CyberFortify's network penetration testing services simulate real-world attacker tradecraft against three vantage points - the external internet perimeter, the internal corporate network and the wireless edge. Every engagement covers Active Directory abuse, lateral movement, segmentation testing and PCI DSS Requirement 11.4 evidence. Reports map to MITRE ATT&CK tactics and the Penetration Testing Execution Standard, with NIST SP 800-115 grounding and a free remediation retest at the end.
// 01 What network penetration testing actually is
A controlled, manual simulation of an attacker against the network infrastructure that connects your business - firewalls, edge routers, VPN concentrators, Active Directory domains, jump boxes, internal subnets, segmentation boundaries, Wi-Fi access points and the internet-exposed services that face every adversary.
Three distinct vantage points get tested. External (public-internet attacker), internal (already inside the corporate network) and assumed-breach (low-privilege starting credentials in hand). Each models a different stage of the attacker kill chain.
The discipline predates application security testing by a decade and remains one of the most consequential offensive exercises any organisation can run - because the blast radius of a network compromise is almost never limited to a single application. A modern network penetration test validates not just the perimeter but the assumptions a defender makes about how trust flows once an attacker is inside the wire.
CyberFortify's engineers have delivered network engagements against environments ranging from twenty-host startup networks to multi-domain Active Directory forests with tens of thousands of endpoints. Every engagement is led by senior offensive engineers with current OSCP / OSEP / CRTO certifications. Automation supports the lead tester - it never replaces them.
// 02 Three vantage points: external, internal and wireless
The phrase network penetration testing covers three distinct adversary perspectives. Each models a different stage of the kill chain, requires different tradecraft, and produces evidence against different compliance controls. Most regulated organisations test all three on an annual cycle; the most common CyberFortify pairing is external + internal in a single combined engagement.
External network pen test
Internet-attacker simulationThe tester begins at your registered domain and public IP allocation, exactly as a Mandiant-tracked threat actor would. Internet-exposed services are enumerated, edge devices are validated for pre-auth exploitability, and the perimeter is probed for the foothold that turns external recon into internal access.
- Edge CVE
- VPN auth bypass
- Pre-auth RCE
- Subdomain takeover
- Mail edge
- SPF/DMARC
Internal network pen test
Assumed-breach simulationThe tester starts on the corporate network as a phished employee, a malicious-USB victim or a contractor laptop. Active Directory is the primary target. The objective is to demonstrate the realistic blast radius from a single foothold - which is what defenders are actually defending against in 2026.
- AD abuse
- BloodHound
- Kerberoast
- NTLM relay
- ADCS
- Lateral move
Wireless penetration testing
Physical-proximity simulationThe tester evaluates the wireless edge from the parking lot, lobby and adjacent floors. WPA2-Enterprise authentication is interrogated, captive-portal flows are probed for bypass, and rogue-AP / evil-twin vectors are tested where authorised - especially the Wi-Fi-to-AD pivot.
- WPA3
- EAP relay
- Captive bypass
- Rogue AP
- PMKID
- Wi-Fi → AD
// 03 The network compromise kill chain
Manual network penetration testing follows a six-stage attack flow that mirrors how real adversaries operate inside enterprise environments. Mature blue teams want to see the full chain - not just where the breach starts, but how a compromised endpoint becomes a domain takeover three hours later. Every CyberFortify network engagement walks this chain end-to-end with explicit evidence at each stage, mapped to the relevant MITRE ATT&CK tactic.
Reconnaissance
Passive OSINT, certificate transparency, leaked-credential corpora.
Initial access
Edge CVE, exposed VPN, valid stolen credentials, mail-edge abuse.
Credential access
LLMNR/NBT-NS poisoning, NTLM relay, Kerberoasting, SAM/LSASS.
Privilege escalation
ADCS ESC abuse, ACL paths, RBCD, GPO write, kernel exploits.
Lateral movement
Pass-the-Hash, Pass-the-Ticket, OverPass, WMI, WinRM, SMB.
Domain dominance
DCSync, Golden / Silver tickets, trust abuse, persistence.
// 04 Network attack surface in scope
Scope is set during pre-engagement and documented in a signed rules-of-engagement letter. The surfaces below cover what we test on a typical end-to-end engagement; sub-engagements (external-only, AD-only, wireless-only) are scoped accordingly.
Public IP & edge perimeter
Public IP ranges, edge firewalls, WAFs and reverse-proxy infrastructure. Banner enumeration, version-driven CVE validation, exposed admin services and dangling edge devices.
VPN & remote access
IPsec, SSL-VPN (Citrix, Fortinet, Pulse, Palo Alto GlobalProtect), WireGuard concentrators. Auth bypass, pre-auth RCE testing, split-tunnel weaknesses, post-VPN segmentation.
Mail & identity edge
SMTP / IMAP, Microsoft 365, Google Workspace boundary. Conditional Access bypass, OAuth consent abuse, mailbox-rule persistence, illicit MFA registration.
DNS & mail security
Zone misconfiguration, subdomain takeover, dangling CNAMEs, mail security (SPF / DKIM / DMARC) effectiveness, MX-host hardening.
Active Directory
Enumeration, password policy validation, ACL abuse, ADCS misconfiguration (ESC1-ESC11), Kerberos delegation review, BloodHound attack-path analysis.
Lateral movement & pivoting
SMB relay, Pass-the-Hash, Pass-the-Ticket, OverPass-the-Hash, RBCD, WMI / WinRM execution, golden / silver ticket forging under explicit authorisation.
Network segmentation
Production / corporate / OT / guest / DMZ boundary testing. Required evidence for PCI DSS Requirement 11.4.5 on cardholder-data-environment isolation.
Wireless infrastructure
WPA2-Enterprise / WPA2-PSK, WPA3-SAE, captive-portal abuse, EAP-relay, rogue-AP testing, evil-twin against managed clients, Wi-Fi-to-AD pivots.
Cloud edge & hybrid
VPN-extended Azure subscriptions, AWS Direct Connect, GCP Cloud Interconnect, hybrid identity (Entra Connect / AD FS) - bridges into our cloud penetration testing service.
// 05 Active Directory attack catalogue
Active Directory is the highest-leverage internal target in any Windows-heavy enterprise. The matrix below is the technique catalogue CyberFortify works through on every internal AD engagement, mapped to MITRE ATT&CK technique IDs and grouped by tactic. Severity is judged on impact in a typical enterprise - not theoretical worst-case - and reflects how often each technique results in domain-administrator-equivalent access.
Domain account enum
SharpHound, ldapsearch on default ACLs.Trust enumeration
Cross-forest trust mapping & SID-history abuse.Group membership
Tier-0 / Tier-1 group enumeration via PowerView.GPO discovery
SYSVOL trawling for credentials & GPP cpassword.Kerberoasting
Service-account TGS extraction & offline crack.AS-REP roasting
DONT_REQ_PREAUTH accounts - offline crack of AS-REP.NTLM relay
SMB / LDAP relay via ntlmrelayx, no signing required.LLMNR/NBT-NS poison
Responder + multicast poisoning for hash capture.ADCS ESC1-ESC11
Certificate-template misconfig → DA equivalence.RBCD abuse
Resource-based constrained delegation takeover.ACL path abuse
GenericAll / GenericWrite / WriteDACL chains.GPO write
Modify linked GPO → SYSTEM on every host.Pass-the-Hash
NTLM hash reuse via CrackMapExec / impacket.Pass-the-Ticket
Kerberos TGT/TGS reuse via Rubeus.WinRM & WMI exec
Remote command execution across the domain.SMB exec / DCOM
PsExec-style movement & DCOM lateral.DCSync
krbtgt extraction → full domain credential dump.Golden ticket
krbtgt-signed TGT for arbitrary user / SID forging.Silver ticket
Service-account TGS forgery for targeted access.SID-history abuse
Cross-forest privilege via SID injection.// 06 Network segmentation testing for PCI DSS 11.4.5
Segmentation testing is a distinct discipline within network penetration testing and the most common reason a QSA returns a finding to remediation. PCI DSS Requirement 11.4.5 mandates that, where segmentation is used to reduce the scope of the cardholder data environment (CDE), it must be tested to confirm that out-of-scope networks have no reachable path into scope. The zone model below is what CyberFortify exercises on a typical CDE engagement.
Each transition is exercised in both directions. Failed isolation is documented with the specific packet flow that succeeded (source IP, destination IP, port, protocol), the firewall rule or misconfigured ACL responsible, and the exact PCI DSS sub-requirement (11.4.1 through 11.4.7) it violates. The output is the segmentation evidence pack your QSA accepts directly.
// 07 CyberFortify's network pen testing methodology
Every engagement follows a documented seven-phase methodology grounded in the Penetration Testing Execution Standard (PTES), NIST SP 800-115 and aligned with the relevant tactics of the MITRE ATT&CK framework. The phases are reproducible, audit-defensible and produce evidence your security team can use long after the engagement ends.
Pre-engagement & rules of engagement
Targets, in-scope IP ranges, exclusions, test windows, emergency contacts and escalation paths agreed in writing.
Authorisation letterReconnaissance
Passive (OSINT, certificate transparency, breached-credential corpora, GitHub leaks) and active (subdomain enumeration, rate-limited port scanning, banner grabbing).
Passive + activeThreat modelling
Mapping of crown-jewel data, high-value identities, critical services and likely adversary objectives. Test plan tied to MITRE ATT&CK tactics most relevant to your business.
ATT&CK alignedVulnerability identification
Manual testing combined with carefully tuned automation. False-positive elimination is a deliberate, documented step - not an afterthought.
Hand validatedExploitation & lateral movement
Confirmed weaknesses are exploited under controlled conditions, chained where possible, with post-exploitation activity documented without impact to production stability.
Controlled exploitReporting
Executive summary, detailed technical report with CVSS scoring, evidence and remediation guidance - ready for engineering tickets and audit binders alike.
Audit-readyFree remediation retest
Once your team ships fixes, every closed finding is revalidated and an updated attestation report is issued at no additional cost.
Included// 08 Common findings from recent engagements
The findings below are anonymised, severity-coded snapshots from recent CyberFortify network penetration testing engagements. They illustrate the gap between automated scanner output and what manual testers actually find in production-grade enterprise environments.
Domain takeover via ADCS ESC1 misconfiguration
An issued certificate template allowed any authenticated user to request a certificate with an arbitrary subjectAltName, including the domain administrator. The tester moved from low-priv user → DA in 14 minutes via Certify + Rubeus.
NTLM relay → ADCS web enrolment → DA
SMB signing was unenforced on a domain controller. A coerced authentication via PetitPotam was relayed to the ADCS web-enrolment endpoint, returning a DC certificate that authenticated as the DC.
Service-account compromise via crackable SPN
A service account with SPN registered, password set in 2018 and never rotated, cracked offline in 4 minutes. The account had local-admin rights on 320 servers via legacy GPO.
SSL-VPN auth bypass via leaked cookie scope
An unpatched edge VPN appliance accepted session cookies issued to a lower-trust portal. The tester gained internal network access from the public internet without credentials.
Corporate-to-CDE reachable via misconfigured VLAN ACL
A "temporary" RDP rule from a Q4 deployment had not been removed. From a corporate workstation, the tester reached a CDE jump host directly, voiding segmentation.
LLMNR poisoning → NetNTLMv2 hash capture
LLMNR and NBT-NS were enabled across the corporate VLAN. Within 90 minutes Responder captured 47 unique hashes, of which 3 cracked offline yielding low-priv shells.
// 09 When to commission a network penetration test
The triggers below are the moments where CyberFortify customers most often commission a network penetration test. The headline driver is PCI DSS 11.4 annual + after-significant-change cadence; product, M&A and incident triggers stack on top.
Annual PCI / ISO / SOC 2 cycle
PCI DSS v4.0 Req. 11.4 (annual + after significant change), ISO 27001 A.8.29, HIPAA 164.308(a)(8) and SOC 2 CC7.1 all expect a current-year network pen test in your audit binder.
AD migration or cloud cut-over
Tenant-to-tenant migrations, on-prem-to-Entra ID cut-over, hybrid identity rollouts, replacement of edge VPN appliances. Test before the trust boundary becomes load-bearing.
New office or data-centre
A new physical site introduces new wireless infrastructure, edge connectivity and segmentation boundaries. Test before users arrive - and again 30 days after, when configuration drift sets in.
Pre-acquisition diligence
Buy-side diligence on a target company. Network pen test in the diligence window surfaces AD security debt that materially affects integration cost and ransomware-blast-radius post-close.
Post-incident assurance
After ransomware containment, BEC compromise, or a near-miss intrusion. A fresh internal pen test validates that AD persistence and trust-relationship abuse paths are fully remediated.
Cyber-insurance renewal
Insurance underwriters increasingly require evidence of a current-year network penetration test, with explicit AD hardening and segmentation findings, before binding or renewing cover.
// 10 Network pen test vs vulnerability scan vs Nmap report
The matrix below compares manual network penetration testing against the three most common automated alternatives. The verdict customers reach: keep continuous vulnerability scanning running for breadth, run a CyberFortify manual network pen test annually (and on major change) for depth and audit evidence.
| Capability | Manual network pen test | Vulnerability scan | Nmap / port scan | Auto AD audit |
|---|---|---|---|---|
| Lateral movement chains | Yes | No | No | No |
| Active Directory abuse paths | Yes | No | No | Partial |
| ADCS ESC1-ESC11 testing | Yes | No | No | Detect-only |
| Segmentation evidence (PCI 11.4.5) | Yes | No | Partial | No |
| False-positive rate | <1% | High | N/A | Medium |
| PCI 11.4 / ISO A.8.29 evidence | Satisfies | No | No | No |
| Cadence | Annual / on change | Continuous | Continuous | Continuous |
// 11 Engagement timeline week by week
Combined external + internal + AD engagements typically span four to five weeks end-to-end. The timeline below covers the most common configuration; external-only or AD-only engagements compress accordingly.
Scoping & ROE
- 30-min scoping call
- Fixed quote within 48h
- Rules-of-engagement letter
- Test IPs, exclusions agreed
- Assumed-breach account staged
External recon & perimeter
- OSINT & passive recon
- Perimeter port scan
- Edge CVE validation
- VPN / mail edge testing
- Subdomain takeover sweep
AD attack-path execution
- BloodHound collection
- Kerberoast & AS-REP
- NTLM relay paths
- ADCS ESC validation
- Lateral movement chain
Reports & remediation
- Executive summary
- Technical findings report
- Segmentation evidence pack
- Walkthrough with blue team
- Free retest scheduled
// 12 Tooling and offensive tradecraft
Tooling alone does not make a penetration test - tester judgement does. CyberFortify's engineers combine industry-standard offensive tooling, custom internal scripts developed across hundreds of engagements, and selectively tuned automation.
// 13 Compliance standards mapping
Network pen testing reports from CyberFortify map every finding to recognised industry standards so your audit cycle is faster and your assessor receives the references they expect.
| Standard | Reference | Used for |
|---|---|---|
| PCI DSS v4.0 | Requirements 11.4.1 - 11.4.7, 1.2, 1.3 | Cardholder data environment segmentation evidence |
| ISO 27001:2022 | Annex A.8.20, A.8.21, A.8.22, A.8.29 | Network security & segregation evidence |
| NIST CSF 2.0 | PR.AC-5, DE.CM-1, RS.AN-2 | Boundary defence & detection capability |
| SOC 2 | CC6.1, CC6.6, CC7.1 | Logical access & security event detection |
| MITRE ATT&CK | TA0001 / TA0006 / TA0008 / TA0003 | Adversary technique mapping |
| HIPAA Security Rule | 164.308(a)(8) evaluation | ePHI environments |
| NIST SP 800-115 | Technical guide methodology | Federal & FedRAMP-adjacent contexts |
// 14 Why CyberFortify for network penetration testing
Generic vendor scan-and-report
Nmap output and a Nessus dump rebadged as a "pen test". No lateral movement. No Active Directory tradecraft. No segmentation evidence. Reports rejected as audit evidence.
CyberFortify manual network pen testing
Real lateral movement, real AD abuse, real exploit chains. Findings hand-validated. Segmentation evidence ready for QSAs. Reports drop into your auditor's working paper. Free remediation retest.
Most CyberFortify network engagements are bundled with a follow-on API security assessment or a full-scope red team adversary simulation - depending on the threat model and the question your buyers and auditors are asking.
// 15 Frequently asked questions
How long does a network penetration test take?
A typical CyberFortify network penetration test runs five to fifteen business days of active testing depending on scope - external alone, internal alone, or combined external + internal + Active Directory. Larger multi-domain forests sit at the upper end. Total elapsed time including scoping, reporting and remediation retest is typically four to six weeks.
What is the difference between external and internal network penetration testing?
External network pen testing simulates an attacker on the public internet who only knows your domain name. Internal pen testing assumes the attacker is already inside the corporate network - through phishing, a malicious USB drop, or a compromised laptop - and focuses on Active Directory, lateral movement and segmentation. Most regulated organisations test both.
What is Active Directory penetration testing?
Active Directory penetration testing is a focused subset of internal network testing that targets the AD environment specifically - domain controllers, GPOs, ACLs, ADCS, Kerberos delegation and trust relationships. Common techniques include Kerberoasting, AS-REP roasting, NTLM relay, DCSync, ADCS ESC1-ESC11 abuse, BloodHound attack-path analysis and Pass-the-Hash / Pass-the-Ticket lateral movement.
Does this satisfy PCI DSS Requirement 11.4?
Yes. PCI DSS v4.0 Requirement 11.4 mandates external and internal penetration testing of the cardholder data environment annually and after any significant change. Requirement 11.4.5 specifically requires segmentation testing. CyberFortify network pen test reports include the segmentation evidence pack, methodology statement and findings format that QSAs accept directly.
What is the difference between vulnerability scanning and network pen testing?
A vulnerability scan is automation: a tool enumerates known CVEs in software versions and emits a report. A network penetration test is human-led offensive engineering - chaining weaknesses into exploit paths, abusing trust relationships scanners cannot model, and demonstrating real impact. PCI DSS, ISO 27001 and SOC 2 evidence requirements explicitly require penetration testing, not scanning.
Will the test impact production?
CyberFortify's methodology prioritises non-destructive validation. We coordinate testing windows, exclude denial-of-service techniques unless explicitly scoped, and use authenticated assumed-breach accounts where appropriate. Production-impacting techniques (DCSync, intrusive deserialisation gadgets) require explicit written authorisation in the rules-of-engagement document.
Do you do red teaming as part of network testing?
Sometimes. Our red team service is a separate, goal-based offering that combines network pen testing tradecraft with phishing, physical entry, custom malware and full MITRE ATT&CK adversary simulation. We will recommend the right model in scoping.
How is reporting structured?
Every engagement closes with five deliverables: an executive summary, a detailed technical report (CVSS-scored, evidence-backed), a remediation playbook (Jira-ready), a compliance evidence pack and a free remediation retest attestation letter.
Do you test wireless networks?
Yes - wireless penetration testing is a distinct vantage point in our scope. CyberFortify tests WPA2 / WPA3 (PSK and Enterprise), captive-portal flows, EAP relay, rogue-AP / evil-twin scenarios and the Wi-Fi-to-AD pivot. Wireless tests are typically performed on-site over a one-to-three-day testing window.
Can you test from on-prem, or only remotely?
Both. Most external testing is performed remotely from CyberFortify's secure testing environment. Internal and wireless testing is performed either on-site or via a dedicated tester VPN tunnel into your environment, depending on what your security team prefers.