Network Segmentation Testing

Network segmentation testing typically costs between £3,500 and £8,000 depending on network complexity and number of segments to validate. A standard segmentation test for PCI DSS CDE validation (testing isolation between 3-5 network segments) averages £3,500 to £5,000 for 2-3 days of testing. Complex environments with multiple VLANs, data centres, microsegmentation platforms, or multi-site deployments typically cost £6,000 to £8,000. For PCI DSS buyers, £3,500 for segmentation validation is a fraction of the cost of full CDE scope expansion, which can triple compliance costs when segmentation controls fail. We provide fixed-price quotes after reviewing your network architecture and compliance requirements.

We connect a physical device or virtual machine to the specific network segment, for example the Guest VLAN or an IoT zone. We then attempt to identify and connect to assets in restricted segments (such as the Server VLAN or Cardholder Data Environment) using a range of adversarial techniques: VLAN hopping, DTP negotiation, ACL bypass, protocol traversal (mDNS, LLMNR), and NAC evasion. Every test attempt is logged with the tool used, the technique, and the outcome. The result is a source-to-destination zone connectivity matrix with clear pass/fail verdicts.

Yes. PCI DSS v4.0.1 Requirement 11.4.5 (previously Requirement 11.3.4 in v3.2.1) mandates that any organisation using network segmentation to reduce PCI scope must perform penetration testing to verify that segmentation is effective and operational. Merchants must test at least annually. Service providers, including managed service providers, payment processors, and SaaS platforms, must test every six months. Testing must validate both ingress and egress CDE boundaries, confirming no path exists between out-of-scope systems and the Cardholder Data Environment. Our segmentation testing report is structured for QSA review and RoC inclusion.

A network penetration test evaluates the security of systems within a network: vulnerabilities, misconfigurations, exploitable services. Segmentation testing evaluates whether network boundaries work as designed, specifically whether an attacker positioned in one segment can reach assets in another. The tests are complementary. In a typical engagement, an internal penetration test validates what can be compromised; segmentation testing validates whether the firewall rules and VLAN boundaries that are supposed to contain a compromise actually do. Many organisations run segmentation testing as a standalone exercise, particularly for PCI DSS CDE validation, rather than as part of a broader pen test scope.

For standard zone isolation testing, network-level access is sufficient. We connect to the source zone and attempt to reach the destination zone using custom packet crafting, without requiring credentials. For PCI DSS Requirement 11.4.5 compliance testing, this unauthenticated approach satisfies the requirement. Authenticated testing can be added to assess whether a compromised account in one zone could traverse segmentation boundaries using legitimate credentials. This is particularly relevant for Zero Trust and microsegmentation validation, where identity is a key enforcement dimension.

Typically, no. The scanning is targeted and low-bandwidth. We test for connectivity between zones, not load testing. Testing windows can be agreed in advance to avoid peak trading hours. For OT/SCADA environments, we coordinate with your operational team to schedule testing during planned maintenance windows or conduct testing at network level only to avoid any disruption to live processes.

Yes. We test whether your NAC solution, such as Cisco ISE, Forescout, or similar, correctly blocks unauthorised devices or moves them to a quarantine VLAN upon connection. NAC bypass is a common finding in segmentation engagements. We also test whether devices that bypass NAC can then reach restricted segments.

Yes. IT/OT boundary testing is one of the highest-stakes segmentation engagements we conduct. We verify the integrity of the air gap, or the segmentation controls where a true air gap has been replaced by managed connectivity, between the corporate IT network and the operational technology (OT) or SCADA environment. Our testing identifies unauthorised paths that would allow a compromise on the IT side to reach industrial control systems, historian servers, or engineering workstations. We work safely within OT environments, coordinating with your operational team to avoid any disruption to live processes.

Yes. We conduct independent validation of software-defined microsegmentation deployments across all major platforms: Illumio, Guardicore (Akamai), VMware NSX, and Cisco ACI. Vendor dashboards show policy coverage percentage. They cannot prove that policy enforcement prevents real lateral movement. Our testing assumes a foothold in one workload and attempts east-west movement across microsegmented boundaries, verifying that identity-based and application-aware policies are enforced at the workload level under adversarial conditions. The resulting report provides the independent third-party evidence required for board reporting and cyber insurance validation of your microsegmentation investment.