VAPT · Network & Infrastructure

Port scan to Domain Admin.

External + internal network pentest including full Active Directory attack-path mapping. We show how an attacker actually moves through your environment - not a CSV of CVEs.

Threat landscape

What network attackers exploit first

The classes of attack that turn one compromised endpoint into a domain takeover. We hunt these on every internal engagement.

AD path to Domain Admin

BloodHound graphs show most networks have a sub-5-hop path from any user to DA. We find it before attackers do.

Lateral via SMB relay

NTLM coercion + relay attacks turn one compromised endpoint into full-network reach.

Kerberoasting + cred dump

Service-account TGS-REP hashes cracked offline give attackers high-privilege creds without alerts.

VPN / RDP brute-force

Exposed remote-access portals with weak MFA are the #1 ransomware entry vector.

Weak segmentation blast

Flat networks turn one compromise into 50. We map every east-west path attackers can use.

Insider / privilege creep

Over-permissioned accounts and stale access tokens are the longest-running risk most orgs ignore.

What we cover

  • External & internal network assessment
  • Authenticated & unauthenticated vuln scans
  • Configuration review (firewalls / routers / switches)
  • Privilege escalation testing
  • Lateral movement & pivoting scenarios
  • Active Directory attack paths

Common findings

  • Default / weak credentials
  • Unpatched services & known CVEs
  • Kerberoasting / AS-REP-roasting
  • SMB relay & NTLM coercion
  • ACL / GPO abuse paths
  • Weak segmentation & open egress

Engagement modes

External + internal

Most useful as a combined engagement - we start outside and walk in. Or pick one mode if scope is set.

External pentest

  • Perimeter asset enumeration
  • Internet-facing service review
  • VPN / remote-access posture
  • Brand-impersonating asset hunt
  • Subdomain takeover checks
  • Email / DMARC posture

Internal pentest

  • Assumed-breach starting position
  • Active Directory enumeration
  • Credential harvesting (kerberoast / asreproast)
  • Lateral movement to crown-jewel hosts
  • Domain Admin path mapping
  • Segmentation + egress controls

Active Directory

Sample attack path

How a standard domain user becomes Domain Admin - a path we find in most internal engagements. Visualized with BloodHound in your report.

Standard user
  → Kerberoastable account: TGS-REP for any user with SPN set
  → Hash crack: RC4 weak service-ticket hash
  → Service account: often over-privileged
  → ACL abuse: GenericAll, WriteDACL on critical objects
  → Domain Admin: DCSync rights granted, full hash dump
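The first hop of that path leaves a distinctive trace in domain-controller telemetry: a single user requesting RC4-encrypted service tickets (event 4769, TicketEncryptionType 0x17) for many SPNs in a short window. The following detection over constructed 4769 records is an added example, not code from the page or its authors; the log format, account names and thresholds are assumptions.

```python
# Flag the kerberoast step from Windows Security event 4769 (TGS request) records.
# Added example; sample lines are constructed (key=value, one event per line).
from collections import defaultdict
from datetime import datetime

# Constructed sample: one user pulls RC4 (0x17) tickets for several service SPNs
# in seconds; an AES (0x12) request, a computer-to-computer ticket and a krbtgt
# ticket are included as benign noise the rules must not flag.
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.5.21
2024-05-01T09:00:02 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.5.21
2024-05-01T09:00:02 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.5.21
2024-05-01T09:00:03 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=10.0.5.21
2024-05-01T09:05:00 EventID=4769 TargetUserName=adoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.7.4
2024-05-01T09:06:00 EventID=4769 TargetUserName=WS01$@CORP.LOCAL ServiceName=WS02$ TicketEncryptionType=0x17 IpAddress=10.0.7.9
2024-05-01T09:07:00 EventID=4769 TargetUserName=bkim@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.7.10
"""

def parse_4769(text):
    """Parse the constructed line format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def rc4_service_requests(events):
    """RC4 ticket requests for user service accounts: each one is a crackable
    TGS-REP hash. Computer accounts ($) and krbtgt are excluded as expected noise."""
    return [e for e in events
            if e.get("EventID") == "4769"
            and e["TicketEncryptionType"].lower() == "0x17"
            and not e["ServiceName"].endswith("$")
            and e["ServiceName"].lower() != "krbtgt"]

def kerberoast_bursts(events, min_spns=3, window_s=60):
    """Requesters that pulled RC4 tickets for >= min_spns distinct SPNs within
    window_s seconds. Returns {requester: sorted SPN list} for each alert."""
    by_user = defaultdict(list)
    for e in rc4_service_requests(events):
        by_user[e["TargetUserName"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            spns = {x["ServiceName"] for x in evs[i:]
                    if (x["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(spns) >= min_spns:
                alerts[user] = sorted(spns)
                break
    return alerts
```

Moving service accounts to AES-only keys (and rotating their passwords) removes the RC4 hash this rule keys on, which is the fix the finding itself calls for.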

Tools & stack

What's in the toolbox

  • Nmap: asset discovery + service fingerprinting
  • Nessus: authenticated vulnerability scanner
  • Metasploit: validated exploitation framework
  • BloodHound: AD attack-path graph analysis
  • Impacket: SMB / Kerberos / NTLM toolkit
  • Responder: LLMNR / NBT-NS poisoning + relay

See what a real report looks like

24 pages, redacted from a live engagement. Executive summary, technical findings with PoCs, remediation roadmap and attestation.

  • Executive summary + technical report
  • Reproducible PoCs with screenshots
  • Remediation roadmap + retest plan
  • Letter-of-attestation appendix

How we work

Methodology

A repeatable five-phase process. Same depth whether it's a focused spot test or a multi-surface engagement.

01 · Recon & threat modeling

Asset discovery, app mapping, STRIDE/DREAD analysis to scope what matters.

02 · Automated baseline

Tuned SAST/DAST/scanners to clear the noise. Never the primary signal.

03 · Manual exploitation

Where the real findings live. Senior testers, real PoCs, chained attacks.

04 · Risk assessment

CVSS scoring combined with your business context - not auto-generated severities.

05 · Reporting

Executive summary + reproducible technical report + remediation roadmap.

Frameworks & standards

Mapped to the standards your auditors care about

Reports map findings to the frameworks your compliance team is already chasing. Drop-in evidence for ISO, SOC 2, PCI and DPDP audits.

  • PTES
  • OSSTMM
  • NIST SP 800-115
  • MITRE ATT&CK (Enterprise)
  • CIS Controls v8
  • PCI-DSS 4.0
  • ISO 27001 Annex A
  • SOC 2 CC

FAQ

Common questions

If you're evaluating multiple firms, these are the questions worth asking each of us.

How long does a typical engagement take?

A focused spot test runs 5-7 business days. Multi-surface engagements typically take 2-4 weeks depending on application complexity. We agree on a written scope before the contract - no surprise extensions.

Is testing safe to run in production?

We test in production only when staging is unavailable and only with explicit written approval, an agreed test window, and a documented rollback plan. Destructive checks (DoS, data corruption) are excluded unless specifically requested.

What certifications does your team hold?

Engagements are run by senior testers and signed off by a practice lead. We test to recognised methodologies - OWASP, PTES and the OSSTMM - and map every finding to CVSS and CWE. If your procurement process needs specific individual credentials on file, we'll share them under NDA during scoping.

Do you offer retests after we patch?

Yes - retest engagements are scoped separately, focused only on the findings you've patched. Pricing is proportional to the surface area being re-verified and we send a written scope before any work starts.

What format are the deliverables in?

PDF reports (executive summary + technical), an editable findings spreadsheet, attack-path diagrams where relevant, and a letter of attestation on request. All findings include CVSS, CWE, repro steps, and remediation guidance.

How is scope determined and priced?

After a 15-minute discovery call we send a written scope inside 48 hours - fixed-price, with clearly itemized exclusions. No hourly billing surprises, no scope creep mid-engagement.

Map your real attack surface.

An IP count and an AD-domain summary are enough to scope - written proposal in 48 hours.