Updated: 2026-01-26

Penetration Testing

Network Penetration Testing

Internal & External Network Pentest Including Active Directory

A network penetration test assesses external and internal networks for real-world attack vectors. The goal is to uncover misconfigurations, segmentation issues, and privilege-escalation paths — before attackers can exploit them.

The focus is on connected attack chains:

How does an attacker move from initial access to critical systems?

Network pentests are especially valuable after infrastructure changes, site expansions, or introducing new network segments.

🌐 External & internal

From exposed services to internal segments and trust boundaries.

🧩 Active Directory focus

Common escalation paths and domain risks, documented clearly and traceably.

Clear priorities

Risk assessment + hardening plan so teams can remediate quickly.


What is a Network Pentest?

A network pentest simulates real attacks against:

  • external services (e.g. VPN, firewalls, remote access, exposed services)
  • internal networks and segments
  • Active Directory and identities
  • trust boundaries between networks/sites

It uses common attacker techniques (depending on scope), such as:

  • Service enumeration & weak service configurations
  • Credential harvesting
  • Pass-the-Hash / Pass-the-Ticket
  • Lateral movement
  • Privilege escalation

The goal is to make real attack paths visible — not just list isolated findings.


Is this relevant for you?

Typical triggers

  • New sites or network segments
  • VPN/remote access rollout or migration
  • AD migration, domain merger, new trusts
  • New firewalls / routing / NAC / zero-trust projects
  • ISO 27001 / TISAX preparation
  • Security incident or “near miss”

Common risks

  • Poor segmentation (too much implicit trust)
  • Over-privileged accounts / service accounts
  • Legacy protocols / insecure services
  • Weak GPOs / delegations
  • Overly broad VPN access
  • Unclear logging/detection coverage

Typical Scope

External
  • Open ports & services (exposure)
  • VPN endpoints, remote access, jump infrastructure
  • Firewall rules & internet-exposed systems
  • Initial access vectors (if in scope)
Internal
  • Segmentation & trust boundaries
  • User and service accounts
  • Lateral movement & privilege escalation
  • Access paths to sensitive systems
Active Directory (if in scope)
  • Kerberoasting / AS-REP roasting
  • Delegation / trust abuse
  • GPOs & group permissions, tiering models
  • Service account privileges
Optional
  • Hybrid connectivity (cloud ↔ on-prem)
  • Site interconnects / peering / MPLS
  • Jump hosts & admin access models
  • OT/IoT segments (separate scope)

Network Pentest vs Vulnerability Scan

A scan finds many indicators — a pentest proves real risk.

Network Pentest | Vulnerability Scan
Attack simulation & exploit paths | Automated detection
Proof: what is actually exploitable? | Potential vulnerabilities
Prioritized by impact & exploitability | Prioritized by CVSS/rules
Chain effects (segmentation → AD → data) | Isolated findings without context

Process

1) Scope

Targets, boundaries, networks, AD, test windows

2) Authorization

Approvals, contacts, emergency stop

3) Recon

Exposure, services, entry points

4) Initial Access

External/internal paths (in scope)

5) Movement

Lateral movement, AD, escalation

6) Report

Findings, priorities, debrief

Typical duration: 5–15 business days (depending on number of networks, AD complexity, and production windows).


Deliverables

Executive Summary

Risk overview, priorities, management-ready recommendations.

Attack Paths & Evidence

Exploit paths, screenshots, reproduction — documented clearly and traceably.

Findings with Risk Rating

Impact, exploitability, affected systems, clear prioritization.

Hardening Plan

Concrete measures for segmentation, AD, services, and access paths.

Optional: Retest / Verification

Verification of implemented measures — useful for compliance and risk management.


Typical Costs

Small

1 site / manageable networks

€6,000–12,000

Medium

multiple segments / AD in scope

€12,000–25,000

Complex

multiple sites / high AD complexity

from €25,000

What affects effort?
  • Number of networks / sites / segments
  • Active Directory complexity (trusts, tiering, delegation)
  • External vs internal (or combined)
  • Production time windows & change freeze
  • Retest / verification

Preparation & Access

Required information
  • IP range(s) / network overview
  • Escalation contact & emergency stop
  • Test windows / production restrictions
  • Optional: test accounts (internal) and AD scope
Operational safety
  • Alignment on scans and aggressive tests
  • Monitoring during test windows
  • Clear rules: no DoS/instability in scope

FAQ

Do you also test internal networks?

Yes — including segmentation, lateral movement, and Active Directory, if in scope.

What is required for external testing?

IP ranges, a contact person, and formal authorization; optionally, additional information about VPN/remote access components.

Is there a risk to production systems?

We work with agreed time windows, controlled methods, and clear abort rules. DoS testing is not included by default.

Is Active Directory always included?

For internal tests it’s almost always relevant — but it can be scoped separately (e.g. “network without AD” or “AD focus”).

Is there a retest?

Optional — to verify implemented hardening measures, especially for compliance or elevated risk.


