CREST-CERTIFIED · ASSUMED BREACH

CREST-Certified Internal Network Penetration Testing for UK Organisations

We model an attacker who is already inside (a stolen laptop, a rogue insider or a phished employee) and show exactly how far they could move across your servers, Active Directory and internal services. Then we tell you how to shut every path down.

Free, no-obligation. A CREST tester replies within 24 hours, not a call centre.

ASSUMED BREACH: We start from inside the perimeter
FREE RETEST: We re-test every fix at no extra cost

Accredited & recognised: IASME certifying body, Cyber Essentials certified, Cyber Essentials Plus certified, CREST member, ISO 27001 certified, ISO 9001 certified, Crown Commercial Service supplier

In short

What is internal network penetration testing?

Internal network penetration testing is a security assessment that simulates an attacker who already has a foothold on your network, such as a malicious insider, a compromised laptop or a contractor’s device. A CREST-certified tester attempts lateral movement, privilege escalation and Active Directory compromise to prove how far a real breach could spread.

EJN Labs provides CREST-certified internal network penetration testing services for UK organisations. Where external and perimeter testing checks what an outsider can reach, an internal infrastructure penetration test starts inside the perimeter and measures the blast radius of a single compromised device.

Internal network penetration testing is also known as internal infrastructure penetration testing, an internal network pen test or an assumed-breach assessment.

PERIMETER VS INSIDE

Where Internal Testing Fits Alongside Perimeter Testing

External testing checks what an outsider can reach. Internal testing assumes they are already inside. Most UK organisations scope both, because they answer different questions.

External / Perimeter

What an outsider can reach

The internet-facing edge: firewalls, VPNs, mail and web services. It answers how exposed your perimeter is before anyone gets in.

Internal / Assumed Breach

What an intruder can reach once inside

We assume the perimeter is already crossed (by phishing, a lost device or a supplier) and measure how fast a single foothold becomes domain admin, and how far it spreads across your servers, Active Directory and internal services.

ASSUMED-BREACH METHODOLOGY

How Internal Network Penetration Testing Works

Every technique is mapped to MITRE ATT&CK, from a standard foothold to a measured blast radius, then a clear path to close every route.

1. Scoping and rules of engagement

We agree targets, sites, Active Directory domains, test windows and a safe-word so we can pause instantly.

2. Internal reconnaissance and network mapping

Host discovery and service enumeration across the in-scope subnets to build a picture of the internal estate.

3. Credential capture and relay

We exploit name-resolution weaknesses (LLMNR, NBT-NS, mDNS) and NTLM relay across SMB, LDAP and HTTP to harvest and reuse credentials.

4. Active Directory attacks and privilege escalation

Kerberoasting, AS-REP roasting, certificate-services abuse and attack-path analysis to escalate from a standard user.

5. Lateral movement and pivoting

We move host to host to reach the systems and data that matter most to your business.

6. Impact demonstration

We safely prove the business impact, such as domain compromise or access to sensitive shares, without disrupting operations.

7. Reporting, debrief and free retest

CVSS-rated findings, an attack-path narrative, a remediation call, and a free retest of every fix.

MANUAL-LED TOOLKIT

Tools and Techniques We Use

Manual-led and consultant-driven. Automated scanning establishes coverage; the findings that matter come from a CREST-certified tester chaining these by hand, under controlled conditions.

Nmap

Discovery

Host and service enumeration across the in-scope internal subnets to map the estate.

Responder

Poisoning

LLMNR, NBT-NS and mDNS poisoning to capture authentication on flat networks.

NetExec

AD Spraying

Authenticated enumeration, password spraying and lateral execution across hosts.

BloodHound

Attack Paths

Maps the shortest path from a standard user to domain admin across Active Directory.

Impacket

Protocol Abuse

NTLM relay, secretsdump, Kerberoasting and ticket attacks against Windows services.

Certipy

AD CS

Certificate-services abuse (ESC1 onward) for privilege escalation and persistence.

Rubeus

Kerberos

Kerberoasting, AS-REP roasting and ticket manipulation against the domain.

Mimikatz

Credentials

Credential and ticket extraction performed safely under controlled conditions.

Nessus

Coverage

Authenticated vulnerability scanning to establish a baseline before the manual phase.

WHAT WE FIND

Internal Network Weaknesses We Routinely Find

The same handful of internal weaknesses turn one foothold into full domain compromise, often basic deviations from CIS hardening benchmarks. These are the categories we find again and again.


Active Directory attack paths

Kerberoastable service accounts, accounts with pre-authentication disabled (AS-REP roasting), Active Directory Certificate Services misconfigurations (ESC1 onward), and unconstrained, constrained and resource-based delegation.

Credential capture and relay

LLMNR and NBT-NS poisoning exposure, missing or weak SMB signing, and NTLM relay across SMB, LDAP and HTTP that turns a single response into reusable access.

Flat, unsegmented networks

User and server VLANs that talk to everything, so one compromised laptop can reach domain controllers, backups and finance systems unimpeded.

Excessive privilege and weak secrets

Excessive local administrator rights, default or reused credentials, and over-permissioned service accounts that hand an attacker the keys.

Unpatched and end-of-life systems

Missing patches, end-of-life operating systems and legacy protocols still enabled inside the perimeter where they are rarely monitored.

Over-shared, exposed data

File servers and shares exposing sensitive data to every authenticated user, ready to be found the moment an attacker has any account.

COMPLIANCE EVIDENCE

Internal Network Testing and Your Compliance Obligations

An internal network penetration test gives you the independent technical evidence that auditors and frameworks expect, in line with NCSC penetration testing guidance. It does not award a certificate; it produces the proof.

Cyber Essentials Plus

Deeper internal assurance that goes beyond the authenticated vulnerability assessment carried out for CE Plus. It does not replace or grant certification, which is awarded only by a licensed IASME Certification Body.

ISO 27001 (A.8.8)

Evidence supporting management of technical vulnerabilities within your ISMS. Testing also feeds independent review (A.5.35) and security testing (A.8.29).

PCI DSS (v4.0.1)

Independent internal penetration testing of the cardholder data environment (Req 11.4.3) and validation of segmentation controls (Req 11.4.5; 11.4.6 for service providers), at least annually.

SOC 2

Supporting evidence toward the Security (Common Criteria) category of the Trust Services Criteria, in particular vulnerability identification (CC7.1).

NIS2 and DORA

Supports the security-testing obligations under NIS2 (Art. 21) and DORA’s resilience-testing programme. DORA Threat-Led Penetration Testing is a separate, advanced exercise.

Cyber insurance and audits

An independent CREST-certified report that insurers and enterprise security questionnaires increasingly ask for before binding cover or onboarding a supplier.

TRANSPARENT PRICING

How Much Does Internal Network Penetration Testing Cost?

Priced by scope: as a rule of thumb we cover around 50 live hosts per tester-day, at a flat day rate of around £1,200. Every tester is senior or principal grade, so the price reflects the size of your estate, not who we send. See the full UK pen test pricing guide.

✦ ALWAYS · ON EVERY ENGAGEMENT · NO EXCEPTIONS ✦
Free retests, no time limit
Free rescheduling
No cancellation fees
24-hour scope to active testing
Live findings to client portal
Executive + technical report
60-min walkthrough call
Letter of attestation

SINGLE SITE
£1,200 to £3,600
1 to 3 tester-days

Up to around 150 hosts on one site with a single Active Directory domain. The common starting point for SMEs.

MULTI-SITE / AD (MOST COMMISSIONED)
£3,600 to £9,600
3 to 8 tester-days

Around 150 to 400 hosts across several sites or multiple Active Directory domains, with trust relationships to follow.

LARGE ESTATE
£9,600 to £14,400
8 to 12 tester-days

400 hosts or more across a large, multi-domain estate, with segmentation testing and sensitive systems in scope.

The price is fixed and agreed before we start. The quote is free and there is no obligation to proceed, and a CREST tester replies within 24 hours.

DELIVERABLES

What You Get

Not a scanner export. A clear account of how far an intruder could get inside your network, and exactly how to stop them.

Technical report with CVSS-rated findings

Every issue rated, evidenced and reproducible, in the format your engineers and auditors expect.

Plain-English executive summary

The business risk in language the board and your insurer can read without a translator.

An attack-path narrative

The story of how one foothold became domain compromise, step by step, so the fix is obvious.

Prioritised remediation guidance

What to fix first for the biggest reduction in risk, with practical, tested advice.

A live debrief call with the tester

Time with the person who did the work, to walk your team through every finding.

A free retest of every fix

We re-test everything you remediate, at no extra cost, so you can prove it is closed.

CREST: Approved Provider
AD: Active Directory Focus
FREE: Retest Included
24h: Fixed Quote

CLIENT REFERENCE
“Thorough, well-documented and actionable findings, methodical and aligned with industry best practices.”

– IT Director, International Property Group

UNDER NDA: Named UK reference firms available during scoping calls.

Frequently Asked

What is internal network penetration testing?

An internal network penetration test simulates an attacker who already has access inside your network, then attempts to move laterally, escalate privileges and compromise Active Directory. It measures how far a single foothold, such as a phished user or a lost laptop, could spread before it reaches your most sensitive systems.

How much does an internal network penetration test cost in the UK?

Most UK internal network penetration tests fall between £1,200 and £14,400. As a rule of thumb we cover around 50 live hosts per tester-day at a flat day rate of around £1,200, with every tester senior or principal grade. See our UK pen test pricing guide or get a fixed quote.

Do you test Active Directory?

Yes. Active Directory is usually the heart of an internal test. We assess Kerberoasting, AS-REP roasting, certificate-services abuse, delegation weaknesses and attack paths from a standard user to domain admin, using tools such as BloodHound and Impacket.

Will the test disrupt our network or services?

No. Testing is controlled, agreed in advance and run with a safe-word so we can pause instantly. Disruptive techniques are excluded by default and intrusive checks are scheduled out of hours where needed. Tell us your scope and we will plan around your operations.

What information do you need to scope an internal network pen test?

Usually just the approximate number of live hosts, the number of sites, how many Active Directory domains you run and your objectives. As a rule of thumb we cover around 50 live hosts per tester-day, then turn that into a fixed-price scope. Send us your rough scope for a quote within 24 hours.

What tools do you use?

Our testing is manual-led and consultant-driven. We use industry-standard tooling including Nmap, Responder, NetExec, BloodHound, Impacket, Certipy and Nessus, but the findings that matter come from a CREST-certified tester chaining them by hand.

What is the difference between internal and external penetration testing?

External or perimeter testing assesses what an outsider can reach from the internet, such as firewalls, VPNs and public services. Internal testing assumes that perimeter is already breached and tests what an attacker can do once inside. Most organisations scope both. See our external network penetration testing service.

What is an assumed-breach test?

An assumed-breach test starts with the attacker already inside, for example with a standard user account or a device on your network. It skips the time and cost of bypassing the perimeter and focuses budget on what matters most: how far a real intruder could get.

How long does an internal network penetration test take?

A single-site internal test typically takes 3 to 5 working days. Larger estates with multiple sites or Active Directory domains take 6 to 12 days. We agree the exact duration during scoping based on host count and objectives.

Can an internal network pen test be done remotely?

Yes. We can ship a preconfigured testing device or use a secure jump host, so most internal tests run remotely with no tester on site. On-site testing is available where you prefer it.

Does internal network testing help with Cyber Essentials Plus, ISO 27001 or PCI DSS?

Internal network testing produces independent technical evidence that supports several frameworks: technical vulnerability management under ISO 27001 (A.8.8), internal penetration testing under PCI DSS (Req 11.4.3) and assurance beyond the Cyber Essentials Plus assessment. It does not award certification, which only a licensed body can grant. See our CREST penetration testing page.

What is internal infrastructure penetration testing?

Internal infrastructure penetration testing is another name for internal network testing. It assesses the servers, network devices, Active Directory and internal services that run your business, from the position of an attacker who is already inside the perimeter.

READY TO SCOPE

Book an Internal Network Test Scoping Call

Tell us your rough scope and we send a fixed price within 24 hours. No obligation, no hard sell, and a CREST tester on the other end.