Assumed Breach Testing
Skip the perimeter. Test what matters.
Skip the initial access phase and focus testing on post-compromise objectives. We start with simulated access and demonstrate what an attacker could accomplish once inside your environment.
Overview
Assumed breach testing bypasses the initial access phase and places our testers inside your environment from day one. Rather than spending engagement time attempting to breach your perimeter, we start with simulated access—a compromised workstation, valid credentials, or a network implant—and focus entirely on what an attacker could accomplish once inside. This approach is ideal when your perimeter is already mature, you've made significant infrastructure changes you want to validate, or you want maximum post-compromise testing within your budget. We work with you to define realistic starting points and objectives that match your threat model.
What We Test
Our assumed breach testing engagements cover these key areas:
Compromised Workstation
Full access to a standard employee workstation. Simulates successful phishing or malware infection—the most common starting point for assumed breach.
Valid Credentials
Domain credentials without dedicated hardware. Tests what an attacker with stolen credentials can accomplish and validates identity-based controls.
Network Implant
A drop-box device placed on an internal network segment. Simulates a physical breach or compromised IoT device and tests network segmentation effectiveness.
VDI/Remote Access
Access through your virtual desktop infrastructure. Tests controls around remote workforce scenarios and validates VDI isolation and breakout prevention.
Lost Laptop
Recovered corporate device with or without credentials. Tests disk encryption, cached credentials, and local data exposure in device theft scenarios.
Custom Scenario
Tailored starting point based on your threat model. We'll work with you to match specific threat actors or breach scenarios relevant to your organization.
Our Approach
Once access is established, we pursue objectives defined by your threat model—not a generic checklist. Every assumed breach engagement starts with a scoping conversation to align testing activities with what matters most to your organization.
Scenario Definition
We collaborate to define the starting point, access level, and constraints. Together we establish objectives—domain compromise, crown jewels, detection validation, or specific control testing—and agree on rules of engagement.
Environment Familiarization
From the attacker's perspective, we map the network, enumerate accessible systems, shares, and services, and identify privilege escalation opportunities and lateral movement paths.
Objective Pursuit
We execute against defined objectives using real attacker techniques, documenting every action, tool, and finding while maintaining operational security appropriate to engagement goals.
Detection Correlation
Optionally, we coordinate with your security team post-engagement to correlate our activity timeline with your alerts and logs, identifying detection gaps and missed indicators.
Common Findings
These are issues we frequently discover during assumed breach testing engagements:
Excessive Local Admin Rights
Critical: Users with local administrator rights on their workstations, enabling credential harvesting and lateral movement across the environment.
Weak Active Directory Permissions
High: Overly permissive delegation, group memberships, or ACLs enabling privilege escalation paths to domain admin.
Insufficient Network Segmentation
High: Flat networks allowing unrestricted lateral movement between business units or sensitivity zones.
Credential Exposure
High: Cached credentials, password reuse, or credentials stored in accessible locations like scripts, shares, or Group Policy Preferences.
Missing or Misconfigured EDR
Medium: Endpoint detection tools not covering all systems or configured with gaps that attackers can exploit to evade detection.
Inadequate Logging
Medium: Security-relevant events not captured or forwarded, making detection and forensic analysis difficult or impossible.
Common Questions
How is this different from internal penetration testing?
Internal testing typically starts with network access but no credentials or system access—we're looking for that first foothold. Assumed breach skips ahead: you give us a foothold (workstation, credentials, implant) and we focus entirely on post-compromise objectives.
What do you need from us to get started?
We'll work together to define the scenario. Depending on what we agree, you might provide a workstation, credentials, VDI access, or physical access to place a network device. We handle the rest.
Can you test our detection capabilities without telling the SOC?
Yes. We can run 'purple team blind' where your security team doesn't know testing is happening. After the engagement, we correlate our activity with what they detected (or missed).
How long does an assumed breach engagement take?
Typically 1-2 weeks of active testing depending on scope and objectives. Focused engagements testing a specific control change can be shorter.
Other Penetration Testing Options
External Penetration Testing
We attack your perimeter the way real adversaries would—scanning for exposed services, testing authentication mechanisms, and attempting to breach your internet-facing systems.
Internal Penetration Testing
Simulating a compromised workstation or rogue insider, we test how far an attacker could move laterally through your network and what sensitive data they could access.
Wireless Security Testing
We assess your wireless networks for rogue access points, weak encryption, and attack vectors that could give adversaries a foothold into your environment.
Physical Penetration Testing
Combining physical security testing with social engineering, we evaluate whether attackers could gain physical access to sensitive areas and systems.