Assumed breach (or assumed compromise) is a security testing model where the initial compromise is treated as already having happened. Rather than spending time proving how an attacker might get in, the assessment starts from a limited foothold like a low-privilege domain account, a workstation on the internal network, or access to a specific application role. Phishing, stolen credentials, exposed remote access services, supplier compromise, and unmanaged endpoints can all provide initial access.
An assumed-breach assessment concentrates on post-compromise activity:
- local privilege escalation
- credential access
- abuse of Active Directory
- Kerberoasting
- pass-the-hash
- weak network segmentation
- access to critical systems or sensitive data
Concentrating on these paths makes the exercise efficient: the testing effort goes to the attack paths that create the greatest business risk rather than to the initial entry.
For many organisations, an assumed-breach assessment is a more realistic measure of resilience than a perimeter-only test. It can reveal whether one compromised user account or an infected workstation could lead to wider compromise, ransomware deployment, or loss of administrative control across the network.
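The post-compromise activities listed above are also the ones defenders most need to detect. As an added example (not part of the original page), the script below shows a simple Kerberoasting detection: it scans Windows Security event 4769 (Kerberos service ticket request) records and flags any user account that requested several distinct service tickets with the legacy RC4-HMAC encryption type (0x17) inside a short window, which is the typical signature of an account being used to harvest crackable service tickets. The event fields follow the real 4769 data names; the event values, the account and service names, and the threshold and window are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption type value reported in event 4769 for RC4-HMAC tickets.
RC4_HMAC = "0x17"

# Constructed sample of 4769 events (field names match the event's XML data
# names; every value here is made up for the example).
SAMPLE_EVENTS = [
    # alice: four distinct RC4 service tickets within ~90 seconds -> suspicious
    {"time": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"time": "2024-05-01T09:00:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"time": "2024-05-01T09:00:09", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"time": "2024-05-01T09:01:30", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_reports", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    # bob: many tickets, but all AES256 (0x12) -> normal activity
    {"time": "2024-05-01T09:00:02", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.22"},
    {"time": "2024-05-01T09:00:03", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.22"},
    {"time": "2024-05-01T09:00:04", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.22"},
    # carol: a single RC4 ticket -> below threshold
    {"time": "2024-05-01T09:05:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"},
    # dave: RC4 tickets for computer accounts (names end in $) -> ignored
    {"time": "2024-05-01T09:06:00", "TargetUserName": "dave@CORP.LOCAL",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40"},
    {"time": "2024-05-01T09:06:01", "TargetUserName": "dave@CORP.LOCAL",
     "ServiceName": "FILESRV02$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40"},
    {"time": "2024-05-01T09:06:02", "TargetUserName": "dave@CORP.LOCAL",
     "ServiceName": "FILESRV03$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40"},
]


def is_roastable_request(event):
    """True for an RC4 service-ticket request against a user (not computer) SPN.

    Computer accounts have long random passwords, so tickets for them are not
    a realistic offline-cracking target; the krbtgt service is excluded too.
    """
    svc = event["ServiceName"]
    enc = event["TicketEncryptionType"].lower()
    return enc == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"


def kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Return {requesting account: sorted service names} for accounts that
    requested at least `threshold` distinct RC4 service tickets within `window`.
    """
    by_user = defaultdict(list)
    for e in events:
        if is_roastable_request(e):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["ServiceName"]))

    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        # Sliding window anchored at each request; stop at the first hit.
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts[user] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for user, services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

In a real deployment the threshold and window would be tuned against the environment's baseline, and the stronger fix is to remove RC4 from service accounts and move to long, rotated passwords or group-managed service accounts so that harvested tickets are not crackable in the first place.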
Internal penetration testing commonly uses an assumed-breach model because it mirrors the situation defenders most need to understand: what happens after the first mistake, not before it. It is especially valuable for organisations with mature external controls that want clarity on the security of the environment behind them.