Understand Your Risk With An Internal Penetration Test
An internal penetration test is the best way to determine if an attacker who gains a foothold on your network can elevate their permissions and steal sensitive information. An internal penetration test is also the best way to test your organization’s resilience to ransomware attacks. At Triaxiom we emulate the real-world attacks your organization is likely to face to quantify the risks of your network perimeter.
How an Internal Penetration Test Helps
- Active and Passive network reconnaissance including traffic sniffing, port scanning, LDAP enumeration, SMB enumeration, etc.
- Vulnerability scan on all in-scope targets
- Spoofing attacks such as ARP cache poisoning, LLMNR/NBNS spoofing, etc.
- Manual and automated exploit attempts
- Shared resource enumeration
- Password attacks
- Pivoting attacks
Our Internal Penetration Test Process
Our first step is to jump on a quick call with you and one of our lead engineers to understand your organization’s needs and to scope the penetration test. Within a few hours following this call, you will have a proposal with pricing information and next steps.
Our Proposal will have everything you need to make a decision, including scope, our detailed methodology for the in-scope assessments, pricing information, and the biography of a lead engineer who will be directly involved with your assessment.
Should you choose to move forward with Triaxiom, we will provide the required contracts to get the project started. Once contracts are signed, we will assign a project manager to your account that will work with you to schedule the kick-off call and execution of the assessment.
On the kickoff call, we will review the Rules of Engagement document that will govern the project. It will include all project contracts, the rules the team will follow during testing, the testing schedule, and allow you to provide the necessary technical details to facilitate your assessment.
Once we are on the same page, we will get started. While execution times vary depending on the scope, on average, most projects take one to two weeks of active testing to complete.
All of our assessments go through two rounds of Quality Assurance to ensure our reports and tests meet the highest standards. This includes a technical QA process to ensure our methodology was followed and all evidence was properly collected/analyzed. This is followed by a thorough documentation QA to ensure our reports are consistent and actionable.
Once the reports are complete, we will share them with you via our secure portal. Finally, we will jump on a deliverable presentation to meet with your team to review all findings and answer any questions you may have.
At Triaxiom Security, our primary goal is to make your organization more secure. As part of that, any findings identified during our test that you wish to remediate can be included in a one-time retest within 90 days of report delivery, free of charge. The team will validate that your remediation efforts were effective and will update the reports to reflect your heightened security posture.
Deliverables
Each internal penetration test concludes with a comprehensive report that clearly outlines your organization’s security posture and testing results. Key features of the report include:
- Executive summary highlighting strengths, risks, and takeaways
- Detailed results from the internal penetration testing
- Clear descriptions of risks, affected systems, evidence, and prioritized remediation recommendations
- Visual summaries and a risk rating scale
- Roadmap to gradually improve security posture
Internal Pen Test FAQs
For almost every penetration testing service, this question boils down to time. The most expensive operating cost of any penetration testing firm is the salary of their engineers. In an internal penetration test, that time estimate basically boils down to the number of systems that need to be tested, and the more devices that have an IP address on your network, the more time an engineer must spend to provide a thorough test and the higher the cost will be. With that being said, a small to midsize business can expect to pay around $13,000.
Much like cost, the time required to perform an internal penetration test can vary based on the size and complexity of the target network. With that said, most internal penetration tests take around two weeks.
At Triaxiom Security, we do everything we can to give you a holistic view of your risk by emulating the real-world attacks you are likely to face. However, we also understand the impact that outages can cause and do everything we can to avoid any disruptions. We do not exploit any denial-of-service vulnerabilities and do not perform any stress/load testing.
With that said, there is always a small chance of accounts getting locked out or an unstable sytem experiencing an outage. When that happens, we stop all testing, figure out what caused the issue, and work with you to identify any root causes of instability and adapt our testing going forward to meet your needs.
Our engineers have industry leading certifications including:
- PCI Qualified Security Assessor (QSA)
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (C|EH)
- Offensive Security Certified Professional (OSCP)
- Offensive Security Web Expert (OSWE)
- GIAC Security Essentials Certified (GSEC)
- GIAC Certified Incident Handler (GCIH)
- GIAC Web Application Penetration Tester (GWAPT)
Get An Internal Pen Test Quote
Find and fix vulnerabilities that ACTUALLY impact your business and compliance goals faster.
