Loading...
Loading...
Internal assumed-breach or external black-box: Active Directory attack path mapping, lateral movement testing, and PCI DSS CDE segmentation validation. CREST-aligned methodology, RMiT-mapped reporting.
Internal and external network pentests answer different questions. Many organisations require both — PCI DSS v4.0 mandates both annually. The table below helps you decide where to start.
| Area | Internal Pentest | External Pentest |
|---|---|---|
| Starting position | Assumed-breach: consultant starts inside the network, simulating a compromised endpoint, a malicious insider, or a phishing victim who has clicked and executed a payload. | Black-box: consultant starts from the public internet with only the organisation's IP ranges and domain names, simulating a remote attacker with no prior access. |
| Primary objectives | Active Directory compromise, lateral movement to Crown Jewels, privilege escalation from workstation to domain admin, PCI CDE boundary crossing. | Foothold on internal systems via public-facing services, credential harvesting via exposed portals, exploitation of unpatched internet-facing services. |
| Key attack techniques | Kerberoasting, AS-REP roasting, Pass-the-Hash, LLMNR/NBT-NS poisoning, BloodHound AD path analysis, SMB relay, DCSync. | Service enumeration, CVE exploitation of exposed services, web application attacks on internet-facing portals, VPN/RDP credential attacks, subdomain enumeration. |
| Typical duration | 5–10 business days depending on AD complexity and number of network segments. | 3–5 business days for a defined IP range; longer for large perimeters with many services. |
| PCI DSS relevance | Internal pentest is required annually and after significant infrastructure changes to validate CDE segmentation and lateral movement controls. | External pentest is required annually to validate that the cardholder data environment is not reachable from the internet. |
| RMiT relevance | BNM technology risk examiners assess internal network security controls under RMiT's network segmentation, access control, and vulnerability management expectations. AD security and lateral movement findings are directly relevant. | External attack surface visibility is required under RMiT. Internet-facing service inventories and vulnerability management evidence are examined. |
The following illustrates the type of finding nCrypt identifies in internal network engagements. Details are anonymised and do not represent a specific organisation.
Consultant starts with a standard domain user account (assumed-breach scenario, simulating a phishing victim). No special privileges. BloodHound is used to map the AD environment: 1,200 users, 47 computers, 12 OU structures.
BloodHound identifies a service account with a Service Principal Name (SPN) configured for a legacy database application. The account has a weak password set years earlier and no password rotation policy. A Kerberos TGS ticket is requested for the SPN — normal, authorised AD behaviour — and the ticket is exported offline.
The TGS ticket is subjected to offline dictionary attack. The service account password is recovered in under four minutes. The service account is a member of a legacy group that grants local administrator rights on 23 servers, including the organisation's file server.
Using the recovered credential, consultant authenticates to the file server via SMB. A scheduled task on the file server runs under a privileged domain account — its configuration is readable. This account is identified as having DCSync rights.
The privileged account is used to perform a DCSync operation, extracting the NTLM hash of the Domain Administrator account from the domain controller without logging onto the DC itself. Credentials for all domain accounts are now extractable. The engagement is paused and the customer is notified.
Immediate: disable the Kerberoastable service account SPN, rotate the password to a 25+ character random value. Short-term: audit all service accounts for SPN misconfigurations and implement managed service accounts (MSA/gMSA). Medium-term: implement Privileged Access Workstations (PAWs) and tiered admin model.
nCrypt's network pentests follow the Penetration Testing Execution Standard (PTES), a practitioner-developed framework covering every phase from pre-engagement through reporting.
Scope definition, IP range confirmation, rules of engagement, emergency contact tree, and written authorisation. No testing begins without a signed scope document.
Passive and active reconnaissance: OSINT on the external perimeter, subdomain enumeration, ASN and IP range mapping. Internal: AD structure enumeration, share discovery, user and group inventory.
Identification of critical assets and likely attack paths before active exploitation. BloodHound graph analysis for internal engagements to map high-value AD paths before attempting lateral movement.
Authenticated and unauthenticated scanning, manual service review, CVE correlation for identified service versions. Service accounts, SPNs, and delegation configurations reviewed for AD engagements.
Controlled exploitation of confirmed vulnerabilities. Lateral movement execution with timestamped evidence. Privilege escalation attempts documented with each step. No destructive actions.
Crown Jewels access confirmation, data exfiltration proof-of-concept (agreed artefact only), persistence mechanism review (identified but not installed), and lateral movement breadth mapping.
Structured written report within 10 business days. Executive summary, kill-chain narrative, risk-rated findings register, PCI/RMiT compliance mapping, and remediation roadmap.
Common questions about network penetration testing for Malaysian enterprises, financial institutions, and PCI DSS-scope organisations.
The right starting point depends on your current risk posture and compliance obligations. If you are a PCI DSS merchant or service provider, both are required annually — start with whichever your QSA has prioritised. If you have no current compliance driver, an external pentest first identifies your internet-exposed attack surface, which is highest risk for most organisations. An internal pentest is more valuable once your external perimeter is hardened, or if you have reason to believe an adversary could already be inside (post-incident, after a phishing campaign). Many Malaysian organisations run both concurrently: external consultants test the perimeter while an internal assumed-breach engagement runs simultaneously.
An assumed-breach scenario starts the internal pentest with a standard domain user account — no special privileges — simulating what happens after a phishing email is clicked, an endpoint is compromised, or an insider acts maliciously. This is more realistic than giving the consultant local administrator or domain user privileges from the start. It answers the question: once an attacker has a foothold inside your network, how far can they get? Most organisations are surprised to find that a single standard user account, combined with common Active Directory misconfigurations, is sufficient to reach domain administrator within hours.
Kerberoasting is an Active Directory attack technique that exploits how Kerberos authentication works. Any authenticated domain user can request a Kerberos service ticket for any service account that has a Service Principal Name (SPN) configured. The ticket is encrypted with the service account's password hash. The attacker exports this ticket and subjects it to offline dictionary or brute-force attack — no interaction with the domain controller is required, and no lockout policy applies. If the service account has a weak or old password, it is crackable. Service accounts are frequently over-privileged, making a Kerberoastable account one of the highest-value targets in an Active Directory environment.
Yes. PCI DSS v4.0 Requirement 11.4 requires both internal and external penetration testing at least annually and after any significant infrastructure or application upgrade or change. The scope must include the cardholder data environment (CDE) and all systems that could affect CDE security. Segmentation controls — the network controls intended to isolate the CDE from other network segments — must be validated by penetration testing. nCrypt's PCI DSS-scoped network pentests include explicit segmentation testing: we attempt to cross from non-CDE network segments into the CDE to confirm that segmentation controls are effective.
nCrypt's network pentest report includes a dedicated regulatory mapping section that cross-references findings to the relevant BNM RMiT technology risk management and cyber resilience requirements. For internal network findings, the mapping covers RMiT's expectations for network segmentation, access control, privileged access management, and vulnerability management. For external findings, it covers RMiT's expectations for perimeter security and vulnerability management of internet-facing systems. The mapping section is formatted for use as an audit evidence document during BNM technology risk examinations.
Our rules of engagement include a notification threshold for critical findings. If we identify a finding that presents immediate, significant risk — for example, unauthenticated remote code execution on an internet-facing system, or active credential exposure — we pause exploitation of that specific path and notify the customer's designated security contact via the agreed emergency channel before continuing. The finding is documented and escalated in the report. We do not exploit critical vulnerabilities beyond the minimum required to confirm exploitability without customer notification.
Share your scope. We'll respond within 24 hours.
Share your scope. We'll respond within 24 hours.
An assumed-breach internal pentest answers the question perimeter tools cannot: once inside, how long to domain admin?
Complementary services Malaysian buyers commonly pair with network penetration testing.
Wi-Fi, rogue AP and wireless segmentation security testing.
Learn morePurdue-model OT/ICS architecture review and IEC 62443-aligned hardening.
Learn moreAuthenticated + unauthenticated VA scans with manual triage.
Learn more