Professional Network Penetration Testing Services

At Trilight Security, we provide comprehensive internal and external network penetration testing services for organizations across the USA and the EU, including a strong focus on Germany. Our certified experts simulate real-world attacks against your network perimeter, internal infrastructure, Active Directory environment, firewalls, VPNs, and connected systems — uncovering exploitable vulnerabilities before attackers do. Get in touch with Trilight Security to discover how our network pentesting services can strengthen your infrastructure security, reduce your attack surface, and demonstrate compliance with applicable regulations.

External Network Penetration Testing

We simulate attacks launched from outside your organization — the way a threat actor would approach your environment. With no or limited prior knowledge of your internal architecture, we probe your publicly accessible infrastructure including firewalls, routers, VPN gateways, exposed services, email servers, and web-facing systems. Our goal is to determine what an external attacker could discover, access, and exploit from the internet, and to what extent an initial compromise of the perimeter could be used to gain deeper access.

Internal Network Penetration Testing

We simulate an attacker who has already gained a foothold inside your network — whether through a phished employee, a compromised endpoint, a rogue device on a guest network, or a malicious insider. Starting from a low-privilege position within your environment, our experts attempt to escalate privileges, move laterally across network segments, access sensitive data, and reach your most critical assets including domain controllers, servers, and crown-jewel systems. This assessment reveals the true blast radius of a perimeter breach and validates the effectiveness of your internal segmentation and access controls.


Our Offering


Black Box Pentesting

We provide black box penetration testing services, where we have no prior knowledge of your network architecture or internal systems, and simulate the perspective of an external attacker relying solely on publicly available information, open ports, and observable behavior.


Grey Box Pentesting

We conduct grey box pentests with limited information about the target environment — such as IP ranges, network diagrams, or a set of user-level credentials — but without full visibility. This approach reflects the threat posed by an attacker with partial access gained through phishing or credential theft.


White Box Pentesting

We conduct white box pentests where we have full access to network documentation, firewall rule sets, AD configurations, etc. It is the most thorough examination of the environment and is best suited for compliance-driven assessments or when vulnerability coverage is a top priority.



Why Network Penetration Testing?

Corporate networks are among the most targeted attack surfaces in any organisation. A single unpatched service, a misconfigured firewall rule, or a set of weak credentials can give an attacker a foothold that leads to full domain compromise within hours. Network penetration testing goes beyond automated vulnerability scanning — our experts actively exploit identified weaknesses, chain multiple vulnerabilities together, and demonstrate exactly what an attacker could achieve against your environment. By identifying these weaknesses proactively, we help you prevent unauthorised access and data breaches, validate the effectiveness of your segmentation and access controls, support compliance with NIS2, PCI-DSS, ISO/IEC 27001, and other applicable frameworks, and generate the documented evidence regulators and auditors require.

For organisations in the EU, network penetration testing has become a core requirement under Article 21 of the NIS2 Directive, which mandates that essential and important entities implement risk management measures and regularly assess their effectiveness through security testing. Our assessments produce the evidence chain — methodology, findings, remediation records, and retest confirmation — that auditors expect to see.

External Attack Surface

Our external network penetration tests assess all internet-facing components of your environment, including:

  • Perimeter firewalls and routers
  • VPN gateways and remote access infrastructure
  • Exposed web, mail, FTP, and other public-facing services
  • DNS configuration and zone transfer security
  • Cloud-hosted assets and hybrid connectivity endpoints
  • MFA implementation and bypass resistance on external-facing systems
  • Password spraying resistance against Office 365, Azure AD, and other cloud identity providers

Internal Network & Active Directory

Our internal assessments target the infrastructure an attacker could reach after a perimeter breach or insider compromise, including:

  • Active Directory — account enumeration, Kerberos attack techniques (Kerberoasting, AS-REP Roasting, Pass-the-Hash, Pass-the-Ticket, DCSync), GPO abuse, and ACL misconfigurations
  • Active Directory Certificate Services (AD CS) misconfigurations
  • Network segmentation and VLAN boundary enforcement
  • Internal services — SMB shares, databases, legacy protocols (LLMNR/NBT-NS poisoning)
  • Credential exposure — cleartext passwords in scripts, file shares, and memory
  • Wireless network segmentation and security controls
  • Printers, IoT devices, and other network-connected endpoints frequently overlooked in standard assessments

Penetration Testing Process

We use a combination of manual techniques and automated tooling to simulate real-world attacks against network infrastructure. Our approach is adapted to the specific architecture, risk profile, and compliance requirements of each engagement. Typically, network penetration testing projects include the following stages: 

  • Information Gathering & Reconnaissance: We collect detailed intelligence about your network environment using both passive and active techniques. For external assessments this includes DNS enumeration, OSINT, certificate transparency analysis, WHOIS data, and identification of publicly exposed services and technologies. For internal assessments this includes network discovery, host enumeration, service fingerprinting, and mapping of Active Directory structure, trust relationships, and privilege configurations.
  • Vulnerability Analysis: Using industry-standard scanning tools alongside manual inspection, we identify vulnerabilities across all in-scope hosts — including unpatched services, misconfigured protocols, weak authentication, insecure network shares, overprivileged accounts, and exploitable trust relationships within Active Directory. All automated findings are manually reviewed and validated to eliminate false positives before inclusion in the report.
  • Exploitation: We attempt to actively exploit identified vulnerabilities to determine the real-world impact of each weakness. This phase includes attacks such as credential brute-forcing and password spraying, exploitation of known CVEs in unpatched services, man-in-the-middle attacks on unencrypted protocols, abuse of misconfigurations in firewalls and network devices, and exploitation of Active Directory weaknesses including Kerberoasting, AS-REP Roasting, Pass-the-Hash, and Pass-the-Ticket.
  • Privilege Escalation: Once initial access is established, we systematically attempt to escalate privileges within the network — moving from a standard user or low-privilege service account toward domain administrator or equivalent access. This phase demonstrates the potential impact of each initial compromise and tests whether your access control model would contain an attacker or allow them to reach your most critical systems.
  • Lateral Movement: We assess how far an attacker could move across your network from their initial foothold. This includes testing network segmentation boundaries, probing for trust relationships between systems and domains, attempting to pivot through jump hosts and VPN connections, and evaluating whether your internal network controls would detect and contain an attacker moving toward sensitive data or critical infrastructure.
  • Maintaining Access: We evaluate the feasibility of an attacker establishing persistence within your network — including the planting of backdoors, creation of rogue accounts, abuse of scheduled tasks and startup mechanisms, and use of living-off-the-land techniques that blend with normal administrative activity. This phase highlights detection gaps and tests the visibility of your monitoring and alerting capabilities.
  • Reporting: Our reports are thorough, actionable, and written to be useful for both technical teams and executive stakeholders. Each report includes:
    1. A detailed attack narrative describing how each compromise path could unfold, with step-by-step documentation of the techniques used and the access achieved.
    2. Specific, prioritised remediation recommendations for every identified vulnerability, ordered by risk severity and exploitability.
    3. Compliance mapping to applicable frameworks including PTES, NIST SP 800-115, MITRE ATT&CK, NIS2, PCI-DSS, ISO/IEC 27001, and others as required.

Our Benefits


Top Certifications


Our experts have deep skills proven by years of success in demanding enterprise environments and top industry certifications such as OSCE, OSCP, BSCP, eCPPT, CREST, etc.


Top Methodologies


PTES (Penetration Testing Execution Standard), NIST SP 800-115, MITRE ATT&CK Framework, OSSTMM, CREST, and others.


Rich Deliverables


We provide comprehensive pentest reports with detailed findings, attack narratives, PoC evidence, remediation advice, compliance mapping, and other content.


Cost Efficiency


We have access to top-tier cybersecurity and IT talent — delivered at competitive, transparent pricing that makes expert-led testing accessible to our customers.



Penetration Testing Methodologies

Our network penetration testing services follow established industry methodologies to ensure thorough, consistent, and reproducible assessments. We apply the Penetration Testing Execution Standard (PTES) as the overarching framework for engagement structure and scope, NIST SP 800-115 for compliance-aligned technical documentation, and the MITRE ATT&CK Framework for adversary simulation — mapping all identified attack paths to real-world threat actor techniques and tactics. Network-layer testing follows OSSTMM principles for structured, measurable security assessment.

For Active Directory and Windows environment testing, our methodology incorporates current offensive techniques targeting Kerberos, certificate services, Group Policy, and credential storage. Compliance-driven engagements are aligned to NIS2 Article 21, ISO/IEC 27001, PCI-DSS, HIPAA, SOC 2, and DORA as applicable to the client’s regulatory obligations.

Tools

Our experts select and configure their toolset based on the engagement type — black box, grey box, or white box — and the specific characteristics of the target environment. For network discovery and vulnerability scanning we use Nmap, Nessus, and Masscan. Exploitation frameworks include Metasploit and custom scripts developed for specific vulnerabilities identified during the engagement. Active Directory assessment relies on BloodHound and SharpHound for attack path visualisation, Impacket for Kerberos and SMB protocol attacks, CrackMapExec (NetExec) for credential testing and lateral movement simulation, and Responder for credential capture via LLMNR/NBT-NS poisoning. Network traffic analysis is conducted with Wireshark and tcpdump. Password attacks use Hashcat and John the Ripper. All automated output is manually reviewed and validated by experienced testers before inclusion in the report.


Our Certifications


OSCE certification
eMAPT certification
OSCP certification
CREST certification
eWPTXv2 certification
CEH certification

Deliverables

  • Executive Summary: A high-level overview of the assessment results and overall risk exposure, written for management and non-technical stakeholders, including a clear statement of the most critical findings and their potential business impact.
  • Test Plan: A document outlining the agreed scope, objectives, testing methodology, rules of engagement, and timeline for the engagement.
  • Detailed Technical Report: A comprehensive report documenting all findings, including vulnerability descriptions, CVSS risk ratings, step-by-step proof-of-concept attack walkthroughs, and prioritised remediation guidance for each identified issue.
  • Attack Path Diagrams: Visual representations of the attack paths identified during the engagement — illustrating how an attacker could move from initial access to critical assets and demonstrating the real-world impact of chained vulnerabilities.
  • Vulnerability Assessment: A full inventory of all vulnerabilities identified during the engagement, including asset details, severity ratings, and exploitability assessment.
  • Evidence: Screenshots, command outputs, traffic captures, and other supporting artefacts for all findings, providing reproducible documentation of every vulnerability.
  • Compliance Mapping: A structured mapping of findings and remediation recommendations to applicable frameworks and regulatory requirements.
  • Action Plan: A structured remediation roadmap with recommended actions, suggested timelines, and responsible parties for each identified issue.

A presentation or briefing for relevant stakeholders — including a summary of findings, risk exposure, and recommended next steps — can be prepared upon request. After a follow-up retest to confirm that all identified vulnerabilities have been remediated, we issue a Pentest Certificate, which can be used for compliance audits, vendor due diligence, and customer communications.



Penetration Test Report Sample


Penetration testing is a must for any business using digital services. We use different comprehensive tools, methodologies, and models for pentesting. DOWNLOAD our penetration test report sample and learn more.


FAQ


Network penetration testing is a security assessment in which our experts simulate real-world attacks against your network infrastructure — attempting to exploit vulnerabilities in the same way a real attacker would — to identify security weaknesses before they can be used against you.

External network penetration testing targets systems accessible from the internet — firewalls, VPN gateways, exposed services, and cloud-hosted infrastructure — simulating an outside attacker with no prior access. Internal network penetration testing is conducted from within your network perimeter and simulates the threat posed by a compromised insider, a phished employee, or an attacker who has already breached the perimeter. Both types are typically recommended together for a complete picture of network risk.

Vulnerability scanning is an automated process that identifies known weaknesses using signature-based detection. Network penetration testing goes further: our experts actively attempt to exploit identified vulnerabilities, chain multiple weaknesses together to demonstrate realistic attack paths, escalate privileges, and move laterally across the network — showing the true impact of each vulnerability rather than simply listing it. Automated scanning alone routinely misses configuration weaknesses, logic flaws, and complex attack chains that only become visible through manual testing.

Depending on the scope agreed at the start of the engagement, our assessments can cover external perimeter infrastructure, internal network segmentation and access controls, Active Directory and identity infrastructure, VPN and remote access security, wireless networks, network devices such as routers and switches, cloud-connected environments, and any other network-accessible systems within the defined scope.

Active Directory (AD) is the identity and access management backbone of most enterprise Windows environments, and it is one of the most commonly exploited attack vectors in network compromises. Our internal assessments include dedicated AD testing covering Kerberos attack techniques, misconfigured permissions and Group Policy Objects, overprivileged service accounts, credential exposure, and attack paths toward Domain Admin. A successful AD compromise typically means complete control of the entire Windows environment — making it a critical area of focus in any internal network assessment.

Yes. We conduct penetration testing across on-premises, cloud (AWS, Azure, GCP), and hybrid network environments, assessing both the cloud-native configurations and the security of connectivity between on-premises and cloud infrastructure — including VPN tunnels, ExpressRoute and Direct Connect links, and identity federation configurations.

Our network penetration testing follows PTES, NIST SP 800-115, the MITRE ATT&CK Framework, and OSSTMM. For compliance-driven engagements, we align findings and documentation to NIS2 (Article 21), ISO/IEC 27001, PCI-DSS, HIPAA, DORA, SOC 2, and other applicable regulatory frameworks.

The EU NIS2 Directive (Directive 2022/2555) requires essential and important entities across a wide range of sectors — including energy, healthcare, transport, digital infrastructure, finance, and managed security service providers — to implement appropriate risk management measures and regularly assess their effectiveness. Penetration testing is explicitly recommended by ENISA’s Technical Implementation Guidance as the primary method for demonstrating that controls work under real attack conditions. Non-compliance can result in fines of up to €10 million or 2% of global annual turnover for essential entities, with personal liability for senior management. Our assessments produce the documented evidence chain — methodology, findings, remediation records, and retest confirmation — that auditors and national supervisory authorities require.

Testing is conducted in a controlled manner agreed upon upfront within clearly defined rules of engagement. For production environments, we work within maintenance windows and agreed testing intensity parameters to minimise any risk of service disruption. We establish out-of-band communication channels before testing begins and maintain ongoing contact throughout the engagement so that any unexpected issues can be addressed immediately.

Duration depends on the size and complexity of the environment, the number of in-scope hosts and network segments, the depth of Active Directory testing required, and whether the engagement covers external, internal, or both. A typical engagement ranges from one to three weeks. We provide a detailed scoping estimate prior to any engagement.

We recommend conducting network penetration testing at least annually, as well as after significant infrastructure changes, new system deployments, network architecture updates, mergers and acquisitions, or in response to emerging threats and newly disclosed vulnerabilities. Many compliance frameworks — including NIS2, PCI-DSS, and ISO/IEC 27001 — mandate regular penetration testing as part of a continuous security assurance programme.

For external testing we typically require only written confirmation of the in-scope IP ranges and domains. For internal testing we may also require network diagrams, VLAN information, Active Directory details, and access to a network connection point within the environment. The level of information sharing for grey and white box engagements is agreed at scoping. All information shared with us is handled in accordance with our ISO 27001-aligned security practices.

Yes. Remote internal network penetration testing can be conducted using a VPN connection or a lightweight testing appliance installed at your site, allowing us to simulate an inside-attacker position without requiring physical presence. Where physical access testing is required — for example to assess building entry controls or local network access points — we can also conduct on-site engagements.

Yes. Our network penetration tests can be scoped and documented to satisfy requirements under NIS2, DORA, GDPR, HIPAA, PCI-DSS, ISO/IEC 27001, SOC 2, and other applicable regulatory and contractual frameworks. We provide compliance-mapped reporting that aligns findings and remediation guidance directly to the relevant control requirements.

Yes. Our team is available to consult on remediation efforts, clarify findings, provide technical guidance on specific fixes, and advise on architectural improvements to network segmentation, access controls, and monitoring capabilities to ensure that identified vulnerabilities are effectively closed.

Pricing depends on the scope, the number and complexity of in-scope hosts and network segments, the type of testing (external, internal, or both), and the depth of Active Directory and specialist testing required. Given that the average cost of a data breach in Europe exceeded €4 million in 2024, a network penetration test represents a proportionate investment in risk reduction. Contact us for a detailed, obligation-free quote tailored to your environment and compliance requirements.


Our Recognition


Top Cybersecurity Company in Estonia in 2026 by Clutch.co

Top IT Services Company in Estonia in 2026 by Clutch.co

Top Staff Augmentation Company in Estonia in 2026 by Clutch.co

Top Managed Services Provider in Estonia in 2024 by Clutch.co

Trilight Security - Top Company in Estonia 2021 by Clutch.co

Most Reviewed IT Services Company in Estonia by The Manifest

Best Company to Work With by GoodFirms

Top Staff Augmentation Company by TrueFirms in 2023

Recognized Among Top 5 Penetration Testing Service Providers in 2025 by TechTimes.com

5-star Rating on G2 Platform

Mentioned Among Top Cybersecurity Consulting Companies by Superbcompanies.com

5-star Rating on GoodFirms Platform