Infrastructure
Penetration Testing

We simulate a scenario where an attacker has gained access to the internal network — for example through a compromised workstation, VPN account or physical network connection. As a first step we map the network architecture: identifying open ports and services, performing OS and version fingerprinting, mapping network segmentation and testing default credentials on network devices and management interfaces.

We focus on vulnerabilities and configuration weaknesses — combinations of technical CVEs and configuration errors that enable further compromise. We test weak authentication, missing MFA and lockout policies, unauthorised access to management interfaces and excessive service account permissions. We also assess the security of network devices: firewalls, switches, routers, VPN gateways, SNMPv1 community strings and ACL misconfigurations.

A core focus is Active Directory — Kerberoasting, AS-REP Roasting, misconfigured GPOs, paths to Domain Admin through excessive permissions and misconfigured domain trusts. We verify the real-world impact of compromise: privilege escalation, lateral movement, data exfiltration simulation and ransomware scenarios. The output is a precise attack path description from a standard user all the way to full domain compromise.

We simulate an attack from the internet — from the perspective of an external attacker with no prior access to the internal network. We begin with information gathering: TCP/UDP port scanning, OS and service fingerprinting, identification of HTTP(S), VPN, RDP, SSH, SMTP and FTP endpoints, TLS/SSL configuration review and mapping of publicly accessible infrastructure including subdomains and technology stack.

We test authentication and real exploitation possibilities — default credentials, dictionary and controlled brute-force attacks, exploitation of RCE, SSRF, LFI/RFI and XXE vulnerabilities, and abuse of middleware and web application server misconfigurations. Every finding is verified as a proof-of-concept so impact is unambiguously demonstrated.

Where a perimeter system is successfully compromised, we assess how far an attacker would realistically get — escalation to root/admin level, access to file servers and databases, lateral movement into the internal network. Data exfiltration and persistence simulations are always conducted within the agreed scope. The deliverable is a full report with CVSS scoring and a prioritised remediation plan.

We assess wireless networks from the perspective of an attacker in the vicinity of your building or branch office. We begin by mapping available SSIDs, analysing protocols in use (WPA2/WPA3, 802.1X, WPS) and identifying hidden networks. We test encryption strength and the resilience of authentication mechanisms against offline attacks on captured handshakes.

We conduct active attack scenarios — Rogue AP and Evil Twin attacks simulating a legitimate access point, deauth attacks forcing client reconnection, MITM scenarios for credential capture and WPS PIN vulnerability testing. For enterprise networks with 802.1X, we test resilience against RADIUS exploitation and invalid certificates.

Particular attention is given to network segmentation — verifying that guest Wi-Fi genuinely isolates guests from the production network at VLAN level, that appropriate firewall rules are applied and that lateral movement to internal systems is not possible after connecting. A common finding: guest and production infrastructure share the same VLAN, and printers and NAS devices are accessible from the guest segment.

We test the security of AWS, Azure and GCP cloud resources and their configuration. We begin with reconnaissance — identifying available resources, mapping IAM roles and policies, locating publicly accessible S3 or Blob Storage buckets containing sensitive data and checking for access keys in public repositories and CI/CD pipeline configurations.

A critical area is IAM privilege escalation — we test whether limited access can be escalated to administrator privileges through misconfigured roles, overly permissive policies or abuse of assume-role mechanisms. We assess cross-account access, publicly exposed credentials (API keys, tokens, service account keys) and network, security group and firewall rule misconfigurations.

We include a configuration audit against CIS Benchmarks — reviewing logging and monitoring (CloudTrail, Azure Monitor), encryption of data at rest and in transit, secrets management and key rotation. Findings are categorised by real-world impact: from full tenant compromise through customer data exfiltration to potential cost attacks.

Technical OSINT analysis maps everything a potential attacker knows about your organisation before making their first intrusion attempt. We identify domains and subdomains (including forgotten or unmaintained ones), map publicly accessible infrastructure and technology stack, search for leaked credentials in breach databases and check for presence in threat intelligence feeds and dark web sources.

We focus on data leaks — exposures of internal documents, configuration files or source code in public repositories, presence of access keys and passwords in GitHub commits and paste sites. We identify which technologies and software versions are visible externally and whether publicly available exploits exist for them.

Personnel OSINT targets the digital footprint of management, the IT team and key roles — analysis of LinkedIn, Facebook and GitHub profiles, mapping of third-party and supplier relationships, and identification of potential attack vectors. This data serves as a starting point for targeted spear-phishing or vishing campaigns and forms part of a comprehensive picture of your organisation's attack surface.