Internal Penetration Test (In-Network Runner)
Most real breaches play out on the inside. The internal pentest runs an ephemeral, engagement-bound runner right inside your network – as a Docker image or a hardened appliance. It checks how far an attacker who already has a foot in the door would get: via Active Directory, weak credentials and lateral movement.
With a signed scope, kill switch and an offline-verifiable licence for appliances.
What we check
Here is what the Internal pentest covers – concrete and verifiable.
- Active Directory enumeration and escalation paths (BloodHound)
- Credential spraying, Kerberoasting and AS-REP roasting
- Relay attacks, ADCS weaknesses, Kerberos and DCSync
- Multi-hop paths through the internal network (lateral movement)
- Weak and reused credentials (hash cracking kept offline)
- HMAC-signed scope document – out-of-scope targets refused locally
Your benefits
What the Internal pentest actually gives you – beyond the pure technology.
Realistic attacker view
The runner shows what is really possible after an initial compromise – the decisive view external scans cannot give you.
Safe by design
Signed scope, local out-of-scope refusal, heartbeat with kill switch and self-destruct on expiry – defence in depth instead of blind trust.
Batteries included
nmap, nuclei, BloodHound, netexec, impacket, Certipy, Responder, Coercer and more come pre-installed – no tedious toolchain setup.
Fully auditable
Every action lands in the append-only audit trail. You can trace what happened, when and in which scope at any time.
How it works
- 1
Create an engagement
Define scope (CIDRs, exclusions), time window and rules of engagement – including an authorisation reference.
- 2
Deploy the runner
Start a Docker image or appliance in the target network and register it with a one-time enrolment token.
- 3
Signed scope
The runner receives an HMAC-signed scope document and refuses out-of-scope targets locally.
- 4
Test & terminate
AD escalation and credential tests run in a controlled way; on expiry or stop the runner self-destructs.
Typical findings
- Path to Domain Admin across multiple hopscritical
- Kerberoastable service account with a weak passwordcritical
- ADCS misconfiguration with escalation potentialhigh
- Reused local admin credentialshigh
Example finding categories. Actual results depend on your environment.
Use cases
- Realistic assessment of internal resilience
- Active Directory hardening before or after a migration
- Proof of segmentation and least-privilege effectiveness
- Preparing for audits and cyber-insurance requirements
Frequently asked questions
How do you ensure only authorised targets are tested?
The runner enforces its HMAC-signed scope document locally and refuses out-of-scope targets on its own (defence in depth) – on top of the server-side engagement check.
What happens after the test?
The runner is ephemeral: it respects the kill switch via heartbeats and self-destructs when the time window expires or on stop.
Do I need an appliance?
No. The runner runs as a Docker image; for particularly sensitive environments there is also a hardened appliance with an offline-verifiable licence key.
Goes well with
Active Exploitation
From suspicion to proof: controlled exploitation proves a vulnerability unambiguously – in three graded modes.
AI pentest
An autonomous AI agent thinks like an attacker: combines findings, follows paths and explains them clearly.
Continuous validation
Security is not a single date: ongoing re-scans, a stable finding history and an always-current risk picture.
Ready for the Internal pentest?
Start with a free scan or talk to us about the plan that fits your use case.