Internal Penetration Testing: Assumed-Breach, Lateral Movement and Containment
Perimeter defences fail eventually — a phished credential, a compromised laptop, a malicious insider. Internal penetration testing measures what happens next: how far an attacker can move, how quickly they can escalate to administrator, and whether your segmentation actually contains them. Matproof Sentinel runs assumed-breach internal testing, proves the lateral-movement and privilege-escalation paths that exist, and reports detection gaps mapped to MITRE ATT&CK. You get an audit-ready report mapped to ISO 27001, NIS2 and DORA. Report from €149.
Why assumed-breach testing is the question that actually matters
Most security spending tries to prevent the initial compromise — but the breaches that make headlines are rarely about a clever way in; they are about how much damage was possible once the attacker had any foothold at all. Internal penetration testing starts from the realistic assumption that prevention failed: an attacker has a standard user's access or a single compromised host. The test then measures the things that determine whether that becomes a minor incident or a catastrophic breach — can they reach the data stores, can they escalate to domain or cloud-admin, does segmentation contain them, and would your monitoring even notice.
This is where 'we have a firewall' meets reality. Segmentation that looks clean on a diagram frequently isn't enforced; service accounts are over-privileged and their credentials reused; detection rules cover the front door but not lateral movement. NIS2 Art. 21 and DORA Art. 24 expect testing of these internal controls, and cyber-insurers increasingly require assumed-breach evidence at renewal — because containment, not just prevention, is what limits their payout.
- Containment is the real risk metric: the difference between a contained incident and a full breach is how far an attacker moves after the first foothold — exactly what assumed-breach testing measures.
- Segmentation is frequently aspirational — internal testing reveals whether a compromised host can actually reach crown-jewel systems or is genuinely isolated.
- Over-privileged and credential-reusing service accounts are the most common privilege-escalation path; they never show up in a perimeter scan.
- Detection gaps matter as much as vulnerabilities: the test records which actions your monitoring would (and would not) catch, mapped to MITRE ATT&CK, so your SOC can close the blind spots.
- NIS2 Art. 21, DORA Art. 24 and ISO 27001:2022 A.8.22 (segregation of networks) expect tested internal controls; insurers increasingly require assumed-breach evidence at renewal.
What Matproof tests in an internal penetration test
- Lateral movement from an assumed-breach foothold: reachable hosts, services and segments across the internal estate
- Segmentation containment: whether compromised corporate/dev segments can reach production and sensitive data systems
- Privilege escalation: local and domain/cloud escalation paths, weak service accounts, credential reuse, token/secret exposure on hosts
- Identity attacks where applicable: Kerberoasting, AS-REP roasting, pass-the-hash exposure, over-permissive Active Directory / cloud IAM roles
- Credential hygiene: secrets in files and scripts (CWE-312/CWE-798), shared local-admin passwords, exposed CI/CD and cloud credentials
- Sensitive data reachability: which data stores a foothold can read or exfiltrate, and whether DLP/segmentation prevents it
- Detection coverage: which actions generate alerts vs go unnoticed, documented against MITRE ATT&CK tactics (Lateral Movement, Privilege Escalation, Exfiltration)
- Findings risk-rated with CVSS 3.1 and mapped to ISO 27001 A.8.2/A.8.3/A.8.22, NIS2 Art. 21 and DORA Art. 24 for audit-ready evidence
Sample finding
Reused local-admin password enabled domain-wide lateral movement
From a single compromised workstation, Sentinel recovered the local administrator password hash and found the identical local-admin password set on every workstation in the estate (no LAPS or equivalent). Using pass-the-hash, the same credential authenticated to dozens of other hosts, several of which cached domain-admin credentials in memory — providing a clear path from one phished laptop to full domain compromise. Shared local-admin credentials are one of the most common and highest-impact internal findings, and they are entirely invisible from the perimeter.
Fix: Deploy a managed local-admin password solution (e.g. Windows LAPS) so every host has a unique, rotated local-admin password. Independently of that, deny network logon to local administrators: apply the 'Deny access to this computer from the network' user right to the well-known group 'Local account and member of Administrators group' (S-1-5-114) by Group Policy. That blocks the type-3 network logon pass-the-hash with a local account relies on, even while passwords are still shared. Note that the built-in RID-500 Administrator is exempt from UAC remote restrictions, which is why a shared built-in admin password is so usable over the network. Restrict workstation-to-workstation SMB/RPC where not required. Enable Credential Guard to keep domain credentials out of reach of LSASS credential dumping, and tier administrative accounts so domain-admin credentials are never used on standard workstations. Re-test pass-the-hash reachability after remediation. Sentinel records the reduced lateral-movement surface in the report as evidence for ISO 27001 A.8.2 (Privileged Access Rights).
Reference: CWE-798 Use of Hard-coded Credentials (shared local-admin password) · MITRE ATT&CK T1550.002 Use Alternate Authentication Material: Pass the Hash · ISO 27001:2022 A.8.2 Privileged Access Rights · NIS2 Art. 21 technical measures
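Detection logic for the finding above, as an added example that is not Matproof's tooling and not code from the original page. It consumes Windows Security 4624 logon events exported as dicts (field names follow the event XML), and flags the pattern the sample finding describes: one source using a local account over NTLM network logon against several distinct hosts in a short window. The events are constructed to mirror the scenario, the source laptop 10.1.20.45 and host names are hypothetical, and the window and host-count thresholds are assumptions to tune per estate.

```python
"""Detect pass-the-hash style fan-out of a shared local admin account.

Input: Windows Security 4624 events as dicts with the event-XML field names.
Output: findings a SOC can turn into a correlation rule for ATT&CK
T1550.002 (Pass the Hash) and T1021.002 (SMB/Windows Admin Shares).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, computer, user, domain, sid, pkg, ip, wks):
    """Build one 4624 record. Constructed test data, not a real export."""
    return {"EventID": 4624, "TimeCreated": time, "Computer": computer,
            "TargetUserName": user, "TargetDomainName": domain, "TargetUserSid": sid,
            "LogonType": 3, "AuthenticationPackageName": pkg,
            "LogonProcessName": "NtLmSsp " if pkg == "NTLM" else "Kerberos",
            "IpAddress": ip, "WorkstationName": wks}


# Constructed sample: one laptop (10.1.20.45, hypothetical) uses the built-in
# Administrator (RID 500) over NTLM against four hosts in twenty minutes.
# The remaining records are the benign noise a real log also contains.
SAMPLE_EVENTS = [
    _ev("2024-05-06T09:01:12", "WS-0101.corp.example", "Administrator", "WS-0101", "S-1-5-21-101-1-1-500", "NTLM", "10.1.20.45", "WS-0045"),
    _ev("2024-05-06T09:05:40", "WS-0102.corp.example", "Administrator", "WS-0102", "S-1-5-21-102-1-1-500", "NTLM", "10.1.20.45", "WS-0045"),
    _ev("2024-05-06T09:12:03", "WS-0103.corp.example", "Administrator", "WS-0103", "S-1-5-21-103-1-1-500", "NTLM", "10.1.20.45", "WS-0045"),
    _ev("2024-05-06T09:20:55", "FS-01.corp.example", "Administrator", "FS-01", "S-1-5-21-104-1-1-500", "NTLM", "10.1.20.45", "WS-0045"),
    # Domain user over Kerberos: not NTLM, ignored.
    _ev("2024-05-06T09:07:10", "FS-01.corp.example", "jdoe", "CORP", "S-1-5-21-9-9-9-1105", "Kerberos", "10.1.20.77", "WS-0077"),
    # Domain service account over NTLM: not a local account, not this rule's business.
    _ev("2024-05-06T09:08:00", "FS-01.corp.example", "svc-backup", "CORP", "S-1-5-21-9-9-9-1200", "NTLM", "10.1.30.5", "BACKUP-01"),
    # One local-admin network logon from another source: real, but below the fan-out threshold.
    _ev("2024-05-06T09:30:00", "WS-0200.corp.example", "Administrator", "WS-0200", "S-1-5-21-200-1-1-500", "NTLM", "10.1.20.99", "WS-0099"),
    # Machine account and anonymous logon: routine noise, filtered out.
    _ev("2024-05-06T09:09:30", "FS-01.corp.example", "WS-0045$", "CORP", "S-1-5-21-9-9-9-1301", "Kerberos", "10.1.20.45", "WS-0045"),
    _ev("2024-05-06T09:10:00", "FS-01.corp.example", "ANONYMOUS LOGON", "NT AUTHORITY", "S-1-5-7", "NTLM", "10.1.20.45", "WS-0045"),
]


def netbios(computer):
    """NetBIOS name of the host that logged the event (DNS suffix stripped)."""
    return computer.split(".")[0].upper()


def is_local_account(ev):
    """A local (SAM) account logs on with the machine's own name as TargetDomainName."""
    return ev["TargetDomainName"].upper() == netbios(ev["Computer"])


def local_account_network_logons(events):
    """4624 / logon type 3 / NTLM logons by a local account on the target host.

    After 'Deny access to this computer from the network' is applied to
    local administrators (S-1-5-114), this list should be empty."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        user = ev.get("TargetUserName", "")
        if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
            continue
        if is_local_account(ev):
            out.append(ev)
    return out


def find_local_admin_fanout(events, window=timedelta(hours=1), min_hosts=3):
    """One (source IP, local account) pair reaching >= min_hosts distinct hosts
    inside `window` is the pass-the-hash fan-out a shared local-admin password
    enables. Window and threshold are assumptions; tune them per estate."""
    by_source = defaultdict(list)
    for ev in local_account_network_logons(events):
        by_source[(ev["IpAddress"], ev["TargetUserName"].upper())].append(ev)
    findings = []
    for (src, user), evs in by_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evs]
        best = set()
        for i, t0 in enumerate(times):  # sliding window anchored at each logon
            hosts = {netbios(e["Computer"]) for e, t in zip(evs[i:], times[i:]) if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings.append({
                "rule": "shared-local-admin-ntlm-fanout",
                "severity": "high",
                "source_ip": src,
                "account": user,
                "builtin_admin": any(e["TargetUserSid"].endswith("-500") for e in evs),
                "hosts": sorted(best),
                "attack": ["T1550.002", "T1021.002"],
            })
    return findings


if __name__ == "__main__":
    for f in find_local_admin_fanout(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['account']} from {f['source_ip']} -> "
              f"{', '.join(f['hosts'])} ({', '.join(f['attack'])})")
```

The single-host logon from 10.1.20.99 is deliberately left below the fan-out threshold: on its own it is still a local account authenticating across the network, which is why `local_account_network_logons` is exposed separately as the lower-severity check, and why it should go to zero once the deny-network-logon right from the fix is in place.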
Internal pentest: free scan vs Matproof Sentinel vs traditional consultancy
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Internal penetration testing pricing
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about internal penetration testing
What is internal penetration testing?
Internal penetration testing assesses what an attacker could do once they already have a foothold inside your network — a compromised user account or host. Rather than trying to break in, it measures lateral movement, privilege escalation, segmentation containment and detection coverage from an 'assumed-breach' starting position. It answers the question that determines breach severity: how bad is it once prevention fails?
What does 'assumed breach' mean?
Assumed-breach testing starts from the realistic premise that an attacker has already achieved initial access — for example via phishing or a stolen credential — and focuses entirely on what they can do next. It is far more informative than hoping the perimeter never fails, because it directly measures containment and blast radius, which is what actually limits the damage of a real incident.
How is internal testing different from external testing?
External testing starts from the public internet with no access and targets your perimeter (see our external penetration testing page). Internal testing starts inside and measures movement and escalation. They are complementary: external reduces the chance of initial compromise; internal limits the damage when compromise happens anyway.
How much does internal penetration testing cost?
Internal engagements vary with estate size and complexity; traditional consultancy internal tests typically start around £5,000 and scale up for large or multi-site environments, over several weeks. Matproof Sentinel scopes internal assumed-breach testing on the Growth plan (€799/month), which also includes authenticated and infrastructure testing; see our penetration testing cost guide for the full picture.
Find out how far an attacker could actually get
Start with a free external scan, or scope an internal assumed-breach penetration test — lateral movement, privilege escalation and containment, mapped to ISO 27001, NIS2 and DORA — with Matproof Sentinel.