What "assumed breach" means
We start the engagement assuming an attacker is already on your network — phished an employee, plugged in a malicious USB, pivoted in from the guest Wi-Fi. The question is: what can they reach from there? The internal walk maps the blast radius.
What gets tested
- SMB share exposure — which file servers are reachable without authentication, which shares allow anonymous read, and which hold credentials in stored scripts.
- Password spray exposure — with one valid set of credentials provided by you (or harvested from a controlled phish), how far can lateral movement go?
- Active Directory misconfigurations — weak service-account passwords, unconstrained delegation, Kerberoastable service accounts, AS-REP roastable users, AdminSDHolder ACL drift.
- Printer / scanner admin — default-credential admin panels on networked printers (a top-3 small-business breach vector). These often expose AD service accounts via "scan to file."
- IoT devices — smart TVs, badge readers, IP cameras, thermostats. Each is a foothold.
- Camera access from unsegmented Wi-Fi — if your guest Wi-Fi can ping your IP cameras, that's a finding.
- Workstation EDR coverage — do your workstations actually have working endpoint protection? We run a simple test payload (with your authorization) and see whether EDR catches it.
- Backup tamper-resistance — if an attacker reaches Windows admin, can they delete the backups too? Modern ransomware always tries.
How the drop-box works
- Small Linux device (~Raspberry Pi 5 sized) you plug into an open Ethernet port at the start of the engagement.
- Outbound-only connection back to my workbench. Nothing inbound to your network.
- Read-only by default. Active testing only on items the ROE explicitly authorizes.
- Removed at the end. Cleanup attestation signed.
Pricing
Internal-only walk: from $2,000. 1 week elapsed time. Drop-box on-site for ~3-5 days, report + debrief.
External + internal combined: from $2,800 (most popular). See the main pentest page.