Methodology

A network and cloud penetration test that follows the attack paths real intrusions use.

External perimeter, internal Active Directory, AWS/Azure/GCP configuration — aligned to NIST SP 800-115 and PTES, cross-walked to CIS Benchmarks so findings map to the controls your auditor expects.

Why methodology matters

The attack paths that cause breaches span network, identity, and cloud.

A perimeter scan misses what matters most: a compromised workstation that kerberoasts domain accounts, an AD misconfiguration BloodHound maps to domain admin in three hops, an IAM role any authenticated principal can assume. Those findings only surface when a tester manually walks the attack path.

The methodology below covers perimeter, identity, and cloud in a structured sequence aligned to the standards your auditor will recognize.

The methodology

Six phases, every engagement.

  1. Scoping and rules of engagement

     Confirm in-scope IP ranges, AD domain(s), cloud accounts (AWS/Azure/GCP), and any explicit exclusions, change windows, and safe-testing constraints — aligned to NIST SP 800-115.

  2. External recon and surface mapping

     Subdomain and asset discovery, port and service identification, TLS posture, attack-surface drift from baseline. Builds the inventory for the validation phase.

  3. External validation and exploitation

     Manual validation of identified weaknesses — perimeter VPN, exposed admin interfaces, mail and DNS, and any unauthenticated services reachable from the internet.

  4. Internal testing and identity

     Active Directory attack-path mapping, kerberoasting, AS-REP roasting, NTLM relay, LLMNR/NBT-NS poisoning under explicit authorization, lateral-movement validation, and segmentation testing.

  5. Cloud configuration and IAM

     IAM trust-path review across AWS, Azure, or GCP; public-storage and serverless-permission audit; secrets in CI and metadata; container and Kubernetes RBAC. Findings cross-walked to CIS Benchmarks.

  6. Reporting and retest

     Per-finding writeup with PoC, severity, paste-ready remediation, and a segmentation-testing report where in scope. Same-day disclosure of criticals. Retest and reissued report after fixes.

What we look for

Coverage across attack paths real intrusions use.

  • External — exposed admin interfaces, perimeter VPN posture, default credentials, attack-surface drift, mail and DNS misconfiguration, TLS quality.
  • Internal / Active Directory — kerberoasting, AS-REP roasting, NTLM relay, ACL abuse via BloodHound, ADCS misconfigurations, GPO-driven privilege escalation, segmentation containment.
  • Identity providers — SAML/OIDC trust paths, SCIM provisioning, MFA bypass, conditional-access drift, OAuth scope abuse, refresh-token replay.
  • AWS — IAM role and policy abuse, public S3, EC2 metadata exposure (IMDSv1 vs v2), Lambda permissions, KMS key handling, GuardDuty and CloudTrail coverage gaps.
  • Azure — Entra ID misconfigurations, conditional-access gaps, managed identity abuse, storage account exposure, RBAC drift.
  • GCP — IAM hierarchy abuse, Compute Engine metadata server, public Cloud Storage, service-account impersonation, Workload Identity misconfig.
  • Containers and Kubernetes — RBAC misconfiguration, exposed dashboards and APIs, container escape paths, secrets in environment.

Not sure which surfaces to prioritize?

A quick scoping call gives you a fixed scope, price, and date — no slides.

Tools we use

The network and cloud toolkit.

Nmap and masscan

Port and service discovery across external and internal ranges.

Nessus / OpenVAS

Authenticated and unauthenticated vulnerability scanning to identify candidates for manual validation.

BloodHound and SharpHound

Active Directory attack-path graphing — kerberoasting, ACL abuse, trust analysis.

Impacket suite

SMB/AD protocol attacks — secretsdump, GetUserSPNs, ntlmrelayx, psexec, smbexec.

NetExec (formerly CrackMapExec)

Large-scale SMB, WinRM, and AD enumeration.

Responder

LLMNR/NBT-NS poisoning under explicit authorization.

Pacu, ROADtools, GCPBucketBrute

Cloud post-exploitation across AWS, Azure, and GCP.

ScoutSuite and Prowler

Cloud configuration audit aligned to CIS Benchmarks.

Hashcat

Offline credential cracking against captured hashes.

Quality controls

How we keep the report honest.

  • Manual validation of every scanner-produced finding — scanner output is a starting point, not a deliverable.
  • Peer review on every finding before the report.
  • Evidence standard — every finding has a reproducible PoC, command, or screenshot trail.
  • Senior throughout — same person from scoping call to retest. No subcontractors.
  • Same-day disclosure of critical findings on a shared channel.

Deliverables

One report, three audiences.

  • Board summary; executive section with compliance framework and CIS Benchmark mapping; engineering section with PoC, command lines, and paste-ready remediation per finding.
  • Segmentation-testing report where in scope (PCI DSS 11.4.5 / 11.4.6).
  • Retest of all reported findings and reissued report after fixes.

FAQ

Network and cloud methodology — common questions

How do you handle internal testing without sending a tester on site?

We agree on the access model at scoping: an internal jump host you provision, an on-site engagement, or an assumed-breach foothold. We document the choice and its operational impact in the report.

Do you test for PCI DSS segmentation specifically?

Yes. Segmentation testing per PCI DSS Requirement 11.4.5 (and 11.4.6 for service providers) is in scope where payment and out-of-scope environments share infrastructure. We verify that boundary controls actually contain a compromised host.

How does cloud testing differ from network testing?

Cloud testing focuses on IAM trust paths, configuration drift, and workload exposure — the attack surface is identity and configuration rather than ports and services. Most modern engagements combine both: external network plus cloud configuration plus internal where workloads connect back into corporate identity.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.