External · Internal · Segmentation

Network & Infrastructure

External and internal network testing that maps the paths an attacker would take from foothold to crown jewels.


We test the security of your internal and external boundaries: internet-facing services, internal segments, Active Directory, and the controls that separate them. We do more than list open ports and missing patches. We find the paths an attacker could take from an initial foothold to your critical assets, then judge whether your segmentation, access controls and detection would stop them.

We test the way attackers move through a network, so you learn where the real routes run rather than which boxes a checklist ticks. The consultant who scopes your test is the consultant who delivers it.

Who this is for / when to test

  • Significant change: cloud migration, office moves, network redesign, or a new Active Directory forest.
  • Compliance and assurance: PCI-DSS, ISO 27001, SOC 2 and Cyber Essentials Plus all expect regular infrastructure testing.
  • Customer and tender requirements: buyers want evidence of independent infrastructure assurance.
  • Mergers and acquisitions: you assess the security posture of an estate you are about to inherit.
  • Annual assurance: your last test is over twelve months old, or insider-threat and blast-radius concerns have grown.

What we test

External

  • We enumerate perimeter services across all public ranges, including non-standard ports, IPv6 exposure and forgotten cloud assets.
  • We assess VPN endpoints, remote access gateways, RDP, SSH, SMTP, DNS and management interfaces for default credentials, known CVEs and authentication bypasses.
  • We test public web applications and APIs for injection, authentication and access-control weaknesses.
  • We check email spoofing resistance: SPF, DKIM and DMARC configuration.

Internal (assumed breach)

  • We check whether VLANs, subnets and firewall rules enforce the separation they promise.
  • We attack Active Directory with Kerberoasting, AS-REP roasting, ACL and GPO abuse, and BloodHound-based analysis of the shortest route to Domain Admin.
  • We move laterally using Pass-the-Hash, Pass-the-Ticket, credential reuse and protocol abuse.
  • We escalate privileges and extract credentials from memory.
  • We simulate data access and exfiltration against your monitoring and egress controls.
  • We review server and workstation hardening against CIS Benchmarks, where in scope.

Our methodology

We work to PTES and NIST SP 800-115, align hardening reviews to CIS Benchmarks, and reference NCSC guidance throughout.

  1. Scoping: we agree IP ranges and assets, testing windows and change-freeze periods, out-of-scope systems, escalation contacts and reporting depth.
  2. Reconnaissance and enumeration: we map exposed services and the internal estate.
  3. Mapping and threat modelling: we identify trust relationships and likely attack paths.
  4. Vulnerability analysis: we combine automated breadth with manual judgement to remove noise and find what scanners miss.
  5. Exploitation: we run controlled, validated exploitation of confirmed weaknesses.
  6. Post-exploitation: we test lateral movement, privilege escalation and segmentation to establish real blast radius.
  7. Reporting and debrief: we write up the findings and walk your team through them live.
  8. Retest: we retest every remediated finding and confirm it is resolved.

Testing approaches

  • Black box: no prior knowledge, simulating an external attacker. We use it to test perimeter realism.
  • Grey box: partial information and, for internal testing, a standard domain account. We default to this. An assumed-breach internal test reflects the most realistic and damaging scenario, and external grey box covers the ground efficiently.
  • White box: full network documentation and configuration access for maximum depth.

We recommend an external black/grey box test paired with an internal assumed-breach (grey box) test for most organisations.

What you get

  • An executive summary covering what we tested, what we found, and the business impact of the most serious issues.
  • Technical findings with proof of exploit, affected hosts and clear evidence.
  • Per-finding remediation: configuration changes, patch versions and architecture adjustments.
  • A CVSS severity rating alongside a business-risk rating that reflects exploitability and blast radius.
  • Same-day notification of any critical finding.
  • A debrief call and a retest of remediated findings, included.

FAQs

How long does a test take? External tests run three to five days. Internal tests run five to ten, depending on estate size and AD complexity. We confirm the figure at scoping.

Will it disrupt the network? We test live environments safely. We avoid denial-of-service techniques unless you agree to them, and we keep an escalation line open throughout.

Can it be done remotely? We run external testing fully remote. We deliver internal testing remotely via a deployed device or jump host, or on-site where you prefer.

How often should we test? At least annually, and after any significant infrastructure change. If your estate changes often, our continuous testing service fits better.

Discuss a network engagement

hello@leveragecyber.io
