Skip to content
Cyberoptic Security
Services About Releases Contact Get a quote

Internal Network Penetration Testing

Simulates an attacker who already has a foothold inside your network, and measures how far they could actually get.

Get a quote

What is an internal network penetration test?

An internal network penetration test simulates an attacker who has already gained access to your network, through a compromised employee account, a successful phishing attack, a contractor device, or an unauthorised physical connection. The test evaluates how far an attacker could progress once they are inside your perimeter.

This differs from external testing, which looks at what attackers can reach from the internet. Internal testing assumes the perimeter has already been breached, a realistic scenario for any organisation that has experienced a security incident.

What we test

The approach mirrors how an attacker with initial access would operate, following realistic attack paths rather than simply scanning the network.

  • Network enumeration and mapping: identifying accessible systems, services and devices from a standard user position, including those that should not be reachable.
  • Privilege escalation: moving from low-privilege accounts to more powerful ones using misconfigured permissions, unpatched vulnerabilities, exposed service accounts, or accessible credentials.
  • Lateral movement: testing how access to one system enables reaching others, particularly where credential reuse or administrative account misuse occurs.
  • Active Directory assessment: for Windows environments, examining common misconfigurations and attack paths including Kerberoasting, AS-REP roasting, unconstrained delegation, and weak permissions that could lead to domain administrator.
  • Credential exposure: checking for accessible password hashes, plaintext credentials or session tokens from standard network positions, including file shares, scripts, configuration files and system memory.
  • Network segmentation: testing whether sensitive areas are properly isolated. Direct access from a standard workstation to finance systems, production servers or backups is a finding regardless of those systems’ own security.
  • Detection capability: noting whether test activity generates alerts or appears in logging, flagging significant visibility gaps.

Who needs an internal network penetration test?

  • Organisations that have never tested internally: many businesses invest heavily in perimeter controls without testing the internal network, which typically holds sensitive data and is often less defended than the perimeter.
  • Compliance-driven testing: ISO 27001 requires assessment of internal environments, and PCI DSS mandates internal penetration testing for organisations in scope, at least annually.
  • After significant changes: networks accumulate legacy systems, forgotten service accounts, over-permissioned groups and configuration drift. After a merger, an upgrade or a move to hybrid, internal testing shows the current reality from an attacker’s view.
  • Following an incident: after a breach or near-miss, internal testing post-remediation confirms the attack path is closed and similar weaknesses do not exist elsewhere.

What the process looks like

The engagement begins with a scoping call to understand the environment: network size, operating systems, Active Directory deployment, and any systems that need careful handling during testing.

Most internal tests provide a standard user account and network access, either on-site or via VPN, representing realistic starting positions like a compromised employee account or a connected device.

Testing typically spans three to five days depending on size and complexity, with findings documented throughout, including the complete attack path for each significant discovery. The report includes a management summary, a detailed technical section for your IT team or provider, and prioritised remediation guidance.

Retesting

Once remediation is complete, focused retesting confirms the fixes were applied correctly and the identified attack paths are closed.

Where we work

On-site testing is available for Auckland businesses, with travel arranged for other New Zealand locations that need on-site access. Many internal tests run successfully over remote VPN, particularly for single-office or cloud-based organisations.