From the perimeter to Domain Admin
External and internal network testing, Active Directory takeover paths, segmentation validation — the kind of test that lands in the board report.
Who is it for?
- Enterprises with on-prem infrastructure
- Organisations with Active Directory
- Companies with hybrid environments
- Manufacturing and OT-adjacent networks
- NIS2 essential and important entities
Outcomes
External attack surface map
Every exposed asset, port, service and version — catalogued and prioritised.
Active Directory takeover paths
Kerberoasting, AS-REP, unconstrained delegation, ACL abuse, GPO exploitation — the BloodHound report you need.
Segmentation validation
We verify that VLANs, DMZ and zero-trust zones actually contain an attacker.
Patching & hardening gaps
Missing patches, default credentials, weak protocols (SMBv1, NTLMv1, LLMNR).
Lateral movement story
We chain the findings into a realistic attack story — from one foothold to Domain Admin.
Free retest
One free retest within 30 days — verifies fixes and updates the final report.
PTES + manual exploitation
- 01
Scoping
IP ranges, domains, Active Directory forests, exclusions, test windows — documented Rules of Engagement.
- 02
Reconnaissance
Asset discovery, service fingerprinting, OSINT for external, network mapping for internal.
- 03
Exploitation & post-exploitation
Privilege escalation, lateral movement, credential dumping, persistence (staged, never destructive).
- 04
Report & retest
Executive + technical report in 5 business days. Free retest within 30 days.
Frequently asked questions
External, internal, or both?
Do you need an on-site visit for internal testing?
Will this disrupt our network?
How long does it take?
NIS2 / DORA evidence?
Scope your network pentest
Share the scope and we will come back with a plan, timeline and price within one business day.