Network penetration testing

Find what a vuln scan never reaches.

External · Internal · Wireless · Devices, tested by hand for SMB-signing NTLM relay, mitm6 + WPAD coercion, kerberoastable service accounts, ADCS ESC1 template abuse, EAP/WPA2-Enterprise misconfig, and exposed firewall management. Every finding lands with the captured ticket, the relayed session, the cracked hash, and the GPO or ACL diff your team can ship.

Read a sample report
Four network surfaces, External, Internal, Wireless, Devices, converging on a proof-of-exploit card showing a kerberoast-to-domain-admin chain.

Four surfaces

External · Internal · Wireless · Devices, one method, four entry points.

Evidence

Captured tickets, relayed sessions, cracked hashes, not screenshots of a scanner.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • AICPA SOC 2 Type II
  • CREST accredited
  • ISO/IEC 27001

Why a vuln scan isn't a pentest

An open port is not domain admin.

A scanner reports SMB signing optional, IPv6 enabled, a service account with a SPN. SecureLayer7's operators take it further, relay the next workstation auth into a privileged share, run mitm6 against the IPv6 stack to coerce DC$ to authenticate, kerberoast the SPN and crack it offline. Every finding ships with the captured ticket, the relayed session, and the GPO or registry diff your engineers can deploy.

How AI fits in network pentest engagements →
Two columns, scanner findings on the left, the chained exploit each becomes on the right: NTLM relay, mitm6 coercion, kerberoast.
Two columns, scanner findings on the left, the chained exploit each becomes on the right: NTLM relay, mitm6 coercion, kerberoast.

IN SCOPE.

What lands in a network engagement.

PERIMETER
External attack surface

Exposed services, expired certs, forgotten subdomains, third-party connectors with weak trust.

ACTIVE DIRECTORY
Domain pivot paths

Kerberoasting, AS-REP, ACL abuse, ADCS templates, GPO ownership. Map to Domain Admin.

SEGMENTATION
VLAN + zone hops

Lateral routes the firewall ruleset doesn't see. Server VLAN to OT, DMZ to user, prod to dev.

EGRESS
Outbound chains

DNS tunnels, C2 channels through allowed proxies, SSL-inspection gaps, egress to attacker infra.

INTERNAL NETWORK COVERAGE.

What 200+ internal chains decompose into when we run a real test.

200+
  1. 01
    Guest port to domain user

    NAC bypass via MAC spoof on a printer VLAN, then LLMNR poisoning with Responder to capture NTLMv2 hashes.

  2. 02
    NTLM relay to ADCS

    Coerce auth with PetitPotam or PrinterBug, relay to Active Directory Certificate Services ESC8 web enrollment for a domain admin cert.

  3. 03
    Kerberoasting to service account

    Request service tickets for SPN-bound accounts, crack the RC4 hash offline, reuse the password against linked SQL boxes.

  4. 04
    mitm6 to DNS takeover

    Spoof DHCPv6 with mitm6, become the IPv6 DNS server, relay WPAD-triggered auth into LDAPS for domain object writes.

  5. 05
    LAPS read to local admin

    Abuse a misconfigured ACL on ms-Mcs-AdmPwd to pull plaintext local administrator passwords across a tier-2 fleet.

  6. 06
    Segmentation hop to OT

    Find a flat path from corporate Wi-Fi to the OT VLAN through a forgotten jump host with exposed RDP and reusable creds.

What we test —

Four network surfaces. One engagement.

Each boundary gets a manual, threat-modelled review against its real attack surface — perimeter, AD-joined estate, wireless edge, and the devices that route between them. Intensity tunes per scope.

External — internet-facing

Subdomain takeover, exposed RDP/SSH/SMB, vendor-portal SSRF, VPN-appliance CVE chains, perimeter mail-relay abuse, exposed git/CI endpoints, ASN-wide cert-transparency mining, and credential-leak correlation against the perimeter login surface.

Internal — east-west + AD

SMB-signing NTLM relay, kerberoasting and AS-REProasting, mitm6 + WPAD coercion, ADCS ESC1–ESC8 abuse, LAPS-password reuse, Group Policy preference passwords, BloodHound-mapped attack paths to Domain Admin and Tier-0 hosts.

Wireless — Wi-Fi + 802.1X

WPA2/WPA3 handshake capture and crack, EAP-TLS cert-pinning bypass, PEAP/MSCHAPv2 relay, rogue-AP and KARMA, 802.1X NAC bypass via MAC spoof, guest-network pivot, captive-portal credential harvest.

Devices — firewalls, switches, routers

Exposed management interfaces (SSH/HTTPS/SNMP), default and stale credentials, ACL bypass via spoofed source, SNMPv2 community brute-force, IPv6-routing override, firmware-CVE pivot to lateral access.

NETWORK PENTEST METHODOLOGY.

Eight phases. Perimeter to Domain Admin.

Threat-modelled to your perimeter, AD topology, segmentation, and admin-tier model. Not a template we run against every network.

  1. 01

    Scope & threat-model

    In-scope CIDRs, AD forests, wireless SSIDs, and admin tiers agreed in writing before any traffic. Out-of-scope DR sites, partner ASNs, and legal-blocked targets recorded.

  2. 02

    Recon & enumeration

    ASN and cert-transparency sweep on the perimeter, BloodHound and PingCastle on the internal estate, wireless RF survey for in-scope SSIDs, SNMP or SSH banner inventory on devices.

  3. 03

    External exploitation

    Vendor-portal SSRF, exposed admin interfaces, VPN-appliance CVE chains, mail-relay abuse, leaked-credential password-spray. Exercised to first foothold inside the perimeter.

  4. 04

    AD exploitation

    NTLM relay across SMB-signing-off hosts, mitm6 with WPAD coercion, kerberoast and AS-REProast, ADCS ESC chains, LAPS reuse, Group Policy preference passwords. Pursued to Domain Admin or Tier-0.

  5. 05

    Wireless & edge

    Handshake capture and crack, EAP or PEAP relay, rogue-AP and KARMA, 802.1X bypass via MAC spoof, captive-portal harvest. Measured to a routable session inside the corporate VLAN.

  6. 06

    Vulnerability analysis

    Findings correlated, chained into attack paths, scored against your real network blast-radius. Your team sees what's reachable, not just what's exposed.

  7. 07

    Remediation guidance

    GPO snippets, ADCS template diffs, firewall ACL changes, switch port-security configs, AD tiering recommendations. Written for network and AD engineers, not auditors.

  8. 08

    Patch verification

    Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.

Insights

Network security Resources.

Field notes on segmentation drift, AD path abuse, and the internal-network bugs that scanners miss.

Meet our expert

Meet our expert

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes network pentest engagements against your perimeter, AD topology, wireless footprint, and admin-tier model. He guides the pod from kick-off through final report and re-test.

  • Scopes external, internal, wireless, and device-layer engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every captured ticket and relayed session.
  • Drives remediation review and re-test until every attack path is closed.
SL7 Lab. Published CVE research.
John Dill, vCISO at SecureLayer7

Ready to scope a network pentest? Book 30 minutes with John to walk through your perimeter, AD model, and timeline.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

SaaS production networks, segmentation between dev/stage/prod, VPN paths.

See Tech SaaS pentest

FinTech

Branch-DC networks, ATM-adjacent zones, payment-rail segmentation.

See FinTech pentest

Retail

Store networks, in-store wireless, POS-back-office segmentation.

See Retail pentest

Built for United States engagements

What changes when we deliver here.

  • Compliance scoping

    PCI DSS v4.0 §11.4.1 / §11.4.5 evidence on every network engagement.

  • Regulatory framework

    CMMC Level 2 CA.L2-3.12.1 and RA.L2-3.11.2 mapping for DIB clients.

  • Local engagements

    Manufacturer closed C3PAO assessment with our network report as primary evidence.

  • Local pricing

    USD per-IP-band pricing, no surcharge for after-hours US windows.

  • Compliance scoping

    NIST SP 800-115 method documented per phase of the engagement.

Questions US network-security leads ask first.

  • Does the report satisfy PCI DSS §11.4 annual external testing?

    Yes. The method follows §11.4.1 and §11.4.2. QSAs have accepted the artifact for ROC submission without rework.

  • Will this hold up to a CMMC Level 2 C3PAO assessment?

    Yes. Findings cite CA.L2-3.12.1 and RA.L2-3.11.2. Defense suppliers reuse the report inside their POAM.

  • How do you stage tests across multi-site US footprint?

    Test plane is US-only. Sites are sequenced to fit your change-window calendar. No after-hours surprise traffic.

  • Do you test segmentation between CDE and corporate zones?

    Yes. PCI DSS v4.0 §11.4.5 segmentation tests are part of the default scope for cardholder-data networks.

Delivery in United States

NIST 800-115 method. PCI §11.4. CMMC L2 evidence.

Internal and external scans run against NIST SP 800-115. Findings cite PCI DSS v4.0 §11.4 and CMMC Level 2 CA.L2-3.12.1. Austin TX operators keep traffic inside US business hours.

Direct line
+1-512-643-7291
Office
Austin, TX, United States

Frameworks scoped: SOC 2 · HIPAA · PCI DSS · NIST CSF · FedRAMP · CMMC.

Sample network pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full attack-path narrative, captured ticket, relayed session, and the GPO or ACL diff your engineers can deploy. Sent on request after a 5-minute scoping call.