Network Penetration Testing

Network Penetration Testing Services

A network penetration test shows you exactly what an attacker would find if they targeted your infrastructure: from the internet, from inside your office, or from a compromised endpoint. We simulate real attack scenarios against your network to identify the paths that lead to your critical systems and data.

  • Internal and external: Network both tested
  • Lateral movement: Attack paths mapped
  • Segmentation: Controls verified
  • Remediation: Prioritised fixes delivered

Reconnaissance & Attack Surface Mapping

Before testing begins we map your attack surface the way real attackers do: DNS enumeration, certificate transparency analysis, exposed service discovery, and OSINT collection to build a complete picture of what is visible to an external attacker. This phase often reveals forgotten systems and services that internal teams have lost track of.

External Network Testing

We probe your internet-facing infrastructure for exploitable vulnerabilities in firewalls, VPNs, remote access solutions, public-facing servers, and cloud-connected endpoints. External testing simulates what an attacker on the open internet can find and exploit with no prior access to your environment.

Internal Network Testing

Simulating a threat actor who has bypassed perimeter controls, whether through a phishing attack, compromised credentials, or physical access, our internal testing probes for flat network architecture, over-privileged service accounts, unpatched systems, and misconfigured network devices that allow lateral movement to critical systems.

Lateral Movement & Privilege Escalation

Once initial access is established, we simulate what a real attacker would do with it. We probe for lateral movement paths, privilege escalation vectors, credential reuse opportunities, and routes to your most sensitive systems, showing you exactly how far a breach could realistically go.

Active Directory & Authentication Testing

Active Directory is the target in the overwhelming majority of enterprise breaches. We test for Kerberoasting, AS-REP roasting, Pass-the-Hash, DCSync attacks, delegation abuse, and misconfigured group policies that would allow an attacker to escalate from a standard user to domain administrator.

Network Security Assessment Report

Every finding is documented with network path evidence, a proof-of-concept demonstrating exploitability, the business risk represented by the finding, and specific remediation guidance. We include a prioritized remediation roadmap that distinguishes between immediate critical fixes and longer-term architectural improvements.



What Makes Us Different From Others

Network Penetration Testing Services
  • Full Attack Chain Simulation: We do not report individual vulnerabilities in isolation. We demonstrate how multiple findings chain together into a realistic attack path from initial compromise to sensitive data or domain control.
  • Active Directory Expertise: AD is the target in most enterprise breaches. Our testers are specifically trained in AD attack techniques and include full AD security testing in every internal engagement.
  • Scoped for Your Environment: External-only, internal-only, or combined: we scope engagements based on your threat model, not a standard template. Organizations with remote workforces need different coverage than those with traditional perimeter architectures.
  • Coordination with Your Team: We work with your IT and security team throughout the engagement to avoid business disruption and to ensure findings are actionable given your specific environment and constraints.
  • Retesting Included: We verify that your remediations actually work. Retesting is included in the engagement, not charged as a separate service.
  • Compliance-Aligned Reporting: Reports can be structured to support PCI DSS, HIPAA, SOC 2, ISO 27001, and CMMC compliance requirements where network penetration testing is a required control.

Client results

See how we have helped

Manufacturing

Distributor — Network Security Assessment

Full network penetration test and security assessment for a regional distributor ahead of cyber insurance renewal. Coverage secured at preferred rates.

  • Network: Fully assessed
  • Insurance: Coverage secured
  • CMMC: Readiness achieved

Frequently asked questions

What is the difference between external and internal network penetration testing?

External network penetration testing simulates an attacker on the open internet, probing your internet-facing systems, services, and remote access solutions for exploitable vulnerabilities. Internal network penetration testing simulates an attacker who has already breached your perimeter (through a phishing attack, compromised credentials, or a rogue device) and is probing your internal infrastructure for lateral movement paths and critical system access. Most organizations benefit from both.

Will the penetration test disrupt our network or operations?

We design network penetration tests to avoid service disruption. Any potentially disruptive test, such as exploitation attempts against production systems, is coordinated with your team in advance. Testing is typically conducted in a controlled manner that is invisible to users during business hours.

What does Active Directory testing involve?

Active Directory testing involves probing for misconfigurations and known attack techniques including Kerberoasting, AS-REP roasting, Pass-the-Hash, Pass-the-Ticket, DCSync, delegation abuse, and misconfigured group policies. AD is the target in the majority of enterprise breaches, so thorough AD testing is a critical component of any internal network engagement.

How long does a network penetration test take?

An external-only engagement typically takes one to two weeks. A full internal and external assessment may take two to four weeks depending on network size and complexity. We provide a clear timeline during scoping.

Do you test cloud-connected infrastructure?

Yes. We include testing of VPN gateways, cloud-connected endpoints, and hybrid network architectures. For dedicated cloud security testing of AWS, Azure, or GCP environments, we recommend combining network testing with our cloud penetration testing service.

What are the most common findings in network penetration tests?

The most common critical findings include unpatched systems with known exploits, misconfigured Active Directory with privilege escalation paths, flat network architecture allowing unrestricted lateral movement, exposed management interfaces (RDP, SSH, WinRM) accessible from the internet, weak credentials on service accounts, and VPN configurations with outdated protocols.

Is network penetration testing required for compliance?

PCI DSS requires network penetration testing at least annually and after significant changes. HIPAA does not mandate penetration testing explicitly but requires regular risk assessments, which most auditors expect to include penetration testing. SOC 2, ISO 27001, and CMMC all include requirements that are typically satisfied through regular network penetration testing.

Do you retest after remediation?

Yes, retesting is included. After your team has addressed findings, we verify that the fixes are effective and that no new vulnerabilities were introduced during the remediation process.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.

No obligation: just clarity on your next step.
