Subscribe to the CyberThreatPOV Podcast

Episode 11: Offensive Security Testing Part 1 – Internal Pentesting

*Check out our podcast and YouTube video released on 10/12/22, where we talk about this subject. Hope to see you there!


Have you ever thought, what’s the return on investment (ROI) of a penetration test? Is it even worth it? What value do you actually get from a penetration test? Well, let’s consider, what is the ROI of a soccer ball for Leo Messi? A billion dollars. For you and me? $0.00.

My point is a penetration test is a tool. Like any other tool, it’s only as good as your use of it. Its purpose is to assist in identifying and evaluating vulnerabilities to determine risk to your firm or organization. In this blog post and accompanying podcast, we explore two types of Internal Penetration Testing. Traditional Internal Pentests and Assumed Breach. At the end of this blog post I describe how to get the most value, the most ROI out of your next penetration test.

The Difference Between Traditional Internal Pentests and Assumed Breach

Traditional Internal Pentest

A traditional internal pentest typically consists of connecting a device or laptop, that’s running Kali Linux or some other pentesting OS, to the target network. This pentest begins from the assumption that an “attacker” has someone gained access to your network and is trying to further penetrate your systems to carry out their evil biddings. Normally, you do not start with any kind of domain credentials. And your job is to find all the vulnerabilities you can in the time allowed for the engagement.

The first downside of a traditional internal pentest is that it lacks realism. Many firms and organizations are seeking a penetration test, in part, so they can begin to simulate a real attacker in their network. While a red team is going to be the best option for that specific goal, the next type of internal pentest, Assumed Breach, gets us closer to that target, while still being a comprehensive pentest. The second downside is that the goals of this type of test doesn’t warrant the testing of the security controls and antivirus/EDR on your endpoints. Because of that, there could be high severity vulnerabilities on your endpoints that lead to privilege escalation or even bypassing defenses, that get missed.

Don’t get me wrong. There is tremendous value in having a traditional internal penetration test done. However, we understand that most clients are limited in time and budget, and they want to spend their dollars the best way possible. To us Assumed Breach more often provides more value dollar for dollar.

Assumed Breach

If you’ve received an internal penetration test from us (SecurIT360) in the last year you know that we’re big proponents of assumed breach over traditional internal pentests. This test starts with access to a domain user account on a domain system. Typically, an end-user workstation with typical rights and permissions your users would have. We start with the assumption that an attacker has compromised a user or system and has obtained internal access to your environment. This is a great tabletop exercise idea as well. Perhaps it’s an attacker or maybe it’s a malicious insider, or maybe even worse a vendor with unattended access to key servers.

The reason this test is constructed this way is because it simulates, more closely than a traditional internal pentest, a real attacker on your network. In this type of test, at least at SecurIT360, we thoroughly review your endpoint security configuration, we identify privilege escalation and lateral movement opportunities, and we intentionally make more noise as the engagement progresses. This is great because it also tests your security monitoring capabilities and/or your SOC. The third reason we see clients pursuing assumed breach is because of the ability to identify misconfigurations within Active Directory. In a traditional penetration test, many times you need a valid account before you can begin poking around Active Directory. So, it moves the configuration checking further down the line of priorities. But with assumed breach, that’s a staple component of the testing.

The ROI of a Pentest

Going back to the analogy from the introduction. The reason the ROI of a soccer ball is a billion dollars for Leo Messi is because of the countless hours of training and repetition and learning he has put into his craft. The same can be send for pentests.

First, don’t look at a pentest as an annual compliance check-box event. Put time and effort in to understand the findings and the root causes. Many findings on an internal pentest can be solved by implementing least privilege and change management procedures. Dig into that! I find that clients who take the time to ask questions and get engaged in the process, end up understanding their systems, applications, and environments better after a pentest. This is not to toot our own horn; this is the truth that many have never peeled back the layers or looked behind the curtain of their systems. But when you do, you begin to fully understand the immense ROI of a pentest.

If you’re on to go, listen here or on your favorite podcast app:

Work with Us: