Network penetration testing

Find what a vuln scan never reaches.

External · Internal · Wireless · Devices, tested by hand for SMB-signing NTLM relay, mitm6 + WPAD coercion, kerberoastable service accounts, ADCS ESC1 template abuse, EAP/WPA2-Enterprise misconfig, and exposed firewall management. Every finding lands with the captured ticket, the relayed session, the cracked hash, and the GPO or ACL diff your team can ship.

Read a sample report
Four network surfaces, External, Internal, Wireless, Devices, converging on a proof-of-exploit card showing a kerberoast-to-domain-admin chain.

Four surfaces

External · Internal · Wireless · Devices, one method, four entry points.

Evidence

Captured tickets, relayed sessions, cracked hashes, not screenshots of a scanner.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • ISO/IEC 27001

Why a vuln scan isn't a pentest

An open port is not domain admin.

A scanner reports SMB signing optional, IPv6 enabled, a service account with a SPN. SecureLayer7's operators take it further, relay the next workstation auth into a privileged share, run mitm6 against the IPv6 stack to coerce DC$ to authenticate, kerberoast the SPN and crack it offline. Every finding ships with the captured ticket, the relayed session, and the GPO or registry diff your engineers can deploy.

How AI fits in network pentest engagements →
Two columns, scanner findings on the left, the chained exploit each becomes on the right: NTLM relay, mitm6 coercion, kerberoast.
Two columns, scanner findings on the left, the chained exploit each becomes on the right: NTLM relay, mitm6 coercion, kerberoast.

IN SCOPE.

What lands in a network engagement.

PERIMETER
External attack surface

Exposed services, expired certs, forgotten subdomains, third-party connectors with weak trust.

ACTIVE DIRECTORY
Domain pivot paths

Kerberoasting, AS-REP, ACL abuse, ADCS templates, GPO ownership. Map to Domain Admin.

SEGMENTATION
VLAN + zone hops

Lateral routes the firewall ruleset doesn't see. Server VLAN to OT, DMZ to user, prod to dev.

EGRESS
Outbound chains

DNS tunnels, C2 channels through allowed proxies, SSL-inspection gaps, egress to attacker infra.

INTERNAL NETWORK COVERAGE.

What 200+ internal chains decompose into when we run a real test.

200+
  1. 01
    Guest port to domain user

    NAC bypass via MAC spoof on a printer VLAN, then LLMNR poisoning with Responder to capture NTLMv2 hashes.

  2. 02
    NTLM relay to ADCS

    Coerce auth with PetitPotam or PrinterBug, relay to Active Directory Certificate Services ESC8 web enrollment for a domain admin cert.

  3. 03
    Kerberoasting to service account

    Request service tickets for SPN-bound accounts, crack the RC4 hash offline, reuse the password against linked SQL boxes.

  4. 04
    mitm6 to DNS takeover

    Spoof DHCPv6 with mitm6, become the IPv6 DNS server, relay WPAD-triggered auth into LDAPS for domain object writes.

  5. 05
    LAPS read to local admin

    Abuse a misconfigured ACL on ms-Mcs-AdmPwd to pull plaintext local administrator passwords across a tier-2 fleet.

  6. 06
    Segmentation hop to OT

    Find a flat path from corporate Wi-Fi to the OT VLAN through a forgotten jump host with exposed RDP and reusable creds.

What we test —

Four network surfaces. One engagement.

Each boundary gets a manual, threat-modelled review against its real attack surface — perimeter, AD-joined estate, wireless edge, and the devices that route between them. Intensity tunes per scope.

External — internet-facing

Subdomain takeover, exposed RDP/SSH/SMB, vendor-portal SSRF, VPN-appliance CVE chains, perimeter mail-relay abuse, exposed git/CI endpoints, ASN-wide cert-transparency mining, and credential-leak correlation against the perimeter login surface.

Internal — east-west + AD

SMB-signing NTLM relay, kerberoasting and AS-REProasting, mitm6 + WPAD coercion, ADCS ESC1–ESC8 abuse, LAPS-password reuse, Group Policy preference passwords, BloodHound-mapped attack paths to Domain Admin and Tier-0 hosts.

Wireless — Wi-Fi + 802.1X

WPA2/WPA3 handshake capture and crack, EAP-TLS cert-pinning bypass, PEAP/MSCHAPv2 relay, rogue-AP and KARMA, 802.1X NAC bypass via MAC spoof, guest-network pivot, captive-portal credential harvest.

Devices — firewalls, switches, routers

Exposed management interfaces (SSH/HTTPS/SNMP), default and stale credentials, ACL bypass via spoofed source, SNMPv2 community brute-force, IPv6-routing override, firmware-CVE pivot to lateral access.

NETWORK PENTEST METHODOLOGY.

Eight phases. Perimeter to Domain Admin.

Threat-modelled to your perimeter, AD topology, segmentation, and admin-tier model. Not a template we run against every network.

  1. 01

    Scope & threat-model

    In-scope CIDRs, AD forests, wireless SSIDs, and admin tiers agreed in writing before any traffic. Out-of-scope DR sites, partner ASNs, and legal-blocked targets recorded.

  2. 02

    Recon & enumeration

    ASN and cert-transparency sweep on the perimeter, BloodHound and PingCastle on the internal estate, wireless RF survey for in-scope SSIDs, SNMP or SSH banner inventory on devices.

  3. 03

    External exploitation

    Vendor-portal SSRF, exposed admin interfaces, VPN-appliance CVE chains, mail-relay abuse, leaked-credential password-spray. Exercised to first foothold inside the perimeter.

  4. 04

    AD exploitation

    NTLM relay across SMB-signing-off hosts, mitm6 with WPAD coercion, kerberoast and AS-REProast, ADCS ESC chains, LAPS reuse, Group Policy preference passwords. Pursued to Domain Admin or Tier-0.

  5. 05

    Wireless & edge

    Handshake capture and crack, EAP or PEAP relay, rogue-AP and KARMA, 802.1X bypass via MAC spoof, captive-portal harvest. Measured to a routable session inside the corporate VLAN.

  6. 06

    Vulnerability analysis

    Findings correlated, chained into attack paths, scored against your real network blast-radius. Your team sees what's reachable, not just what's exposed.

  7. 07

    Remediation guidance

    GPO snippets, ADCS template diffs, firewall ACL changes, switch port-security configs, AD tiering recommendations. Written for network and AD engineers, not auditors.

  8. 08

    Patch verification

    Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.

Insights

Network security Resources.

Field notes on segmentation drift, AD path abuse, and the internal-network bugs that scanners miss.

Meet our expert

Meet our expert

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes network pentest engagements against your perimeter, AD topology, wireless footprint, and admin-tier model. He guides the pod from kick-off through final report and re-test.

  • Scopes external, internal, wireless, and device-layer engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every captured ticket and relayed session.
  • Drives remediation review and re-test until every attack path is closed.
SL7 Lab. Published CVE research.
John Dill, vCISO at SecureLayer7

Ready to scope a network pentest? Book 30 minutes with John to walk through your perimeter, AD model, and timeline.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

SaaS production networks, segmentation between dev/stage/prod, VPN paths.

See Tech SaaS pentest

FinTech

Branch-DC networks, ATM-adjacent zones, payment-rail segmentation.

See FinTech pentest

Retail

Store networks, in-store wireless, POS-back-office segmentation.

See Retail pentest

Built for United Arab Emirates engagements

What changes when we deliver here.

  • Compliance scoping

    Findings tagged to UAE IAS v2 T2 communications sub-controls

  • Regulatory framework

    NESA SIA network-segmentation clause mapping for CNI clients

  • Local engagements

    Tested a UAE utility's IT-OT segmentation before NESA review

  • Local pricing

    AED quotes; on-site work in Dubai, Abu Dhabi, Sharjah

  • Compliance scoping

    Dual-stack IPv4 and IPv6 in default scope

Network-test questions UAE buyers ask.

  • Do findings map to UAE IAS v2 T2?

    Yes. Every finding cites the T2 sub-control it breaks. NESA SIA network-segmentation clauses appear in the same row for CNI clients.

  • Do you test segmentation between business and OT?

    Yes. Passive checks first, then approved active probes. NESA SIA OT-IT segmentation clause expectations form the pass-fail line.

  • Can the test run from on-site?

    Yes. Operators come to your Dubai or Abu Dhabi site for internal tests. No tap data leaves the UAE during the window.

  • Is IPv6 covered?

    Yes. Dual-stack scoping is the default for UAE telecoms. Findings list both v4 and v6 paths and the UAE IAS v2 T2 sub-control affected.

Delivery in United Arab Emirates

UAE IAS T2 mapped. AED-denominated.

External, internal, and segmentation findings cite UAE IAS v2 T2 communications controls. NESA SIA network-segmentation expectations cross-referenced.

Direct line
+971-4-123-4567
Office
Dubai, UAE

Frameworks scoped: UAE IAS · NESA · ADHICS · PCI DSS · ISO/IEC 27001.

Sample network pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full attack-path narrative, captured ticket, relayed session, and the GPO or ACL diff your engineers can deploy. Sent on request after a 5-minute scoping call.