
Assume breach. Simulate genuine insider threats and scenarios like an employee accidentally clicking on that free gift card link. In ~80% of our engagements in 2025 (so far) we've uncovered vulnerabilities that allowed us to go from just network access to Domain Admin.
Internal Network Penetration Testing simulates an attacker with internal network access, such as a compromised BYOD device or malicious insider. The test identifies weaknesses in host configurations and looks for privilege escalation paths and lateral movement opportunities.
T-14 days
T-7 days
Our remote testing probes allow us to conduct internal network penetration tests from afar without the need for old-school site visits. Once the device is connected to your network, it automatically dials back to our testing infrastructure with no configuration required on your part.
This approach not only minimises disruptions by allowing for out-of-hours testing activities but also reduces costs!
Testing starts! Our certified penetration testers manually search for vulnerabilities to uncover complex attack chains used by advanced threat actors.
Should any critical vulnerabilities be discovered, we communicate these immediately to ensure swift mitigation.
T+14 days
Upon completion of the testing phase, we deliver a detailed report that outlines all identified vulnerabilities, accompanied by options for remediation.
A key part of our service is the debrief call, where we walk through the report together. This ensures that all findings are fully understood and that the necessary steps for remediation are clearly communicated.
Discover vulnerabilities within the network that may not be visible from the outside. Ensure that the old cupboard PC hasn't been overlooked in your vulnerability management processes.
Identify discrepancies between your policy documentation and actual practices, and ensure that security measures are enforceable and effective in real-world scenarios.
Gain visibility of the potential damage a malicious insider could cause, particularly by identifying employees with excessive access privileges.
Close your organisation's detection gaps. Internal network penetration testing provides an opportunity to test and refine surveillance and alert systems.
Manual assessment forms the bulk of our penetration testing engagements:
Project Black's high-level approach to assessing networks is adapted from NIST SP 800-115 and Chris McNab's "Network Security Assessment". The methodology aims to add structure to penetration testing engagements such that weaknesses are consistently discovered across various environments.
Four key phases of testing are highlighted below:
Assessing Network Services
This stage involves a thorough review and validation of network services to identify open ports and running services, enumerate versions, and find associated vulnerabilities with publicly available exploit code.
Assessing Misconfigurations
In this step, we examine network and system configurations to uncover insecure settings that could be exploited by attackers. This can include verifying security protocols, authentication/authorisation mechanisms, and various software configurations.
Active Directory Evaluation
The assessment of Active Directory involves identifying vulnerable configurations, such as unconstrained delegation and permission DACLs, in order to find ways to escalate privileges to Domain Admin.
Identifying Opportunities for Vulnerability Chaining
Chaining the exploitation of multiple vulnerabilities can result in greater impact than is possible with the exploitation of standalone findings.
Project Black maintains an extensive repository of internally developed TTPs (Tactics, Techniques, and Procedures) while also drawing upon the wealth of open-source knowledge contributed by the global hacking community.
No. We use a remote testing probe - a small plug-and-play device you connect to your network that automatically dials back to our testing infrastructure. This means we can conduct internal assessments fully remotely, reducing cost and disruption.
Our probes are small rugged PCs that require no configuration on your end. Once plugged into a network port, they establish an encrypted outbound connection to our systems, allowing us to conduct testing remotely.
We typically simulate a compromised device that’s fully unauthenticated (e.g. a rogue device). If we’re unsuccessful in establishing a foothold from this scenario, we may ask for a standard domain account.
Generally not disruptive at all. We avoid techniques that could crash services or cause degradation. Out-of-hours testing windows for potentially dangerous actions can be arranged via the remote probe to further reduce business impact. We communicate immediately if anything unexpected occurs.
Common AD attack paths we evaluate include Kerberoasting, AS-REP Roasting, Pass-the-Hash, delegation abuse (constrained and unconstrained), ACL misconfigurations, NTLM relay attacks, and domain privilege escalation paths through to Domain Admin.
In approximately 80% of our 2025 internal network engagements, we have successfully escalated from standard user access to Domain Admin. This highlights how common privilege escalation paths remain in real-world Active Directory environments.
Simply fill out and submit the form, and we'll provide you with a quote within hours - unless you fill it in at 3am!