Internal & External Network Penetration Testing
Two halves of the same question — what does the internet see, and what happens once an attacker is inside. We test both, end-to-end, with MITRE ATT&CK-mapped reporting and a free retest after remediation.
External network penetration testing
We attack your perimeter the way an outside threat actor would. Asset discovery and attack surface mapping across your owned IP space — DNS records, certificate transparency logs, subdomain enumeration, exposed cloud assets, and forgotten dev environments. Service fingerprinting on every exposed port, version detection, and identification of known exploits.
Probing the edge: certificate hygiene (expired certs, weak ciphers, missing SANs, certificate transparency leakage), exposed admin interfaces, default credentials, password-spray-friendly login portals (Outlook Web Access, Citrix, VPN, RDP gateways), and any exploitable misconfiguration in cloud-fronted services. Findings are validated by hand — no false-positive scanner spam in the report.
Internal network pentest — assumed compromise
The assumed-compromise model starts where most real incidents are an hour in: a low-privilege user account, a foothold device on the corporate VLAN, or a compromised workstation. From there we test the defenses that actually matter — lateral movement, privilege escalation, and identity attacks.
Active Directory / identity attacks: Kerberoasting and AS-REP roasting, password spraying with rate-limit evasion, LLMNR / NBT-NS poisoning with Responder, NTLM relay attacks via ntlmrelayx, Kerberos delegation abuse (unconstrained, constrained, RBCD), ADCS exploitation across the documented ESC patterns, BloodHound path analysis to map every route to Domain Admin. Privilege escalation paths across Windows endpoints (UAC bypass, token impersonation, service abuse, GPO weaponization) and lateral movement via WinRM, SMB, RDP, and WMI.
Wireless assessments
Where in scope: corporate WPA2/WPA3-Enterprise authentication attacks (PEAP/EAP weaknesses, hostapd-wpe, certificate validation issues), guest network isolation testing, BYOD segmentation, rogue access point detection, and physical RF coverage assessment. On-site engagements are straightforward to schedule for Atlanta and Georgia clients; remote audits are possible with shipped hardware for distributed offices.
Deliverables & methodology
- Scoping call + rules of engagement letter signed before any traffic moves
- Phased engagement: reconnaissance → initial probe → exploitation → post-exploitation → lateral movement → privilege escalation
- Executive summary (1-2 pages, board-ready) plus full technical attack narrative
- Every technique mapped to MITRE ATT&CK technique IDs for your detection team
- Proof-of-compromise screenshots, command logs, and timestamped evidence per finding
- Prioritized remediation roadmap ordered by exploitability, not just CVSS
- Debrief call with security and engineering leads
- Free 60-day retest after critical remediation
- Letter of attestation for SOC 2 CC4.1, PCI DSS 11.4, HIPAA, cyber-insurance
Reference engagement
See our Active Directory pentest case study for the full assumed-compromise attack chain from standard domain user to Domain Admin — Kerberoasting, ADCS abuse, lateral movement via SMB, and full MITRE ATT&CK mapping. This is the reporting style and engagement depth you should expect.
Network pentest engagements served from Macon, GA, with clients across Atlanta, Savannah, Augusta, GA, and nationwide. For full pentest program coverage including web apps and wireless, see our penetration testing services.
FAQs
What's the difference between external and internal network pentesting?
External pentests attack from the internet — what an unauthenticated outsider sees and can exploit at your perimeter. Internal pentests assume a foothold is already inside (a compromised user, a malicious insider, a rogue device on the corporate VLAN) and measure how far that foothold can spread. Most real breaches involve both, so most clients scope both.
What does 'assumed compromise' mean?
Instead of spending the engagement trying to land initial access (which is mostly a question of phishing campaign quality), we start with a low-privilege user account or a foothold device on the corporate network. From there we test lateral movement, privilege escalation, and identity attacks. This produces more findings about your real defensive posture in less engagement time.
Will testing disrupt production?
Rarely, and never intentionally. We use low-impact techniques by default, coordinate noisy actions with your team, and skip anything destructive. Denial-of-service testing is a separate scope with explicit authorization. We have run hundreds of network pentests without causing an outage.
Do you cover wireless networks?
Yes. Wireless assessments cover corporate Wi-Fi (WPA2/WPA3-Enterprise auth attacks, EAP weaknesses), guest network isolation, BYOD segmentation, rogue access point detection, and physical RF coverage. On-site engagements are straightforward to schedule for Atlanta and Georgia clients; wireless audits are possible remotely with shipped hardware.
What deliverables do we get?
Executive summary for leadership, full attack narrative with timestamped command logs and screenshots, every finding mapped to MITRE ATT&CK technique IDs, prioritized remediation roadmap, letter of attestation for SOC 2 / PCI / HIPAA / cyber-insurance, and a free 60-day retest after remediation.
Network pentest reading
- Best Penetration Testing Companies in Georgia (2026): Georgia-based pentest providers, what they actually deliver, and how to choose.
- Cybersecurity Services for SaaS Startups (2026): What security work a SaaS founder actually needs in years 1-3.
- Penetration Test Cost (2026): Real pricing for web app, network, AD, and red team engagements.
Find out what's actually exposed.
Call William Beltz at (770) 652-1282 or book a scoping call to walk through rules of engagement, environment, and pricing.