Internal Network Penetration Testing

When a breach happens, attackers move fast.
Let’s find out how far they’d get.

Assess the security of your internal network by simulating an attacker who has already gained initial access. Identify privilege escalation and lateral movement risks.
CREST Pathway accredited
UK Cyber Security Council corporate member
Cyber Essentials Certified

Internal Network Security

Securing your internal network focuses on protecting systems, users, and data from an attacker that has gained initial access. This reflects how most real-world breaches occur, where attackers gain a foothold through phishing, stolen credentials, or a service exposed to the internet, and then move laterally within the internal environment.

Internal networks often contain critical assets such as Active Directory, file servers, databases, and other administrative systems. Weak access controls, misconfigurations, or excessive privileges can allow an attacker to escalate access and compromise large parts of the organisation.

Internal network penetration testing simulates a realistic breach scenario – assuming an attacker has already gained initial access through phishing, compromised credentials, or an external vulnerability. We then evaluate how far they could progress inside your environment.

Our testing identifies privilege escalation paths, lateral movement opportunities, and access to critical systems like domain controllers, databases, and file servers. This approach helps you prioritise remediation efforts where they’ll have the greatest impact on reducing real-world breach risk.

Why You Should Get a Pentest

Who Needs Internal Network Pentesting?

  • Organisations with Active Directory environments – Testing AD security, Group Policy configurations, and domain trust relationships to prevent domain-wide compromise.
  • Businesses with remote workers – Validating that VPN access doesn’t provide excessive internal network access or privilege escalation opportunities.
  • Companies with sensitive data – Ensuring network segmentation effectively protects customer databases, financial systems, and intellectual property.
  • Regulated industries – Meeting compliance requirements for PCI DSS, ISO 27001, and SOC 2 that require internal security testing.
  • Post-breach preparedness – Understanding your true exposure if perimeter defenses are bypassed, which is how most modern breaches occur.

Our Pentest Methodology

How We Approach Internal Pentesting

Internal network penetration testing involves an assessment of the servers, network devices, and workstations on your organisation’s internal network.

This type of testing is crucial for identifying vulnerabilities that could be exploited by attackers who have already gained access to your internal network, whether through phishing, social engineering, or other means.

Reconnaissance & Enumeration

We begin by mapping your internal network, identifying Active Directory structure, discovering hosts and services, and understanding network topology – just as an attacker would after initial compromise.

Credential Attacks & Harvesting

We test for weak passwords through password spraying, identify credential reuse, extract cached credentials, and demonstrate how attackers steal authentication tokens for lateral movement.

Exploitation & Privilege Escalation

We safely exploit identified vulnerabilities to demonstrate real risk, escalate privileges on compromised systems, and show realistic paths from standard user to Domain Admin access.

Lateral Movement & Pivoting

We move through your network using techniques like pass-the-hash, token impersonation, and exploitation of trust relationships to demonstrate how far an attacker could spread after initial compromise.

Impact Assessment & Reporting

We document complete attack chains, assess business impact of each finding, provide risk-rated technical analysis, and deliver actionable remediation guidance for your IT and security teams.

What We Look For

What’s Included in an Internal Pentest?

We go beyond basic network scanning to identify real attack paths that could lead to complete network compromise.

  • Active Directory Security
  • Internal Network Segmentation
  • Exploitation & Privilege Escalation
  • Password Security & Credential Reuse
  • Endpoint & Server Configurations
  • Lateral Movement Techniques
  • Access to Sensitive Systems
  • Legacy Protocols & Misconfigurations
  • Network Devices & Internal Firewalls
  • Assumed Compromise Testing

Pricing

From £2,850

for internal network penetration testing

Not sure where your network fits? A 30-minute scoping call is free and gets you a fixed written quote, with no obligation to proceed.

No obligation · Strictly confidential · Quote within one business day

Pricing Examples

  • Small office network (1-2 subnets, local servers): £2,850 – £3,300
  • Medium enterprise network (multiple subnets, local servers): £3,800 – £4,200
  • Large network (multiple subnets/zones): £4,750 – £6,600
  • Complex multi-site enterprise: £7,500+

Indicative ranges only. Your exact price is confirmed after a short scoping conversation – see full service pricing.

What’s Included
  • Fixed-price proposal within one business day
  • Manual, consultant-led testing. Not automated scans
  • Report within 2 business days of testing completion
  • Debrief call with your team to talk through findings and risk
  • No obligation to proceed, and all enquiries are confidential

Internal Network Penetration Testing – common questions

Everything you need to know about how penetration testing is priced, scoped, and delivered before you request a quote.

Internal network penetration testing simulates an attack from inside your network perimeter. This could represent a malicious insider threat, a compromised employee account, or an attacker who has gained initial access through phishing or other means.

We assess what an attacker could achieve once inside your network, including lateral movement, privilege escalation, and access to sensitive data.

Yes, PCI DSS Requirement 11.4 explicitly requires internal penetration testing for all organisations with in-scope systems. Similar to external network pentesting, it must be conducted at least annually and after significant changes to the environment.

An internal penetration test for PCI DSS must include testing from both outside the CDE and from within the CDE. One of the main goals of testing is to identify ingress points from both trusted and untrusted positions on the network.

External testing simulates an attack from the internet, testing your perimeter defenses (firewalls, exposed services, VPNs). Internal testing assumes the attacker is already inside your network.

Internal testing typically uncovers different vulnerabilities: weak domain credentials, misconfigured Active Directory, unpatched internal systems, excessive file share permissions, and insecure internal applications that aren’t exposed to the internet.

Not necessarily. Testing can be conducted three ways:

  • On-site – we physically visit your office with our equipment
  • Remote via VPN – you provide us VPN access to simulate a remote employee’s access
  • Hybrid – we ship a pre-configured device (drop-box) that you connect to your network, which we access remotely.

Each approach has trade-offs in terms of realism, cost, and logistics.

The minimum requirement is network access. For black box testing, we only need a network connection (physical or VPN).

For grey box testing (recommended), you provide credentials for a standard user account, which allows more realistic and thorough testing.

For white box testing, you’d provide network documentation, system inventory, and administrative credentials to test from a fully informed perspective.

Common findings include:

  • weak or reused passwords across accounts
  • unpatched systems vulnerable to exploits
  • misconfigured Active Directory (GPO issues, excessive permissions)
  • privilege escalation paths to Domain Admin
  • lateral movement opportunities between systems
  • exposed credentials (in files, scripts, memory)
  • overly permissive file shares with sensitive data
  • vulnerable internal web applications
  • weak network segmentation
  • insecure internal protocols (LLMNR, NetBIOS, SMB signing)

We use non-destructive testing methods and coordinate activities to minimise disruption.

However, some tests (like exploiting vulnerabilities or password spraying) carry inherent risks. We discuss acceptable risk levels during scoping and can adjust our approach based on your tolerance.

For extremely sensitive environments, we can perform testing in maintenance windows or against isolated segments.

Active Directory assessment is a core component of internal testing. When your internal network environment includes Active Directory, we examine:

  • Domain user enumeration and password policies
  • Kerberos weaknesses (e.g. Kerberoasting)
  • Privilege escalation paths (BloodHound analysis)
  • Group Policy misconfigurations
  • Delegation issues and unconstrained delegation
  • Trust relationships between domains, credential exposure and Group Policy Preferences
  • Paths to Domain Admin compromise.

Achieving Domain Admin (or equivalent administrative access) is often a goal of internal testing, as it represents full network compromise. If we achieve this, we document the attack path, demonstrate the impact, and continue testing to identify additional vulnerabilities. We don’t perform destructive actions even with administrative access and, instead, we document what would be possible and help you understand the full scope of risk.

However, attaining Domain Admin privileges is not the be-all and end-all of Exploitr’s methodology. Our goal is to understand your business’ security concerns and base our testing methodology on how best to approach providing assurance to your organisation.

Your main concern may be that a specific internal service could be compromised, which would impact business operations – in this scenario, the ability to compromise an internal Active Directory domain is a stepping stone for us, not the final goal.

We specifically test whether your network segmentation is effective. This includes attempting to: move between VLANs or subnets that should be isolated, access sensitive segments (servers, databases, payment systems) from general workstations, pivot from guest/IoT networks to corporate networks, and bypass segmentation controls through routing or firewall misconfigurations.

In highly secure environments we often need to first compromise an internal server that has network visibility of an adjacent network. For example, in a PCI DSS internal pentest there may be an intermediary server that is accessible from the “user” network, and moving laterally between networks through it requires an initial compromise of an administrative account or the entire Active Directory domain.

We recommend performing testing annually at a minimum for compliance and due diligence. Additional testing should be considered after major network infrastructure changes and after merger/acquisition activity that changes your network.

Consider quarterly testing for high-security environments (or check out our PTaaS service), and testing following any suspected security incident. Many organisations also perform testing before and after major system upgrades or migrations.

Prices for an internal penetration test are usually based on the number of testing days. This can range from 4-10 days depending on the size of the network, the number of assets in scope, and the types of testing performed.

At Exploitr our prices start from £2,850 for a small, local office network assessment. Larger engagements with multiple networks, a mix of on-premises and cloud networks, and the inclusion of Wi-Fi and sample workstation build reviews can be up to £7,500+.

Speak with us to discuss your requirements and we can scope an assessment that meets your needs and budget.

Ready to Test Your Internal Network Security?

Get a fixed-price quote within 24 hours. Our team will review your network environment and provide a tailored testing proposal that addresses your specific infrastructure.