Service A.02 · Network Penetration Testing

Network penetration testing services that prove your perimeter and your blue team.

CyberFortify's network penetration testing services simulate real-world attacker behaviour against your external attack surface, internal corporate network and cloud-edge infrastructure. We validate firewall rules, segmentation boundaries, Active Directory hardening and lateral-movement paths against MITRE ATT&CK adversary techniques - producing reports your auditors and incident-response teams can both use.

Aligned with: MITRE ATT&CK · PTES · NIST 800-115 Engagement: 5-15 business days Scope: External · internal · assumed-breach
100%
Manual exploitation
24h
Critical SLA
AD
Hardening review
Free retest
Test classes: Active Directory abuse · Kerberoasting · AS-REP roasting · LLMNR/NBT-NS poisoning · SMB relay · ADCS misconfig · Constrained delegation · Pivot & tunnel · VPN flaws · Wi-Fi (WPA2/3) · Segmentation bypass · VLAN hopping Test classes: Active Directory abuse · Kerberoasting · AS-REP roasting · LLMNR/NBT-NS poisoning · SMB relay · ADCS misconfig · Constrained delegation · Pivot & tunnel · VPN flaws · Wi-Fi (WPA2/3) · Segmentation bypass · VLAN hopping
// Executive summary

CyberFortify's network penetration testing services simulate real-world attacker tradecraft against three vantage points - the external internet perimeter, the internal corporate network and the wireless edge. Every engagement covers Active Directory abuse, lateral movement, segmentation testing and PCI DSS Requirement 11.4 evidence. Reports map to MITRE ATT&CK tactics and the Penetration Testing Execution Standard, with NIST SP 800-115 grounding and a free remediation retest at the end.

// 01 What network penetration testing actually is

// DefinitionNetwork Pen Test

A controlled, manual simulation of an attacker against the network infrastructure that connects your business - firewalls, edge routers, VPN concentrators, Active Directory domains, jump boxes, internal subnets, segmentation boundaries, Wi-Fi access points and the internet-exposed services that face every adversary.

Three distinct vantage points get tested. External (public-internet attacker), internal (already inside the corporate network) and assumed-breach (low-privilege starting credentials in hand). Each models a different stage of the attacker kill chain.

The discipline predates application security testing by a decade and remains one of the most consequential offensive exercises any organisation can run - because the blast radius of a network compromise is almost never limited to a single application. A modern network penetration test validates not just the perimeter but the assumptions a defender makes about how trust flows once an attacker is inside the wire.

CyberFortify's engineers have delivered network engagements against environments ranging from twenty-host startup networks to multi-domain Active Directory forests with tens of thousands of endpoints. Every engagement is led by senior offensive engineers with current OSCP / OSEP / CRTO certifications. Automation supports the lead tester - it never replaces them.

// 02 Three vantage points: external, internal and wireless

The phrase network penetration testing covers three distinct adversary perspectives. Each models a different stage of the kill chain, requires different tradecraft, and produces evidence against different compliance controls. Most regulated organisations test all three on an annual cycle; the most common CyberFortify pairing is external + internal in a single combined engagement.

Vantage 01 EX

External network pen test

Internet-attacker simulation

The tester begins at your registered domain and public IP allocation, exactly as a Mandiant-tracked threat actor would. Internet-exposed services are enumerated, edge devices are validated for pre-auth exploitability, and the perimeter is probed for the foothold that turns external recon into internal access.

  • Edge CVE
  • VPN auth bypass
  • Pre-auth RCE
  • Subdomain takeover
  • Mail edge
  • SPF/DMARC
Vantage 02 IN

Internal network pen test

Assumed-breach simulation

The tester starts on the corporate network as a phished employee, a malicious-USB victim or a contractor laptop. Active Directory is the primary target. The objective is to demonstrate the realistic blast radius from a single foothold - which is what defenders are actually defending against in 2026.

  • AD abuse
  • BloodHound
  • Kerberoast
  • NTLM relay
  • ADCS
  • Lateral move
Vantage 03 WI

Wireless penetration testing

Physical-proximity simulation

The tester evaluates the wireless edge from the parking lot, lobby and adjacent floors. WPA2-Enterprise authentication is interrogated, captive-portal flows are probed for bypass, and rogue-AP / evil-twin vectors are tested where authorised - especially the Wi-Fi-to-AD pivot.

  • WPA3
  • EAP relay
  • Captive bypass
  • Rogue AP
  • PMKID
  • Wi-Fi → AD

// 03 The network compromise kill chain

Manual network penetration testing follows a six-stage attack flow that mirrors how real adversaries operate inside enterprise environments. Mature blue teams want to see the full chain - not just where the breach starts, but how a compromised endpoint becomes a domain takeover three hours later. Every CyberFortify network engagement walks this chain end-to-end with explicit evidence at each stage, mapped to the relevant MITRE ATT&CK tactic.

Stage 01 01

Reconnaissance

Passive OSINT, certificate transparency, leaked-credential corpora.

Subdomain enumCT logsHIBP
TA0043 · Recon
Stage 02 02

Initial access

Edge CVE, exposed VPN, valid stolen credentials, mail-edge abuse.

Pre-auth RCEVPN bypassOAuth
TA0001 · Initial Access
Stage 03 03

Credential access

LLMNR/NBT-NS poisoning, NTLM relay, Kerberoasting, SAM/LSASS.

ResponderntlmrelayxRubeus
TA0006 · Credential Access
Stage 04 04

Privilege escalation

ADCS ESC abuse, ACL paths, RBCD, GPO write, kernel exploits.

ESC1-ESC11RBCDACL abuse
TA0004 · Priv Escalation
Stage 05 05

Lateral movement

Pass-the-Hash, Pass-the-Ticket, OverPass, WMI, WinRM, SMB.

PtHPtTWMIWinRM
TA0008 · Lateral Move
Stage 06 06

Domain dominance

DCSync, Golden / Silver tickets, trust abuse, persistence.

DCSyncGolden TGTSID history
TA0003 · Persistence

// 04 Network attack surface in scope

Scope is set during pre-engagement and documented in a signed rules-of-engagement letter. The surfaces below cover what we test on a typical end-to-end engagement; sub-engagements (external-only, AD-only, wireless-only) are scoped accordingly.

N.01 · External

Public IP & edge perimeter

Public IP ranges, edge firewalls, WAFs and reverse-proxy infrastructure. Banner enumeration, version-driven CVE validation, exposed admin services and dangling edge devices.

N.02 · External

VPN & remote access

IPsec, SSL-VPN (Citrix, Fortinet, Pulse, Palo Alto GlobalProtect), WireGuard concentrators. Auth bypass, pre-auth RCE testing, split-tunnel weaknesses, post-VPN segmentation.

N.03 · External

Mail & identity edge

SMTP / IMAP, Microsoft 365, Google Workspace boundary. Conditional Access bypass, OAuth consent abuse, mailbox-rule persistence, illicit MFA registration.

N.04 · External

DNS & mail security

Zone misconfiguration, subdomain takeover, dangling CNAMEs, mail security (SPF / DKIM / DMARC) effectiveness, MX-host hardening.

N.05 · Internal

Active Directory

Enumeration, password policy validation, ACL abuse, ADCS misconfiguration (ESC1-ESC11), Kerberos delegation review, BloodHound attack-path analysis.

N.06 · Internal

Lateral movement & pivoting

SMB relay, Pass-the-Hash, Pass-the-Ticket, OverPass-the-Hash, RBCD, WMI / WinRM execution, golden / silver ticket forging under explicit authorisation.

N.07 · Internal

Network segmentation

Production / corporate / OT / guest / DMZ boundary testing. Required evidence for PCI DSS Requirement 11.4.5 on cardholder-data-environment isolation.

N.08 · Wireless

Wireless infrastructure

WPA2-Enterprise / WPA2-PSK, WPA3-SAE, captive-portal abuse, EAP-relay, rogue-AP testing, evil-twin against managed clients, Wi-Fi-to-AD pivots.

N.09 · Hybrid

Cloud edge & hybrid

VPN-extended Azure subscriptions, AWS Direct Connect, GCP Cloud Interconnect, hybrid identity (Entra Connect / AD FS) - bridges into our cloud penetration testing service.

// 05 Active Directory attack catalogue

Active Directory is the highest-leverage internal target in any Windows-heavy enterprise. The matrix below is the technique catalogue CyberFortify works through on every internal AD engagement, mapped to MITRE ATT&CK technique IDs and grouped by tactic. Severity is judged on impact in a typical enterprise - not theoretical worst-case - and reflects how often each technique results in domain-administrator-equivalent access.

Tactic Recon & Enum
T1087.002
Domain account enum
SharpHound, ldapsearch on default ACLs.
T1018
Trust enumeration
Cross-forest trust mapping & SID-history abuse.
T1069.002
Group membership
Tier-0 / Tier-1 group enumeration via PowerView.
T1615
GPO discovery
SYSVOL trawling for credentials & GPP cpassword.
Tactic Credentials
T1558.003
Kerberoasting
Service-account TGS extraction & offline crack.
T1558.004
AS-REP roasting
DONT_REQ_PREAUTH accounts - offline crack of AS-REP.
T1557.001
NTLM relay
SMB / LDAP relay via ntlmrelayx, no signing required.
T1557.001
LLMNR/NBT-NS poison
Responder + multicast poisoning for hash capture.
Tactic Privilege
T1649
ADCS ESC1-ESC11
Certificate-template misconfig → DA equivalence.
T1078.002
RBCD abuse
Resource-based constrained delegation takeover.
T1222.001
ACL path abuse
GenericAll / GenericWrite / WriteDACL chains.
T1484.001
GPO write
Modify linked GPO → SYSTEM on every host.
Tactic Lateral Move
T1550.002
Pass-the-Hash
NTLM hash reuse via CrackMapExec / impacket.
T1550.003
Pass-the-Ticket
Kerberos TGT/TGS reuse via Rubeus.
T1021.006
WinRM & WMI exec
Remote command execution across the domain.
T1021.002
SMB exec / DCOM
PsExec-style movement & DCOM lateral.
Tactic Domain Dominance
T1003.006
DCSync
krbtgt extraction → full domain credential dump.
T1558.001
Golden ticket
krbtgt-signed TGT for arbitrary user / SID forging.
T1558.002
Silver ticket
Service-account TGS forgery for targeted access.
T1574.005
SID-history abuse
Cross-forest privilege via SID injection.
Critical · domain-equivalent risk High · privilege chain Medium · enumeration / staging

// 06 Network segmentation testing for PCI DSS 11.4.5

Segmentation testing is a distinct discipline within network penetration testing and the most common reason a QSA returns a finding to remediation. PCI DSS Requirement 11.4.5 mandates that, where segmentation is used to reduce the scope of the cardholder data environment (CDE), it must be tested to confirm that out-of-scope networks have no reachable path into scope. The zone model below is what CyberFortify exercises on a typical CDE engagement.

Zone 01
Public internet
External attacker source. Must be unable to reach any CDE asset directly.
Edge enum + RCE
↓ FW + WAF + reverse proxy
Zone 02
DMZ
Public-facing web tier. Permitted limited egress to internal app tier; no direct CDE path.
Hop validation
↓ Internal firewall + ACLs
Zone 03
Corporate / user LAN
Workstations & user identity. Highest source of breach precursors. Must NOT reach CDE.
PCI 11.4.5
↓ Microsegmentation (VLAN / SDN / firewall)
Zone 04
Cardholder data environment
PAN storage, processing & transmission. Tested for east-west isolation from corp/dev.
CDE in-scope
↓ Air-gap or strict ACL
Zone 05
OT / ICS or admin tier
Out-of-scope sensitive networks. Tested for inadvertent exposure from breach scenarios.
Out-of-band

Each transition is exercised in both directions. Failed isolation is documented with the specific packet flow that succeeded (source IP, destination IP, port, protocol), the firewall rule or misconfigured ACL responsible, and the exact PCI DSS sub-requirement (11.4.1 through 11.4.7) it violates. The output is the segmentation evidence pack your QSA accepts directly.

// 07 CyberFortify's network pen testing methodology

Every engagement follows a documented seven-phase methodology grounded in the Penetration Testing Execution Standard (PTES), NIST SP 800-115 and aligned with the relevant tactics of the MITRE ATT&CK framework. The phases are reproducible, audit-defensible and produce evidence your security team can use long after the engagement ends.

01

Pre-engagement & rules of engagement

Targets, in-scope IP ranges, exclusions, test windows, emergency contacts and escalation paths agreed in writing.

Authorisation letter
02

Reconnaissance

Passive (OSINT, certificate transparency, breached-credential corpora, GitHub leaks) and active (subdomain enumeration, rate-limited port scanning, banner grabbing).

Passive + active
03

Threat modelling

Mapping of crown-jewel data, high-value identities, critical services and likely adversary objectives. Test plan tied to MITRE ATT&CK tactics most relevant to your business.

ATT&CK aligned
04

Vulnerability identification

Manual testing combined with carefully tuned automation. False-positive elimination is a deliberate, documented step - not an afterthought.

Hand validated
05

Exploitation & lateral movement

Confirmed weaknesses are exploited under controlled conditions, chained where possible, with post-exploitation activity documented without impact to production stability.

Controlled exploit
06

Reporting

Executive summary, detailed technical report with CVSS scoring, evidence and remediation guidance - ready for engineering tickets and audit binders alike.

Audit-ready
07

Free remediation retest

Once your team ships fixes, every closed finding is revalidated and an updated attestation report is issued at no additional cost.

Included

// 08 Common findings from recent engagements

The findings below are anonymised, severity-coded snapshots from recent CyberFortify network penetration testing engagements. They illustrate the gap between automated scanner output and what manual testers actually find in production-grade enterprise environments.

Critical T1649 · ADCS CVSS 9.8

Domain takeover via ADCS ESC1 misconfiguration

Certify.exe req /ca:CORP-CA /template:VulnTemplate /altname:Administrator

An issued certificate template allowed any authenticated user to request a certificate with an arbitrary subjectAltName, including the domain administrator. The tester moved from low-priv user → DA in 14 minutes via Certify + Rubeus.

Critical T1557.001 · NTLM Relay CVSS 9.0

NTLM relay → ADCS web enrolment → DA

ntlmrelayx.py -t http://CA/certsrv -smb2support --adcs --template DomainController

SMB signing was unenforced on a domain controller. A coerced authentication via PetitPotam was relayed to the ADCS web-enrolment endpoint, returning a DC certificate that authenticated as the DC.

High T1558.003 · Kerberoast CVSS 8.1

Service-account compromise via crackable SPN

Rubeus kerberoast → hashcat -m 13100

A service account with SPN registered, password set in 2018 and never rotated, cracked offline in 4 minutes. The account had local-admin rights on 320 servers via legacy GPO.

High T1078 · VPN Bypass CVSS 8.6

SSL-VPN auth bypass via leaked cookie scope

GET /remote/login?lang=en + crafted cookie

An unpatched edge VPN appliance accepted session cookies issued to a lower-trust portal. The tester gained internal network access from the public internet without credentials.

High PCI 11.4.5 · Segmentation CVSS 7.5

Corporate-to-CDE reachable via misconfigured VLAN ACL

tcp/3389 from 10.5.0.0/16 → 10.20.10.0/24 (CDE)

A "temporary" RDP rule from a Q4 deployment had not been removed. From a corporate workstation, the tester reached a CDE jump host directly, voiding segmentation.

Medium T1557.001 · LLMNR CVSS 6.1

LLMNR poisoning → NetNTLMv2 hash capture

Responder -I eth0 -wd

LLMNR and NBT-NS were enabled across the corporate VLAN. Within 90 minutes Responder captured 47 unique hashes, of which 3 cracked offline yielding low-priv shells.

// 09 When to commission a network penetration test

The triggers below are the moments where CyberFortify customers most often commission a network penetration test. The headline driver is PCI DSS 11.4 annual + after-significant-change cadence; product, M&A and incident triggers stack on top.

01 Compliance trigger

Annual PCI / ISO / SOC 2 cycle

PCI DSS v4.0 Req. 11.4 (annual + after significant change), ISO 27001 A.8.29, HIPAA 164.308(a)(8) and SOC 2 CC7.1 all expect a current-year network pen test in your audit binder.

02 Infrastructure trigger

AD migration or cloud cut-over

Tenant-to-tenant migrations, on-prem-to-Entra ID cut-over, hybrid identity rollouts, replacement of edge VPN appliances. Test before the trust boundary becomes load-bearing.

03 Office trigger

New office or data-centre

A new physical site introduces new wireless infrastructure, edge connectivity and segmentation boundaries. Test before users arrive - and again 30 days after, when configuration drift sets in.

04 M&A trigger

Pre-acquisition diligence

Buy-side diligence on a target company. Network pen test in the diligence window surfaces AD security debt that materially affects integration cost and ransomware-blast-radius post-close.

05 Incident trigger

Post-incident assurance

After ransomware containment, BEC compromise, or a near-miss intrusion. A fresh internal pen test validates that AD persistence and trust-relationship abuse paths are fully remediated.

06 Sales trigger

Cyber-insurance renewal

Insurance underwriters increasingly require evidence of a current-year network penetration test, with explicit AD hardening and segmentation findings, before binding or renewing cover.

// 10 Network pen test vs vulnerability scan vs Nmap report

The matrix below compares manual network penetration testing against the three most common automated alternatives. The verdict customers reach: keep continuous vulnerability scanning running for breadth, run a CyberFortify manual network pen test annually (and on major change) for depth and audit evidence.

CapabilityManual network pen testVulnerability scanNmap / port scanAuto AD audit
Lateral movement chainsYesNoNoNo
Active Directory abuse pathsYesNoNoPartial
ADCS ESC1-ESC11 testingYesNoNoDetect-only
Segmentation evidence (PCI 11.4.5)YesNoPartialNo
False-positive rate<1%HighN/AMedium
PCI 11.4 / ISO A.8.29 evidenceSatisfiesNoNoNo
CadenceAnnual / on changeContinuousContinuousContinuous

// 11 Engagement timeline week by week

Combined external + internal + AD engagements typically span four to five weeks end-to-end. The timeline below covers the most common configuration; external-only or AD-only engagements compress accordingly.

01 Week one · Pre-engagement

Scoping & ROE

  • 30-min scoping call
  • Fixed quote within 48h
  • Rules-of-engagement letter
  • Test IPs, exclusions agreed
  • Assumed-breach account staged
02 Week two · External

External recon & perimeter

  • OSINT & passive recon
  • Perimeter port scan
  • Edge CVE validation
  • VPN / mail edge testing
  • Subdomain takeover sweep
03 Week three · Internal

AD attack-path execution

  • BloodHound collection
  • Kerberoast & AS-REP
  • NTLM relay paths
  • ADCS ESC validation
  • Lateral movement chain
04 Week four · Reporting

Reports & remediation

  • Executive summary
  • Technical findings report
  • Segmentation evidence pack
  • Walkthrough with blue team
  • Free retest scheduled

// 12 Tooling and offensive tradecraft

Tooling alone does not make a penetration test - tester judgement does. CyberFortify's engineers combine industry-standard offensive tooling, custom internal scripts developed across hundreds of engagements, and selectively tuned automation.

Recon & discoverynmap · masscan · rustscan · amass · httpx
Active DirectoryBloodHound · SharpHound · Certify · Rubeus · impacket
Lateral movementCrackMapExec · NetExec · Responder · Mythic / Sliver C2
Wi-Fi & physicalaircrack-ng · hcxdumptool · eaphammer · bettercap
ExploitationMetasploit (selectively) · custom Python · CVE research
ReportingPlexTrac · CyberFortify report template · CVSS v3.1 calculator

// 13 Compliance standards mapping

Network pen testing reports from CyberFortify map every finding to recognised industry standards so your audit cycle is faster and your assessor receives the references they expect.

StandardReferenceUsed for
PCI DSS v4.0Requirements 11.4.1 - 11.4.7, 1.2, 1.3Cardholder data environment segmentation evidence
ISO 27001:2022Annex A.8.20, A.8.21, A.8.22, A.8.29Network security & segregation evidence
NIST CSF 2.0PR.AC-5, DE.CM-1, RS.AN-2Boundary defence & detection capability
SOC 2CC6.1, CC6.6, CC7.1Logical access & security event detection
MITRE ATT&CKTA0001 / TA0006 / TA0008 / TA0003Adversary technique mapping
HIPAA Security Rule164.308(a)(8) evaluationePHI environments
NIST SP 800-115Technical guide methodologyFederal & FedRAMP-adjacent contexts

// 14 Why CyberFortify for network penetration testing

Generic vendor scan-and-report

Nmap output and a Nessus dump rebadged as a "pen test". No lateral movement. No Active Directory tradecraft. No segmentation evidence. Reports rejected as audit evidence.

CyberFortify manual network pen testing

Real lateral movement, real AD abuse, real exploit chains. Findings hand-validated. Segmentation evidence ready for QSAs. Reports drop into your auditor's working paper. Free remediation retest.

Most CyberFortify network engagements are bundled with a follow-on API security assessment or a full-scope red team adversary simulation - depending on the threat model and the question your buyers and auditors are asking.

// 15 Frequently asked questions

How long does a network penetration test take?

A typical CyberFortify network penetration test runs five to fifteen business days of active testing depending on scope - external alone, internal alone, or combined external + internal + Active Directory. Larger multi-domain forests sit at the upper end. Total elapsed time including scoping, reporting and remediation retest is typically four to six weeks.

What is the difference between external and internal network penetration testing?

External network pen testing simulates an attacker on the public internet who only knows your domain name. Internal pen testing assumes the attacker is already inside the corporate network - through phishing, a malicious USB drop, or a compromised laptop - and focuses on Active Directory, lateral movement and segmentation. Most regulated organisations test both.

What is Active Directory penetration testing?

Active Directory penetration testing is a focused subset of internal network testing that targets the AD environment specifically - domain controllers, GPOs, ACLs, ADCS, Kerberos delegation and trust relationships. Common techniques include Kerberoasting, AS-REP roasting, NTLM relay, DCSync, ADCS ESC1-ESC11 abuse, BloodHound attack-path analysis and Pass-the-Hash / Pass-the-Ticket lateral movement.

Does this satisfy PCI DSS Requirement 11.4?

Yes. PCI DSS v4.0 Requirement 11.4 mandates external and internal penetration testing of the cardholder data environment annually and after any significant change. Requirement 11.4.5 specifically requires segmentation testing. CyberFortify network pen test reports include the segmentation evidence pack, methodology statement and findings format that QSAs accept directly.

What is the difference between vulnerability scanning and network pen testing?

A vulnerability scan is automation: a tool enumerates known CVEs in software versions and emits a report. A network penetration test is human-led offensive engineering - chaining weaknesses into exploit paths, abusing trust relationships scanners cannot model, and demonstrating real impact. PCI DSS, ISO 27001 and SOC 2 evidence requirements explicitly require penetration testing, not scanning.

Will the test impact production?

CyberFortify's methodology prioritises non-destructive validation. We coordinate testing windows, exclude denial-of-service techniques unless explicitly scoped, and use authenticated assumed-breach accounts where appropriate. Production-impacting techniques (DCSync, intrusive deserialisation gadgets) require explicit written authorisation in the rules-of-engagement document.

Do you do red teaming as part of network testing?

Sometimes. Our red team service is a separate, goal-based offering that combines network pen testing tradecraft with phishing, physical entry, custom malware and full MITRE ATT&CK adversary simulation. We will recommend the right model in scoping.

How is reporting structured?

Every engagement closes with five deliverables: an executive summary, a detailed technical report (CVSS-scored, evidence-backed), a remediation playbook (Jira-ready), a compliance evidence pack and a free remediation retest attestation letter.

Do you test wireless networks?

Yes - wireless penetration testing is a distinct vantage point in our scope. CyberFortify tests WPA2 / WPA3 (PSK and Enterprise), captive-portal flows, EAP relay, rogue-AP / evil-twin scenarios and the Wi-Fi-to-AD pivot. Wireless tests are typically performed on-site over a one-to-three-day testing window.

Can you test from on-prem, or only remotely?

Both. Most external testing is performed remotely from CyberFortify's secure testing environment. Internal and wireless testing is performed either on-site or via a dedicated tester VPN tunnel into your environment, depending on what your security team prefers.

Ready for a manual network pen test?

Schedule a free 30-minute scoping call. CyberFortify's offensive security team will recommend a model and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →