Network penetration testing

Research-led network pentest, external, internal, Active Directory.

CREST-accredited researchers test the perimeter, the internal network, and the AD chain the way attackers do: edge exposure, lateral movement, Kerberos abuse, domain admin path. Two weeks from kickoff to a report your auditor accepts.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most network pentests stop at the perimeter scan. Attackers live inside the AD.

  • Templated external scans flag the same edge findings every quarter. None prove the path from edge to domain admin.

  • Internal pentests without Active Directory chain testing miss Kerberos, ACL, and trust-relationship abuse, the bugs ransomware operators actually use.

  • Reports listing CVSS without lateral-movement paths get ignored by auditors and execs alike.

Here is what we ship.

Why teams pick us

Path to domain admin, not edge CVSS lists.

  • External and internal coverage

    Edge exposure, internal recon, and AD chain tested as one engagement, not three quotes.

  • Active Directory chain

    Kerberoasting, AS-REP roasting, ACL abuse, ADCS abuse, delegation chains, trust-relationship traversal.

  • Detection-gap reporting

    Each chain ships with the detection that would have caught it. SOC takes the gaps and tunes.

How it works

From recon to domain admin in two to three weeks.

  1. Scope edge and internal

    Tell us the external surface, internal range, AD forest, and the data surface that matters.

  2. Researchers chain the path

    Edge initial access, internal lateral movement, AD privilege escalation, domain admin objective.

  3. Findings with detection map

    Each finding ships with a reproducer, the AD path, and the detection rule that would have caught it.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

External, internal, or both?
Both is the default. Most engagements test edge initial access plus internal AD chain in one scope.

Active Directory chain testing?
Yes. Kerberoasting, AS-REP, unconstrained delegation, ACL abuse, ADCS, trust relationships, BloodHound paths.

Will you find domain admin?
On most engagements, yes. We document the chain, the dwell time, and the detection gap.

Is it safe on production?
Yes. Read-only and recon by default. Destructive actions require explicit per-finding approval.

Do you cover detection?
Yes. Each finding ships with the detection rule that would have caught it. Purple-team option available.

Ready to see the path from edge to domain admin?

20-minute scoping call with the lead network pentester. External, internal, AD, and the detection gaps in between.

CREST · CERT-In · SOC 2 · ISO 27001