What does network penetration testing include?

External perimeter (exposed services, VPN config, SSL/TLS), internal network (AD enumeration via BloodHound, NTLM relay, Kerberoast, AS-REP roast, segmentation bypass, lateral movement), and wireless (WPA2/3-Enterprise EAP, rogue AP, PMKID).

External vs internal network pentest?

External proves whether attackers can establish initial foothold from the Internet. Internal proves whether — once inside (assumed breach or initial foothold) — segmentation and identity controls stop them from reaching crown-jewel assets.

Do you test Active Directory?

Yes. Full AD attack chain: enumeration → Kerberoast / AS-REP → NTLM relay / coercion → constrained delegation → DCSync. Mapped to MITRE ATT&CK with proof of each step.

Network map + segmentation findings, AD attack path (BloodHound graph + proof at each hop), CVSS-scored findings, code-level + policy remediation, CREST-approved report.

Network penetration testing

Find what a vuln scan never reaches.

External · Internal · Wireless · Devices, tested by hand for SMB-signing NTLM relay, mitm6 + WPAD coercion, kerberoastable service accounts, ADCS ESC1 template abuse, EAP/WPA2-Enterprise misconfig, and exposed firewall management. Every finding lands with the captured ticket, the relayed session, the cracked hash, and the GPO or ACL diff your team can ship.

Read a sample report

Four surfaces

External · Internal · Wireless · Devices, one method, four entry points.

Evidence

Captured tickets, relayed sessions, cracked hashes, not screenshots of a scanner.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

NAC bypass, VLAN hop, AD CS abuse, internal compromise from a guest port in under an hour.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record

Why a vuln scan isn't a pentest

An open port is not domain admin.

A scanner reports SMB signing optional, IPv6 enabled, a service account with a SPN. SecureLayer7's operators take it further, relay the next workstation auth into a privileged share, run mitm6 against the IPv6 stack to coerce DC$ to authenticate, kerberoast the SPN and crack it offline. Every finding ships with the captured ticket, the relayed session, and the GPO or registry diff your engineers can deploy.

How AI fits in network pentest engagements →

Two columns, scanner findings on the left, the chained exploit each becomes on the right: NTLM relay, mitm6 coercion, kerberoast.

IN SCOPE.

What lands in a network engagement.

PERIMETER

External attack surface

Exposed services, expired certs, forgotten subdomains, third-party connectors with weak trust.

ACTIVE DIRECTORY

Domain pivot paths

Kerberoasting, AS-REP, ACL abuse, ADCS templates, GPO ownership. Map to Domain Admin.

SEGMENTATION

VLAN + zone hops

Lateral routes the firewall ruleset doesn't see. Server VLAN to OT, DMZ to user, prod to dev.

EGRESS

Outbound chains

DNS tunnels, C2 channels through allowed proxies, SSL-inspection gaps, egress to attacker infra.

INTERNAL NETWORK COVERAGE.

What 200+ internal chains decompose into when we run a real test.

200+

01
Guest port to domain user
NAC bypass via MAC spoof on a printer VLAN, then LLMNR poisoning with Responder to capture NTLMv2 hashes.
02
NTLM relay to ADCS
Coerce auth with PetitPotam or PrinterBug, relay to Active Directory Certificate Services ESC8 web enrollment for a domain admin cert.
03
Kerberoasting to service account
Request service tickets for SPN-bound accounts, crack the RC4 hash offline, reuse the password against linked SQL boxes.
04
mitm6 to DNS takeover
Spoof DHCPv6 with mitm6, become the IPv6 DNS server, relay WPAD-triggered auth into LDAPS for domain object writes.
05
LAPS read to local admin
Abuse a misconfigured ACL on ms-Mcs-AdmPwd to pull plaintext local administrator passwords across a tier-2 fleet.
06
Segmentation hop to OT
Find a flat path from corporate Wi-Fi to the OT VLAN through a forgotten jump host with exposed RDP and reusable creds.

What we test —

Four network surfaces. One engagement.

Each boundary gets a manual, threat-modelled review against its real attack surface — perimeter, AD-joined estate, wireless edge, and the devices that route between them. Intensity tunes per scope.

External — internet-facing

Subdomain takeover, exposed RDP/SSH/SMB, vendor-portal SSRF, VPN-appliance CVE chains, perimeter mail-relay abuse, exposed git/CI endpoints, ASN-wide cert-transparency mining, and credential-leak correlation against the perimeter login surface.

Internal — east-west + AD

SMB-signing NTLM relay, kerberoasting and AS-REProasting, mitm6 + WPAD coercion, ADCS ESC1–ESC8 abuse, LAPS-password reuse, Group Policy preference passwords, BloodHound-mapped attack paths to Domain Admin and Tier-0 hosts.

Wireless — Wi-Fi + 802.1X

WPA2/WPA3 handshake capture and crack, EAP-TLS cert-pinning bypass, PEAP/MSCHAPv2 relay, rogue-AP and KARMA, 802.1X NAC bypass via MAC spoof, guest-network pivot, captive-portal credential harvest.

Devices — firewalls, switches, routers

Exposed management interfaces (SSH/HTTPS/SNMP), default and stale credentials, ACL bypass via spoofed source, SNMPv2 community brute-force, IPv6-routing override, firmware-CVE pivot to lateral access.

NETWORK PENTEST METHODOLOGY.

Eight phases. Perimeter to Domain Admin.

Threat-modelled to your perimeter, AD topology, segmentation, and admin-tier model. Not a template we run against every network.

01
Scope & threat-model
In-scope CIDRs, AD forests, wireless SSIDs, and admin tiers agreed in writing before any traffic. Out-of-scope DR sites, partner ASNs, and legal-blocked targets recorded.
02
Recon & enumeration
ASN and cert-transparency sweep on the perimeter, BloodHound and PingCastle on the internal estate, wireless RF survey for in-scope SSIDs, SNMP or SSH banner inventory on devices.
03
External exploitation
Vendor-portal SSRF, exposed admin interfaces, VPN-appliance CVE chains, mail-relay abuse, leaked-credential password-spray. Exercised to first foothold inside the perimeter.
04
AD exploitation
NTLM relay across SMB-signing-off hosts, mitm6 with WPAD coercion, kerberoast and AS-REProast, ADCS ESC chains, LAPS reuse, Group Policy preference passwords. Pursued to Domain Admin or Tier-0.
05
Wireless & edge
Handshake capture and crack, EAP or PEAP relay, rogue-AP and KARMA, 802.1X bypass via MAC spoof, captive-portal harvest. Measured to a routable session inside the corporate VLAN.
06
Vulnerability analysis
Findings correlated, chained into attack paths, scored against your real network blast-radius. Your team sees what's reachable, not just what's exposed.
07
Remediation guidance
GPO snippets, ADCS template diffs, firewall ACL changes, switch port-security configs, AD tiering recommendations. Written for network and AD engineers, not auditors.
08
Patch verification
Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.

Insights

Network security Resources.

Field notes on segmentation drift, AD path abuse, and the internal-network bugs that scanners miss.

Network

Defending against MITM attacks with network segmentation

Where east-west exposure becomes lateral movement, and how VLAN segmentation and trust boundaries actually hold up under a manual pentest.

Active Directory

Active Directory attacks and preventive measures

Kerberoasting, NTLM relay, ADCS ESC chains, the AD attack paths a manual pentest actually exercises, and the controls that close each one.

Devices

Firewall penetration testing, strengthen your network security

How an exposed firewall management interface or stale rule becomes the pivot point of an internal compromise, and how to test it from scoping to retest.

Meet our expert

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes network pentest engagements against your perimeter, AD topology, wireless footprint, and admin-tier model. He guides the pod from kick-off through final report and re-test.

Scopes external, internal, wireless, and device-layer engagements against your real risk model.
Owns kick-off, mid-engagement check-ins, and live walkthrough of every captured ticket and relayed session.
Drives remediation review and re-test until every attack path is closed.

SL7 Lab. Published CVE research.

Ready to scope a network pentest? Book 30 minutes with John to walk through your perimeter, AD model, and timeline.

Book a 30-min call

Common procurement questions

What buyers ask about network penetration testing.

Six questions procurement teams send before signing a network pentest SOW. Answered against our methodology and your auditor.

Show all 6 questions

Have a procurement question not listed here?

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

SaaS production networks, segmentation between dev/stage/prod, VPN paths.

See Tech SaaS pentest

FinTech

Branch-DC networks, ATM-adjacent zones, payment-rail segmentation.

See FinTech pentest

Retail

Store networks, in-store wireless, POS-back-office segmentation.

See Retail pentest

Sample network pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full attack-path narrative, captured ticket, relayed session, and the GPO or ACL diff your engineers can deploy. Sent on request after a 5-minute scoping call.

Find what a vuln scan never reaches.

Four surfaces

Evidence

Re-test included

An open port is not domain admin.

What lands in a network engagement.

Four network surfaces. One engagement.

External — internet-facing

Internal — east-west + AD

Wireless — Wi-Fi + 802.1X

Devices — firewalls, switches, routers

Eight phases. Perimeter to Domain Admin.

Scope & threat-model

Recon & enumeration

External exploitation

AD exploitation

Wireless & edge

Vulnerability analysis

Remediation guidance

Patch verification

Network security Resources.

Defending against MITM attacks with network segmentation

Active Directory attacks and preventive measures

Firewall penetration testing, strengthen your network security

Meet our expert

John Dill

How long does a network penetration testing engagement take?

What is tested in a network pentest?

Do you include a re-test?

Which compliance frameworks does the report map to?

How does this differ from a vulnerability scanner?

Is the report regulator-ready?

Tested by industry.

Tech SaaS

FinTech

Retail

See what arrives in your inbox.