Infrastructure
Penetration Testing

Active host discovery, open port enumeration and service fingerprinting. OS and version identification. VLAN and segmentation mapping, management interfaces (iDRAC, IPMI, web consoles).

• TCP/UDP port scanning, service enumeration
• SNMPv1 community string enumeration
• Default credentials on network devices and management interfaces
• Detection of cleartext internal protocols (Telnet, FTP, HTTP)

The most common path to full compromise. BloodHound maps every route to Domain Admin — then we validate each one manually against your environment.

• Kerberoasting and AS-REP Roasting (service account hash cracking)
• NTLM relay, Pass-the-Hash, Pass-the-Ticket
• Active Directory Certificate Services (ADCS) — ESC1 through ESC8
• Misconfigured GPO, ACL and permission delegation
• Misconfigured domain trusts and SID history abuse

Firewalls, switches, routers, printers and VPN gateways are a chronically overlooked attack surface. We test every misconfiguration and unnecessarily exposed interface.

• Unauthorised access to management interfaces (web GUI, SSH, SNMP)
• ACL and firewall rule misconfigurations
• Printers and IoT devices as pivot points into the rest of the network
• VPN gateways — authentication, encryption and session management

Starting from a compromised workstation — we escalate privileges, move laterally and reach the data that matters to your business.

• DLL Hijacking, Unquoted Service Path, token impersonation
• AV/EDR evasion (AMSI bypass, Living-off-the-Land binaries)
• Lateral movement via SMB, WMI, PsExec, RDP, WinRM
• Access to databases, file servers and backup systems
• Data exfiltration simulation within agreed scope

We identify everything visible from the internet — including forgotten systems and shadow IT that never made it into your asset inventory.

• Subdomain enumeration — passive and active techniques
• TCP/UDP scanning, OS and service version fingerprinting
• Detection of exposed HTTP(S), VPN, RDP, SSH, SMTP and FTP endpoints
• TLS/SSL audit — certificate validity, weak ciphers, HSTS enforcement
• Technology stack fingerprinting and software version identification

We validate every vulnerability as a working exploit — not a scanner output. Every critical finding includes a screenshot or dump as proof of access.

• Default credentials, targeted brute-force with lockout detection
• RCE, SQL Injection, SSRF, XXE, LFI/RFI exploitation
• VPN gateway vulnerabilities (Cisco, Fortinet, Palo Alto, Pulse)
• Web server and middleware misconfigurations
• CVE exploitation against identified software versions

Pivoting into the internal network is not a default scope item — but when exploitation succeeds, we can attempt a direct breach with client approval to demonstrate real-world impact.

• Escalation to root/admin after successful compromise
• Lateral movement into the internal network (with client approval)
• Access to internal databases and file servers
• Data exfiltration simulation (within agreed scope)

We map everything broadcasting near your premises — visible and hidden networks, rogue APs and encryption strength.

• SSID mapping including hidden networks and rogue APs
• Protocol analysis — WPA2, WPA3, 802.1X, WPS
• Identification of weak authentication configurations
• Passive traffic capture and handshake collection

Attacks requiring zero network access — physical proximity to the building is sufficient.

• Evil Twin / Rogue AP — spoofing a legitimate access point
• Deauth attacks forcing client reconnection
• Offline WPA2 handshake cracking
• MITM credential capture post-connection
• WPS PIN brute-force (where WPS is enabled)

Enterprise Wi-Fi authentication via RADIUS has specific weaknesses. We test resilience against downgrade attacks and invalid certificate acceptance.

• RADIUS exploitation and invalid certificate acceptance
• PEAP-MSCHAPv2 downgrade attacks
• Client acceptance of self-signed certificates
• Verification of correct EAP chain configuration

Once connected, we verify that segmentation holds at every layer — not just on paper.

• Guest VLAN isolation from the production network
• Reachability of printers, NAS and internal systems from the guest segment
• Cross-VLAN communication and firewall gaps
• Lateral movement after connecting to the guest network

The most common source of cloud incidents — public storage buckets with sensitive data and leaked credentials in public repositories.

• Publicly accessible S3 / Blob Storage buckets containing sensitive data
• API keys and tokens in public GitHub repositories and CI/CD pipelines
• Credentials in configuration files and paste sites
• Databases and storage exposed without authentication

The most exploited weakness in cloud environments. We test dozens of escalation techniques from restricted access to full administrator.

• Escalation via misconfigured IAM roles and policies
• Assume-role exploitation and cross-account access
• Lambda / Cloud Functions privilege escalation
• Instance Metadata Service (IMDS) abuse
• Service account keys with excessive permissions

Misconfigured Security Groups and NSGs expose internal services to the internet. We review every rule.

• Security Groups / NSG — overly permissive rules (0.0.0.0/0)
• Publicly accessible databases (RDS, CosmosDB without authentication)
• Exposed management ports (22, 3389, 5432)
• VPC / VNet peering with unintended transitivity

Systematic cloud configuration audit against industry standards.

• Logging and monitoring — CloudTrail, Azure Monitor, Cloud Audit Logs
• Encryption at rest and in transit
• Secrets management and access key rotation
• MFA enforcement on root / global admin accounts
• Alerting on critical actions (root login, IAM policy changes)

A complete map of what a potential attacker knows about your infrastructure — including forgotten assets and shadow IT.

• Domains and subdomains — passive and active enumeration
• Forgotten infrastructure, shadow IT, expired certificates
• Shodan / Censys — exposed ports and services
• Publicly visible technologies and versions with associated CVEs

We find what breach databases and dark web sources know about your organisation — before an attacker does.

• Leaked employee credentials in breach databases
• API keys and passwords in GitHub commits and paste sites
• Internal documents and configs in public repositories
• Presence in threat intelligence feeds and dark web sources

People remain the weakest link. The digital footprint of management and key roles as an entry point for spear-phishing or vishing.

• LinkedIn, Facebook, GitHub — profile analysis for key roles
• Digital footprint of IT team and privileged users
• Mapping of vendor and third-party relationships
• Identification of spear-phishing and vishing attack vectors

A complete picture of your organisation's attack surface — as a foundation for further testing or as a standalone document for management and board.

• Attack surface map with risk prioritisation
• Overview of discovered leaks and exposed data
• Recommendations to reduce your digital footprint
• Input data for planning a follow-on external penetration test