Skip to content
All services
Internal · in your network

Internal Penetration Test (In-Network Runner)

Most real breaches play out on the inside. The internal pentest runs an ephemeral, engagement-bound runner right inside your network – as a Docker image or a hardened appliance. It checks how far an attacker who already has a foot in the door would get: via Active Directory, weak credentials and lateral movement.

With a signed scope, kill switch and an offline-verifiable licence for appliances.

What we check

Here is what the Internal pentest covers – concrete and verifiable.

  • Active Directory enumeration and escalation paths (BloodHound)
  • Credential spraying, Kerberoasting and AS-REP roasting
  • Relay attacks, ADCS weaknesses, Kerberos and DCSync
  • Multi-hop paths through the internal network (lateral movement)
  • Weak and reused credentials (hash cracking kept offline)
  • HMAC-signed scope document – out-of-scope targets refused locally

Your benefits

What the Internal pentest actually gives you – beyond the pure technology.

Realistic attacker view

The runner shows what is really possible after an initial compromise – the decisive view external scans cannot give you.

Safe by design

Signed scope, local out-of-scope refusal, heartbeat with kill switch and self-destruct on expiry – defence in depth instead of blind trust.

Batteries included

nmap, nuclei, BloodHound, netexec, impacket, Certipy, Responder, Coercer and more come pre-installed – no tedious toolchain setup.

Fully auditable

Every action lands in the append-only audit trail. You can trace what happened, when and in which scope at any time.

How it works

  1. 1

    Create an engagement

    Define scope (CIDRs, exclusions), time window and rules of engagement – including an authorisation reference.

  2. 2

    Deploy the runner

    Start a Docker image or appliance in the target network and register it with a one-time enrolment token.

  3. 3

    Signed scope

    The runner receives an HMAC-signed scope document and refuses out-of-scope targets locally.

  4. 4

    Test & terminate

    AD escalation and credential tests run in a controlled way; on expiry or stop the runner self-destructs.

Typical findings

  • Path to Domain Admin across multiple hopscritical
  • Kerberoastable service account with a weak passwordcritical
  • ADCS misconfiguration with escalation potentialhigh
  • Reused local admin credentialshigh

Example finding categories. Actual results depend on your environment.

Use cases

  • Realistic assessment of internal resilience
  • Active Directory hardening before or after a migration
  • Proof of segmentation and least-privilege effectiveness
  • Preparing for audits and cyber-insurance requirements

Frequently asked questions

How do you ensure only authorised targets are tested?

The runner enforces its HMAC-signed scope document locally and refuses out-of-scope targets on its own (defence in depth) – on top of the server-side engagement check.

What happens after the test?

The runner is ephemeral: it respects the kill switch via heartbeats and self-destructs when the time window expires or on stop.

Do I need an appliance?

No. The runner runs as a Docker image; for particularly sensitive environments there is also a hardened appliance with an offline-verifiable licence key.

Goes well with

Ready for the Internal pentest?

Start with a free scan or talk to us about the plan that fits your use case.