Network penetration testing

Find what a vuln scan never reaches.

External · Internal · Wireless · Devices, tested by hand for SMB-signing NTLM relay, mitm6 + WPAD coercion, kerberoastable service accounts, ADCS ESC1 template abuse, EAP/WPA2-Enterprise misconfig, and exposed firewall management. Every finding lands with the captured ticket, the relayed session, the cracked hash, and the GPO or ACL diff your team can ship.

Four network surfaces, External, Internal, Wireless, Devices, converging on a proof-of-exploit card showing a kerberoast-to-domain-admin chain.

Four surfaces

External · Internal · Wireless · Devices, one method, four entry points.

Evidence

Captured tickets, relayed sessions, cracked hashes, not screenshots of a scanner.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • AICPA SOC 2 Type II
  • ISO/IEC 27001

Why a vuln scan isn't a pentest

An open port is not domain admin.

A scanner reports SMB signing optional, IPv6 enabled, a service account with an SPN. SecureLayer7's operators take it further: they relay the next workstation auth into a privileged share, run mitm6 against the IPv6 stack to coerce DC$ to authenticate, then kerberoast the SPN and crack it offline. Every finding ships with the captured ticket, the relayed session, and the GPO or registry diff your engineers can deploy.

Two columns, scanner findings on the left, the chained exploit each becomes on the right: NTLM relay, mitm6 coercion, kerberoast.

IN SCOPE.

What lands in a network engagement.

PERIMETER
External attack surface

Exposed services, expired certs, forgotten subdomains, third-party connectors with weak trust.

ACTIVE DIRECTORY
Domain pivot paths

Kerberoasting, AS-REP, ACL abuse, ADCS templates, GPO ownership. Map to Domain Admin.

SEGMENTATION
VLAN + zone hops

Lateral routes the firewall ruleset doesn't see. Server VLAN to OT, DMZ to user, prod to dev.

EGRESS
Outbound chains

DNS tunnels, C2 channels through allowed proxies, SSL-inspection gaps, egress to attacker infra.

INTERNAL NETWORK COVERAGE.

What 200+ internal chains decompose into when we run a real test.

  1. Guest port to domain user

    NAC bypass via MAC spoof on a printer VLAN, then LLMNR poisoning with Responder to capture NTLMv2 hashes.

  2. NTLM relay to ADCS

    Coerce auth with PetitPotam or PrinterBug, relay to Active Directory Certificate Services ESC8 web enrollment for a domain admin cert.

  3. Kerberoasting to service account

    Request service tickets for SPN-bound accounts, crack the RC4 hash offline, reuse the password against linked SQL boxes.

  4. mitm6 to DNS takeover

    Spoof DHCPv6 with mitm6, become the IPv6 DNS server, relay WPAD-triggered auth into LDAPS for domain object writes.

  5. LAPS read to local admin

    Abuse a misconfigured ACL on ms-Mcs-AdmPwd to pull plaintext local administrator passwords across a tier-2 fleet.

  6. Segmentation hop to OT

    Find a flat path from corporate Wi-Fi to the OT VLAN through a forgotten jump host with exposed RDP and reusable creds.

What we test —

Four network surfaces. One engagement.

Each boundary gets a manual, threat-modelled review against its real attack surface — perimeter, AD-joined estate, wireless edge, and the devices that route between them. Intensity tunes per scope.

External — internet-facing

Subdomain takeover, exposed RDP/SSH/SMB, vendor-portal SSRF, VPN-appliance CVE chains, perimeter mail-relay abuse, exposed git/CI endpoints, ASN-wide cert-transparency mining, and credential-leak correlation against the perimeter login surface.

Internal — east-west + AD

SMB-signing NTLM relay, kerberoasting and AS-REProasting, mitm6 + WPAD coercion, ADCS ESC1–ESC8 abuse, LAPS-password reuse, Group Policy preference passwords, BloodHound-mapped attack paths to Domain Admin and Tier-0 hosts.

Wireless — Wi-Fi + 802.1X

WPA2/WPA3 handshake capture and crack, EAP-TLS cert-pinning bypass, PEAP/MSCHAPv2 relay, rogue-AP and KARMA, 802.1X NAC bypass via MAC spoof, guest-network pivot, captive-portal credential harvest.

Devices — firewalls, switches, routers

Exposed management interfaces (SSH/HTTPS/SNMP), default and stale credentials, ACL bypass via spoofed source, SNMPv2 community brute-force, IPv6-routing override, firmware-CVE pivot to lateral access.

NETWORK PENTEST METHODOLOGY.

Eight phases. Perimeter to Domain Admin.

Threat-modelled to your perimeter, AD topology, segmentation, and admin-tier model. Not a template we run against every network.

  1. Scope & threat-model

    In-scope CIDRs, AD forests, wireless SSIDs, and admin tiers agreed in writing before any traffic. Out-of-scope DR sites, partner ASNs, and legal-blocked targets recorded.

  2. Recon & enumeration

    ASN and cert-transparency sweep on the perimeter, BloodHound and PingCastle on the internal estate, wireless RF survey for in-scope SSIDs, SNMP or SSH banner inventory on devices.

  3. External exploitation

    Vendor-portal SSRF, exposed admin interfaces, VPN-appliance CVE chains, mail-relay abuse, leaked-credential password-spray. Exercised to first foothold inside the perimeter.

  4. AD exploitation

    NTLM relay across SMB-signing-off hosts, mitm6 with WPAD coercion, kerberoast and AS-REProast, ADCS ESC chains, LAPS reuse, Group Policy preference passwords. Pursued to Domain Admin or Tier-0.

  5. Wireless & edge

    Handshake capture and crack, EAP or PEAP relay, rogue-AP and KARMA, 802.1X bypass via MAC spoof, captive-portal harvest. Measured to a routable session inside the corporate VLAN.

  6. Vulnerability analysis

    Findings correlated, chained into attack paths, scored against your real network blast-radius. Your team sees what's reachable, not just what's exposed.

  7. Remediation guidance

    GPO snippets, ADCS template diffs, firewall ACL changes, switch port-security configs, AD tiering recommendations. Written for network and AD engineers, not auditors.

  8. Patch verification

    Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.

Meet our expert


John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes network pentest engagements against your perimeter, AD topology, wireless footprint, and admin-tier model. He guides the pod from kick-off through final report and re-test.

  • Scopes external, internal, wireless, and device-layer engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every captured ticket and relayed session.
  • Drives remediation review and re-test until every attack path is closed.
SL7 Lab. Published CVE research.

Ready to scope a network pentest? Book 30 minutes with John to walk through your perimeter, AD model, and timeline.


Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

SaaS production networks, segmentation between dev/stage/prod, VPN paths.

FinTech

Branch-DC networks, ATM-adjacent zones, payment-rail segmentation.

Retail

Store networks, in-store wireless, POS-back-office segmentation.

Built for United Kingdom engagements

What changes when we deliver here.

  • Compliance scoping

    NCSC CAF B3.a and B3.b control mapping in every finding

  • Regulatory framework

    Cyber Essentials Plus assessor alignment for the external scope

  • Local engagements

    UK manufacturing group cleaned 1,400 internal hosts pre-CE+ recertification

  • Local pricing

    GBP per-host bracket, capped at the estate ceiling

  • Compliance scoping

    UK GDPR Art. 32(1)(b) integrity-of-processing evidence

Network testing for UK estates.

  • Do you cover IPv6 paths?

    Yes. Dual-stack tested by default; IPv6-only LANs on request. Findings cite NCSC CAF B3.a data-in-transit controls.

  • How does the test fit Cyber Essentials Plus?

    External-facing services match the CE+ assessor's tests. Internal segment findings sit in a supplementary report so the CE+ certificate isn't blocked.

  • Will scanning trip the ICO breach threshold?

    No. Scope and rules-of-engagement signed by both sides. ICO Art. 33 flow documented but not invoked for the test itself.

  • Can you re-test after fixes?

    Yes. One free re-test inside 30 days, GBP fixed-fee. UK engagement lead writes the closure note.

Delivery in United Kingdom

UK network pentest. CAF B3 evidence.

Findings tie to NCSC CAF B3 — data security — and the Cyber Essentials Plus assessor's hands-on tests. London-region storage by default.

Direct line
+44-20-0000-0000
Office
London, United Kingdom

Frameworks scoped: CREST · NCSC CAF · UK GDPR · PCI DSS · ISO/IEC 27001.

Sample network pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full attack-path narrative, captured ticket, relayed session, and the GPO or ACL diff your engineers can deploy. Sent on request after a 5-minute scoping call.