Network Pentest

Network Penetration Testing Service

Digital Roxy runs external and internal network penetration tests against corporate infrastructure, cloud VPCs, and hybrid environments. From perimeter services to Domain Admin, every engagement maps the real path an attacker takes. OSCP-certified testers, manual exploitation, CVSS-scored findings, and compliance attestation.

A network pentest is adversary simulation against your infrastructure.

A network penetration test measures how far a motivated attacker can move through your network once they find a foothold. External network testing validates perimeter defenses against the internet-facing attack surface. Internal network testing simulates an insider, a phished employee, or a compromised contractor: someone already on the network, now trying to escalate. The measurement that matters is time-to-Domain-Admin. Every finding in the report is a step on that path.

Digital Roxy network pentests cover perimeter enumeration, firewall rule validation, segmentation testing, Active Directory exploitation, Kerberos attacks (Kerberoasting, ASREPRoasting, unconstrained delegation), and lateral movement with tools like CrackMapExec, BloodHound, and Impacket. Cloud VPC boundaries and hybrid-cloud trust relationships are in scope where relevant. Every engagement finishes with a documented attack path from starting point to crown jewels, plus the exact controls that would have stopped the chain.

Network Pentest Findings

Attack Paths We Exploit on Network Engagements

Network pentest findings are rarely single vulnerabilities. They are chains. These are the chain components we exploit on most engagements.

Critical

Active Directory Misconfigurations

Kerberoasting of service accounts with weak passwords. ASREPRoasting of accounts with pre-authentication disabled. Unconstrained delegation trust that leads to TGT compromise. Default ACLs on privileged groups. AD misconfig is still the #1 cause of Domain Admin compromise in enterprise environments.

Critical

Exposed Management Interfaces

RDP, SSH, SMB, WinRM, and VNC exposed to the internet or to broad internal subnets. Default credentials, weak passwords, and missing MFA on these interfaces are a direct path to shell. Shodan-style reconnaissance finds them in minutes.

High

SMB & Legacy Protocol Abuse

SMB signing not required allows NTLM relay attacks. LLMNR and NBT-NS poisoning on internal networks captures NTLM hashes. NTLMv1 is still enabled on legacy systems. Protocols written before 2005 are still the most productive internal pentest targets.

High

Firewall Rule Gaps

Segmentation rules that look right in the firewall UI but fail in practice. Any-any rules from jump hosts to production subnets. Management VPNs that route broader than documented. We validate every segmentation claim by actually attempting the blocked traffic, not by reading the ruleset.
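The check described above (attempt the blocked traffic instead of reading the ruleset) can be scripted from the foothold's position. The Python validator below is an added example, not Digital Roxy's tooling: it takes a list of connections the documented policy says are allowed or blocked, attempts each one, and reports every mismatch. The zone labels, rule names and 10.x addresses in the sample policy are constructed placeholders.

```python
"""
Validate firewall segmentation claims by attempting the traffic the policy
describes and comparing the outcome with what the policy says should happen.
Added example; the policy, hosts and zone names are constructed placeholders.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    label: str              # the documented rule this probe tests
    host: str
    port: int
    expect_reachable: bool  # True = policy says allow, False = policy says block


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt.

    'open'        handshake completed
    'refused'     host answered with RST: nothing listening, but the SYN got through
    'filtered'    no answer at all, the usual signature of a firewall drop
    'unresolved'  name did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError:  # timeout, host unreachable, network unreachable
        return "filtered"


def reached_host(observed):
    # For a segmentation claim, 'refused' is as much a failure as 'open':
    # the firewall forwarded the packet and the destination host saw it.
    return observed in ("open", "refused")


def validate(expectations, timeout=2.0):
    """Return (expectation, observed) for every probe that contradicted the policy."""
    violations = []
    for e in expectations:
        observed = probe(e.host, e.port, timeout)
        if reached_host(observed) != e.expect_reachable:
            violations.append((e, observed))
    return violations


if __name__ == "__main__":
    # Constructed policy for a foothold in the corporate user zone.
    policy = [
        Expectation("corp -> intranet web allowed", "10.10.20.5", 443, True),
        Expectation("corp -> finance DB blocked", "10.20.30.8", 1433, False),
        Expectation("corp -> finance file share blocked", "10.20.30.9", 445, False),
        Expectation("corp -> jump host RDP blocked", "10.10.99.2", 3389, False),
    ]
    for e, observed in validate(policy):
        print(f"VIOLATION {e.label}: {e.host}:{e.port} observed {observed}")
```

Run it from the network position the claim is about, not from the tester's own VLAN, and run it once against loopback first so a broken probe is not mistaken for a working firewall. The distinction between 'refused' and 'filtered' is the useful part of the report: a refused connection to a finance host from a corporate foothold means the segmentation rule is not being enforced even though no service happened to be listening.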

High

Credential Reuse & Password Spraying

One leaked credential in a breach corpus, sprayed across every service the organization exposes, lands on an account somewhere. Every external network pentest tests this. Most engagements find at least one account. Some find dozens.
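Both the spraying described here and the Kerberoasting and ASREPRoasting listed under Active Directory Misconfigurations leave a distinctive shape in domain controller logs, which is the detection opportunity a SOC should be tuned for. The Python below is an added example, not code from the page or from Digital Roxy: it runs three detections over constructed event records. The event IDs and field meanings (4769 TicketEncryptionType 0x17 for RC4-HMAC, 4768 PreAuthType 0 for no pre-authentication, 4625/4624 for failed and successful logons) are real Windows Security log values; the one-line key=value format, account names and addresses are constructed for the example.

```python
"""
Detections over constructed Windows Security event records:
  Kerberoasting      4769 with RC4 service tickets, many SPNs from one account
  AS-REP roasting    4768 issued with PreAuthType 0 (no pre-authentication)
  Password spraying  4625 failures across many accounts from one source,
                     each account tried only once or twice, plus any 4624 hit
The line format and sample values are constructed; the event semantics are real.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

KERBEROS_EVENTS = """\
2024-05-01T09:00:01Z id=4769 user=jdoe service=HTTP/intranet.corp.local enc=0x12 src=10.0.5.21
2024-05-01T09:12:00Z id=4769 user=svc-backup service=krbtgt/CORP.LOCAL enc=0x17 src=10.0.5.50
2024-05-01T09:12:01Z id=4769 user=svc-backup service=MSSQLSvc/db01.corp.local:1433 enc=0x17 src=10.0.5.50
2024-05-01T09:12:01Z id=4769 user=svc-backup service=HTTP/intranet.corp.local enc=0x17 src=10.0.5.50
2024-05-01T09:12:02Z id=4769 user=svc-backup service=CIFS/files01.corp.local enc=0x17 src=10.0.5.50
2024-05-01T09:12:02Z id=4769 user=svc-backup service=ldap/dc01.corp.local enc=0x17 src=10.0.5.50
2024-05-01T09:12:03Z id=4769 user=svc-backup service=WS01$ enc=0x17 src=10.0.5.50
2024-05-01T09:30:00Z id=4768 user=legacy-app preauth=0 enc=0x17 src=10.0.5.50
2024-05-01T09:31:00Z id=4768 user=jdoe preauth=2 enc=0x12 src=10.0.5.21
"""

LOGON_EVENTS = """\
2024-05-02T02:00:01Z id=4625 user=alice src=203.0.113.7
2024-05-02T02:00:09Z id=4625 user=bob src=203.0.113.7
2024-05-02T02:00:17Z id=4625 user=cchen src=203.0.113.7
2024-05-02T02:00:25Z id=4625 user=dpatel src=203.0.113.7
2024-05-02T02:00:33Z id=4625 user=efox src=203.0.113.7
2024-05-02T02:00:41Z id=4625 user=hgray src=203.0.113.7
2024-05-02T02:04:00Z id=4624 user=hgray src=203.0.113.7
2024-05-02T02:10:00Z id=4625 user=admin src=198.51.100.9
2024-05-02T02:10:01Z id=4625 user=admin src=198.51.100.9
2024-05-02T02:10:02Z id=4625 user=admin src=198.51.100.9
2024-05-02T08:15:00Z id=4625 user=jdoe src=10.0.5.21
"""

RC4_HMAC = 0x17


def parse_events(text):
    """'timestamp key=value ...' lines -> dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def roastable(spn):
    # krbtgt and machine accounts (trailing $) are not what Kerberoasting harvests.
    return not spn.lower().startswith("krbtgt/") and not spn.endswith("$")


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Accounts that pulled >= min_services distinct RC4 service tickets inside one window."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("id") == "4769" and int(ev["enc"], 16) == RC4_HMAC and roastable(ev["service"]):
            per_user[ev["user"]].append((ev["ts"], ev["service"]))
    findings = []
    for user, reqs in sorted(per_user.items()):
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_services:
                findings.append({"user": user, "start": t0, "services": sorted(spns)})
                break  # one finding per account is enough for triage
    return findings


def detect_asrep_roastable(events):
    """Accounts whose TGT was issued without pre-authentication (4768, PreAuthType 0)."""
    return sorted({ev["user"] for ev in events if ev.get("id") == "4768" and ev.get("preauth") == "0"})


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Sources that failed against many distinct accounts, each only a few times.
    One account hammered repeatedly is brute force (left to lockout policy), not a
    spray. Any success from the same source shortly after is reported as a hit."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("id") == "4625":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
        elif ev.get("id") == "4624":
            successes[ev["src"]].append((ev["ts"], ev["user"]))
    findings = []
    for src, fails in sorted(failures.items()):
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            in_window = [(t, u) for t, u in fails[i:] if t - t0 <= window]
            per_account = Counter(u for _, u in in_window)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                t_end = in_window[-1][0]
                hits = sorted({u for t, u in successes[src] if t0 <= t <= t_end + window})
                findings.append({"src": src, "accounts": sorted(per_account), "hits": hits})
                break
    return findings


if __name__ == "__main__":
    kerb = parse_events(KERBEROS_EVENTS)
    for f in detect_kerberoasting(kerb):
        print(f"Kerberoasting pattern: {f['user']} pulled {len(f['services'])} RC4 tickets from {f['start']}")
    for u in detect_asrep_roastable(kerb):
        print(f"AS-REP roastable account: {u}")
    for f in detect_password_spray(parse_events(LOGON_EVENTS)):
        print(f"Spray from {f['src']}: {len(f['accounts'])} accounts tried, hits: {f['hits'] or 'none'}")
```

The thresholds are starting points, not tuned values: in an environment where AES is enforced for service accounts, a single RC4 service ticket is already worth a look, and the spray window should match the lockout observation window the domain actually uses. The same logic ports to a SIEM query once the real field names (TicketEncryptionType, PreAuthType, IpAddress, TargetUserName) replace the constructed ones.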

High

Cloud-On-Prem Trust Boundary Abuse

Azure AD Connect sync accounts with excessive on-prem privileges. Federation trust misconfigurations. AWS IAM roles assumable from on-prem servers with overly broad permissions. The cloud boundary is the new perimeter, and most teams have not tested it.

Medium

IPv6 & mDNS Internal Enumeration

IPv6 enabled by default on modern Windows with no monitoring. mDNS, LLMNR, and WSD broadcasting on internal networks. These channels leak hostnames, user names, and hashed credentials that never show in IPv4 logs.

Critical

Patch Backlog & Unpatched CVEs

ProxyShell, ProxyLogon, PrintNightmare, and the rolling list of CVEs that stay exploitable for years on unpatched infrastructure. We validate exploitation, not just version numbers.

Methodology

Our Network Pentest Methodology

Methodology aligned with OSSTMM 3 and NIST SP 800-115. External and internal phases are distinct engagements with distinct toolsets and distinct reporting structures.

EXT-RECON

External Attack Surface Mapping

Passive OSINT, DNS enumeration, subdomain discovery, certificate transparency logs, and identification of every internet-facing service tied to the organization. Shodan, Censys, and Digital Roxy's proprietary dataset give us the external surface you did not know you had.

EXT-PROBE

External Service Probing

Port scanning with rate limits to avoid provider notification thresholds. Service fingerprinting against every exposed endpoint. Vulnerability correlation against known CVEs for the exact versions detected. Manual validation of every candidate finding before it enters the report.

FOOTHOLD

Foothold Establishment

For external engagements that advance to active exploitation (when the scope allows it), we establish a foothold through a confirmed vulnerability. For internal engagements, the foothold is assumed: a provisioned user account or a corporate laptop image representing a phished employee.

INT-ENUM

Internal Network Enumeration

Once on the internal network, we enumerate Active Directory with BloodHound, map open shares, identify administrative tooling, and build the full internal attack graph. This is the phase where most "interesting" findings emerge.

LATERAL

Lateral Movement

Credential harvesting (LSASS, SAM, ntds.dit), pass-the-hash, pass-the-ticket, and targeted spraying to escalate from initial foothold into adjacent systems. Every lateral movement step is documented with the exact tooling and detection opportunity.

PRIVESC

Privilege Escalation

Local privilege escalation on compromised hosts (SeImpersonate abuse, unquoted service paths, DLL hijacking). Domain privilege escalation through AD CS, DCSync rights, and delegation misconfigurations. Goal: Domain Admin or the pre-agreed crown jewel.

REPORT

Attack Path Report & Retest

Narrative report showing the exact attack path from initial foothold to objective. CVSS-scored findings. Detection opportunities for each step (what your SOC would have seen if configured correctly). Free retest after remediation.

Toolset

Our Network Pentest Toolset

Tooling lineage traces to the offensive security community. Every tool listed is used by real red teams and real attackers. Our skill is in combining them into attack chains, not in using them individually.

Nmap + Masscan

Port discovery and service fingerprinting. Masscan for breadth, Nmap for depth and script-based version validation.

BloodHound + SharpHound

Active Directory attack path mapping. Every engagement includes a BloodHound graph of your AD environment as a report deliverable.

Impacket

Kerberos attacks, SMB relay, DCSync, and the full catalog of AD-native protocol abuse. Python-based so it runs from attacker Linux boxes without Windows tooling.

CrackMapExec / NetExec

Swiss-army tool for post-foothold network traversal. Credential spraying, share enumeration, command execution, and data extraction across Windows and Linux.

Responder + mitm6

LLMNR/NBT-NS/mDNS poisoning for hash capture. mitm6 for IPv6-based DNS takeover that most environments miss entirely.

Metasploit + Cobalt Strike

Post-exploitation frameworks for beaconed operations. Cobalt Strike for engagements requiring detection evasion testing.

Pricing

Network Pentest Engagement Tiers

Three engagement sizes. Every quote is fixed-price after a 15-minute scoping call. No hourly billing.

External

External-only pentest against internet-facing assets. Right for annual compliance with no internal scope.

From $4,500 · flat fee
  • Up to 32 external IPs
  • Subdomain enumeration
  • Service fingerprinting
  • CVE validation
  • 1-week engagement
  • One free retest
  • PCI/SOC 2 attestation

Assumed Breach

Red-team-style assumed breach scenario. Tester starts with a low-privilege foothold and simulates a targeted intrusion.

From $14,500 · flat fee
  • Everything in External + Internal
  • Assumed breach foothold simulation
  • Detection evasion testing
  • Credential harvesting simulation
  • Data exfiltration path testing
  • Purple team debrief with SOC
  • MITRE ATT&CK mapping

FAQ

Network Pentest Questions, Answered Directly

External network pentesting simulates an attacker on the internet with zero insider access. It tests perimeter defenses, exposed services, and what can be reached from outside. Internal network pentesting simulates an attacker already on the network, typically through a phished employee or compromised contractor. It tests lateral movement, Active Directory security, and privilege escalation paths. Most compliance frameworks require both.

Yes. Options include: (1) a VPN connection to a tester-controlled box on the internal network, (2) shipping us a preconfigured laptop, (3) deploying a Digital Roxy testing appliance on the internal network for the engagement duration. All three are common. VPN is fastest to set up. A shipped laptop is cleanest for compliance scoping.

Standard network pentests do trigger alerts, and that is a feature, not a bug. Seeing which activity your SIEM catches is part of the value. For stealth-specific engagements (detection evasion testing, purple-team exercises), scope is defined explicitly to bypass standard detection and measure what your team can catch under adversarial conditions.

External-only network pentests take one week of active testing plus one week for reporting. External + internal combined engagements take two to three weeks of active testing. Assumed breach scenarios with detection evasion take three to four weeks. Your remediation time varies. The retest runs one to two weeks.

Yes, and it is one of the most valuable parts of an internal pentest. If you claim that your finance network is segmented from the general corporate network, we test that claim by attempting to reach finance systems from a corporate foothold. Segmentation claims in firewall documentation and segmentation in practice are often different. This matters for PCI DSS scoping and for SOC 2 logical access controls.

Yes, and AD is a primary focus of our internal pentest engagements. We run Kerberoasting, ASREPRoasting, DCSync, ACL-based privilege escalation, unconstrained delegation abuse, AD CS abuse (ESC1 through ESC8), and BloodHound-driven attack path enumeration. AD compromise typically happens within the first 4-8 hours of an internal engagement. The remaining time goes into documenting detection opportunities and building the full attack path narrative.

Any data accessed during an internal pentest (hashes, screenshots, exfiltrated file samples for proof-of-access) is stored encrypted in an isolated engagement workspace during the test, and is destroyed on a defined schedule after the retest completes and attestation is delivered. Destruction is logged. Clients receive a data destruction certificate as a report deliverable.

Every engagement has a rules-of-engagement document with emergency contacts on both sides and a pre-agreed pause/abort procedure. If the client's SOC flags our activity and cannot confirm it, we have "get out of jail" letters signed by the scoping authority, plus real-time confirmation via Slack or phone. No pentest activity has ever caused a production outage on a Digital Roxy engagement, but the escalation path exists for the unusual case.

Ready to scope your Network Pentest?

Book a 15-minute scoping call. You get a fixed-price quote within one business day.