Network Penetration Testing
OSCP-led external and internal network penetration testing — including Active Directory attacks, lateral movement, and real exploitation. Not a vulnerability scan. Not a checkbox report.
What it is
A network penetration test is a real-world attack simulation against your external-facing infrastructure, internal network, and Active Directory domain — performed manually by certified offensive security practitioners.
We do not run a vulnerability scanner and hand you the output. We start where the scanner stops: chaining findings together, escalating privileges, moving laterally, and demonstrating the actual business impact of the weaknesses we find. Where exploitation is feasible, authorised, and safe, we exploit — because the only way to know whether an issue matters is to see what an attacker can do with it.
Every engagement ends with a prioritised remediation plan, a live walkthrough session with your team, and one free re-test of the critical findings after you've remediated.
What this is not
Who this is for
You're probably here because one of these is true:
What you get
- Scoping document (1 – 2 pages) — rules of engagement, IP scope, credentials, timeline, escalation contacts, blackout windows.
- Findings report (typically 30 – 60 pages) — every finding with CVSS score, reproduction steps, screenshots, business impact, and specific remediation guidance.
- Executive summary (1 – 2 pages) — CISO / board / audit-committee consumable. Plain English. No jargon.
- Live remediation walkthrough (90 minutes) — your technical team + our lead tester go through every critical and high finding on screen.
- Free re-test of remediated critical and high findings within 30 days — we validate that the fixes actually work and issue a re-test report.
- Clean-up evidence — every artefact we placed on your systems during testing is removed and documented.
Reports are delivered as signed PDFs — and as an editable .docx if your auditor needs it.
How we deliver
Typical total: 2 – 3 weeks from signed scoping to delivered report. Expedited delivery (1.5 weeks) available on request with a 20% expedite fee.
Pricing
Published range
Per engagement. Scoping call + written quote within 48 hours.
What drives the price:
- Number of live hosts in scope
- External-only vs. internal-only vs. combined
- Active Directory domain size & trusts
- Timeline (standard vs. expedited 1.5-week)
- Re-test iterations beyond the included first re-test
Commercial terms
- Deposit: 50% at signing; balance on final report
- Net terms: Net-30 from invoice date
- Quote validity: 30 days
- Re-test: 1 × critical/high re-test included
- Scope changes: require written change request
- No surprise charges. Ever.
Your cert-backed team
Every engagement is led by a named practitioner with documented offensive security credentials — never handed to an anonymous junior.
Lead Penetration Tester
Nelson Durairaj
OSCP · eJPT · CEH · BlackHat Linux · HTB Omniscient
Focus: External + internal network testing, Active Directory exploitation, lateral movement, privilege escalation.
Supervising Practitioner
Manoj Prabhakaran
CPTS · CDSA · Security+ · Azure Cloud Security · ISO 27001 Lead Auditor · HTB Omniscient
Focus: Engagement oversight, report quality review, complex engagements, audit-evidence alignment.
Frequently asked questions
How is this different from a vulnerability scan?
A vulnerability scan produces a list of potential issues — often thousands, many false-positive. A penetration test validates which issues are actually exploitable, chains them together, and demonstrates real business impact. We use scanners as part of the toolkit because they're fast at coverage — but the testing is manual and the report is human-written.
Do you use automated tools?
Yes — Nmap, Nessus, Nuclei, BloodHound, Responder, Impacket, Metasploit, and others, alongside custom tooling. Tools don't write the report or decide what to exploit next — our testers do.
What's the typical timeline from signed scope to final report?
2 – 3 weeks is the standard cadence for a mid-market engagement (20 – 100 hosts, single AD forest). Larger environments or combined external + internal + cloud scopes can extend to 4 – 5 weeks. Expedited delivery in 1.5 weeks is available with a 20% expedite fee.
What happens if you find a critical vulnerability during testing?
We contact your nominated escalation point — immediately if the issue is actively exploitable from the internet, otherwise within business hours. You can choose to pause testing, keep testing, or remediate in parallel. Your call.
Can you test production systems?
Yes. We define safe testing windows, exclude known-fragile systems from active exploitation, and use rate-limiting and careful exploitation on production. Most mid-market clients test production — it's where the real risk lives.
What do you need from us to get started?
A signed Rules of Engagement and Authorisation Letter, an in-scope IP list, escalation contacts, blackout windows, and — for internal testing — VPN access or a staged test device on your internal network.
Is the first re-test always included?
Yes. One re-test of remediated critical and high findings within 30 days of the final report is included in the base fee. Additional re-tests are charged separately.
Are your reports suitable as ISO 27001 or SOC 2 audit evidence?
Yes. Our reports include scope definition, methodology, testing dates, named testers and their credentials, CVSS-scored findings, remediation status, and re-test validation — all the elements auditors look for.
You might also need
Ready to see what an attacker would actually find?
Book a 30-minute scoping call. We'll scope your engagement, give you a price range in writing within 48 hours, and answer any question you have about the methodology, timeline, or deliverables.
