Infrastructure Pentest

Internal and external network, from perimeter to domain admin

€175/hour - CCV certified

From external attack surfaces to internal network compromise. Our pentesters simulate realistic attack scenarios: firewall bypass, lateral movement, privilege escalation and domain takeover. We test what really matters.

What is an infrastructure pentest?

An infrastructure pentest is an attack on your network and system infrastructure. We test what is reachable from the internet (external) and what an attacker who is already inside can do (internal). The goal of the test is to map all vulnerabilities within your network.

This is not a network scan. Where Nessus or Qualys report known CVEs and leave it at that, we go further: we exploit vulnerabilities, move laterally through the network, escalate privileges and demonstrate real impact. We test the full attack path, not just individual points.

External versus internal

  • External pentest: everything reachable from the internet - public IPs, VPN endpoints, mail servers, web servers, cloud services. We scan with Nmap and Masscan, test for outdated software, weak TLS configurations and publicly reachable management interfaces.
  • Internal pentest: we start from a position inside your internal network, for example a connected laptop in the office. We test LLMNR/NBT-NS poisoning, relay attacks, ARP spoofing and VLAN hopping, and then the path towards Domain Admin.

Why should you get an infrastructure pentest?

One firewall misconfiguration, one forgotten test server, one weak service-account password - that is the difference between secure and fully compromised:

  • Ransomware prevention: most ransomware attacks start with initial access via the network, followed by lateral movement towards domain controllers. We show whether that path is open.
  • Validate segmentation: many organisations think they are segmented. We prove whether that is the case, or whether VLANs and firewall rules contain holes.
  • Discover shadow IT: in almost every pentest we find forgotten systems - test servers, unauthorised services, systems outside the view of IT management.
  • Compliance: NIS2, ISO 27001 and BIO require periodic checks of your technical security.

Our approach

We test like a real attacker, but in a controlled and documented way. We share findings directly through short lines of communication, so you do not have to wait for the final report.

  1. External reconnaissance - mapping your attack surface: IP ranges, DNS records, SSL certificates, publicly reachable services.
  2. Port scanning & service enumeration - Nmap, Masscan and manual verification of all reachable ports and services.
  3. Exploitation - getting in via discovered vulnerabilities: outdated software, default credentials, misconfigurations or known exploits.
  4. Lateral movement - pass-the-hash, Kerberoasting, LLMNR poisoning, relay attacks, SMB shares with weak permissions. We move through the network the way ransomware groups do.
  5. Privilege escalation - towards Domain Admin via AD misconfigurations, delegation abuse or credential harvesting.
  6. Reporting - the full attack path documented with screenshots, commands and impact analysis. Every finding contains a concrete recommendation. Retest available on request.

What does an infrastructure pentest cost?

Our hourly rate is €175 per hour. The investment depends on:

  • Scope: number of external IPs, size of internal network, number of locations.
  • Depth: external only, or also internal with full domain compromise as the goal.
  • Complexity: multi-domain AD, complex segmentation, OT/IT separation.

After a scoping call you receive a fixed quote.

Methodology

  1. External Recon - Scanning and analysing external attack surfaces.
  2. Exploitation - Breaking in via weak points in the perimeter or via obtained credentials.
  3. Lateral Movement - Horizontal movement through the network towards critical systems.
  4. Privilege Escalation - Obtaining elevated rights up to domain admin.
  5. Reporting - Full attack path documented with remediation advice.

Frequently asked questions

What is the difference between an external and internal pentest?

An external pentest tests what an attacker can reach from the internet. An internal pentest starts from inside your network and tests lateral movement and privilege escalation towards Domain Admin. We recommend the combination for a realistic picture. We discuss what fits your situation best in the scoping call.

How many IP addresses can you test?

From dozens to thousands. We determine the scope together. We focus on the systems that pose the most risk - that is more effective than scanning everything and delivering a PDF with a thousand false positives.

Can you also test OT/SCADA environments?

Yes, with the necessary caution. On OT networks we only test passively. We perform active tests on the IT-OT transition. We understand that a crash in an OT environment has different consequences than in IT, and we take that into account.

Do you also test network segmentation?

That is one of the core components of an internal pentest. VLAN configurations, firewall rules between segments, whether critical systems are truly isolated - that is what we test.

Ready to test your security?

Get in touch with our team for a no-obligation conversation about your security challenges.