InternalNetworkPenetrationTesting

Internal network penetration testing typically costs between £5,000 and £15,000 depending on network size, domain complexity, and testing scope. A standard internal test for a mid-sized organisation (200-500 users, single domain) averages £7,500 for 6 days of testing. Larger organisations with multiple domains, complex Active Directory forests, or extensive network segmentation typically cost £10,000-£15,000. We provide fixed-price quotes after reviewing your network architecture and user count. All engagements are fixed-price: the quote provided after scoping is the amount you pay, with no day-rate overruns or scope creep surcharges. See our full breakdown on our penetration testing cost page.

An internal network penetration test is a security assessment that simulates an attack from inside your network, mimicking a malicious employee or a threat actor who has already breached your perimeter. Unlike external testing (which attacks from the internet), internal testing focuses on what an attacker can do after gaining access, such as moving laterally, escalating privileges in Active Directory, or deploying ransomware across your network.

External penetration testing attacks your organisation from the internet, targeting public-facing systems: your website, VPN gateway, email servers, and external IP addresses. It simulates a threat actor who has no prior access to your environment, testing the lock on the front door. Internal penetration testing begins from inside your corporate network, simulating either a malicious insider (an employee or contractor) or a threat actor who has already gained initial access via phishing, a compromised VPN credential, or a physical device. It tests whether an attacker already inside the building can move freely, reaching sensitive file shares, escalating privileges in Active Directory, or deploying ransomware across your network. Most compliance frameworks require both. PCI DSS Requirement 11.3 mandates annual internal and external testing as separate engagements. ISO 27001 Annex A.8.8 and cyber insurance questionnaires increasingly ask for evidence of both types. If you have only conducted an external network penetration test to date, your internal attack surface has never been validated.

Firewalls only protect the perimeter. Once an attacker bypasses the firewall (via phishing, VPN compromise, or weak Wi-Fi), there are often few controls stopping them from reaching sensitive data. Perimeters are eventually breached; internal penetration testing ensures that a single breach does not result in a total ransomware takeover by validating network segmentation and access controls.

Yes, Active Directory (AD) security is a primary focus of internal testing. We identify misconfigurations like weak ACLs, Kerberoasting opportunities, and unpatched Domain Controllers that would allow an attacker to escalate from a standard user to a Domain Admin, giving them total control over your IT infrastructure.

Yes. PCI DSS Requirement 11.3 mandates both internal and external penetration testing at least annually and after any significant infrastructure change. Failure to evidence this during a QSA audit can result in loss of PCI compliance status and suspension of card processing. Our reports are fully compliant with PCI DSS standards, providing the evidence auditors need to validate your segmentation and internal security controls.

Our methodology mirrors the exact path ransomware groups (like LockBit or BlackCat) take: Initial Access, Internal Recon, Lateral Movement, Domain Compromise. By identifying and closing these paths, you effectively neutralise the impact of a ransomware outbreak before it happens, preventing data exfiltration and encryption.

We typically perform internal testing remotely using a pre-configured hardware testing device or a virtual machine (VM) that you deploy inside your network. This device establishes a secure, encrypted tunnel back to our command centre, allowing our CREST-certified testers to operate as if they were physically sitting in your office.

The terms are often used interchangeably by UK organisations and refer to the same assessment scope. 'Infrastructure penetration testing' typically describes the broader category that includes both internal network testing (testing the corporate LAN, Active Directory, and internal servers) and external network testing (testing public-facing infrastructure). When most UK organisations request 'infrastructure penetration testing,' they mean an internal network assessment: testing the servers, endpoints, Active Directory environment, and network segmentation controls that make up their internal IT infrastructure. At Precursor Security, our internal network penetration tests cover the full internal infrastructure scope: Active Directory, segmentation, lateral movement paths, and server-level vulnerabilities.

Yes, increasingly. Major UK cyber insurance underwriters (including those operating through Lloyd's of London syndicates) have tightened technical requirements since 2022. Annual internal penetration testing is now a standard requirement for cyber policies above £1M coverage, and failure to evidence it can result in claim rejection following a breach. The exact requirements vary by policy, but common stipulations include: annual internal testing by a CREST-accredited provider, evidence of Active Directory and network segmentation testing, and a findings remediation report. We issue test completion certificates alongside our reports that satisfy insurance renewal questionnaire requirements.

Yes. Active Directory security is a primary focus of every internal network penetration test we conduct. Our testing covers Kerberoasting and AS-REP roasting (cracking service account passwords offline), Pass-the-Hash and Pass-the-Ticket attacks, NTLM relay attacks against hosts with SMB signing disabled, GPO misconfiguration and ACL abuse, and unconstrained delegation exploitation. We use BloodHound to map the complete attack path from standard user to Domain Admin and document every exploitable path with a specific finding, CVSS score, and remediation step.

Lateral movement is the phase of an attack where a threat actor, having gained initial access to one system, moves across the internal network to reach higher-value targets: domain controllers, finance servers, backup systems, or crown jewel data stores. It is how a phishing email that compromises a single employee's laptop turns into a full domain ransomware event. In our internal tests, we simulate lateral movement by chaining credentials stolen via LLMNR/NBT-NS poisoning, tokens captured via impersonation, and Pass-the-Hash techniques, then using those credentials to access systems the original compromised account should never reach. Testing lateral movement paths is the core purpose of an internal penetration test. Firewalls and EDR tools are designed to stop lateral movement, but only if they are configured correctly. We test whether they actually do.