for complete coverage.

Do you test for ransomware attack paths?

Yes. Ransomware operators follow predictable attack chains: initial compromise, lateral movement, domain admin acquisition, defense evasion, and deployment. We specifically map the paths that ransomware operators would take in your environment and identify where those paths can be broken.

What is the difference between a vulnerability scan and an internal penetration test?

A vulnerability scan uses automated tools to identify known vulnerabilities on accessible systems. An internal penetration test uses those findings as a starting point and adds manual exploitation, Active Directory attack testing, lateral movement simulation, and privilege escalation chains. The penetration test shows what an attacker would actually do with discovered vulnerabilities, not just that they exist.

How do you coordinate the test with our IT team?

We establish a clear rules of engagement document before testing begins that defines the scope, starting position, out-of-scope systems, testing hours, and emergency contact procedures. We maintain communication with your IT team throughout and immediately report any critical finding that poses an immediate risk to your environment.

Do you test network segmentation effectiveness?

Yes. Testing whether critical systems are properly isolated from general user networks is a key objective of internal testing. We atte