Find out what an attacker can do once they're already inside.
BreachBrain deploys a lightweight agent on your internal network to simulate a compromised device or insider threat — identifying lateral movement paths, privilege escalation risks, and internal exposures before an attacker finds them.
Most breaches don't stop at the perimeter.
Attackers who breach your perimeter — whether through phishing, a compromised vendor, or a stolen credential — immediately pivot to your internal network. The question is how far they can go and how quickly.
Internal penetration testing answers that question directly. BreachBrain's agent runs from inside your network, replicating what an attacker can do with a single compromised endpoint — without requiring a consultant on-site.
Inside: testing from within your network — replicating what's possible from a single compromised device or stolen credential.
Agent-based: a lightweight agent runs the tests automatically. No consultant on-site. No manual steps required.
Analyst-reviewed: an analyst reviews every finding before your report is released — validating severity and removing false positives.
The paths an attacker takes after the initial breach.
Deploy once. Tests run automatically.
No consultant on-site. No manual testing steps.
86 tests across 8 security domains.
Every internal penetration test runs the full catalog automatically. Each domain below lists exactly what gets tested and why it matters.
A. Asset & Host Discovery (5 tests)
Live Host Discovery
ARP and ICMP ping sweep to identify all live hosts on the network segment. You can't protect what you can't see — discovers every active device, including unauthorized or unmanaged assets, before an attacker does.
Network Subnet Enumeration
Maps all active subnets and network interfaces reachable from the agent. Reveals the true network topology, including segments that may be improperly isolated or forgotten.
Gateway Identification
Identifies the default gateway and routing configuration. Exposes the network's exit path — a compromised or misconfigured gateway can intercept all traffic.
IPv6 Discovery
Scans for live IPv6-addressed hosts. IPv6 is frequently enabled but unmonitored — attackers exploit it to bypass IPv4-only security controls.
SNMP Discovery
Probes for SNMP-enabled devices using common community strings. SNMP exposes device configuration, network topology, and credentials to anyone who knows the community string.
B. Identity & Access Security (Active Directory) (16 tests)
Domain Controller Discovery
Locates domain controllers via DNS SRV records and LDAP. Domain controllers are the crown jewel of a Windows environment — knowing where they are is step one for any attacker.
Domain Info Enumeration
Retrieves domain name, forest structure, and functional level. Domain configuration details reveal upgrade gaps and trust relationships that attackers exploit.
User Account Enumeration
Enumerates all domain user accounts via LDAP. A full user list enables targeted credential attacks — organizations often don't know how many accounts exist.
Security Group Enumeration
Enumerates all security groups in the domain. Reveals the group structure attackers use to understand privilege boundaries and escalation paths.
Privileged Group Membership Audit
Audits membership of privileged groups (Domain Admins, Enterprise Admins, etc.). Excessive membership in privileged groups is one of the most common paths to full domain compromise.
Group Policy Object Enumeration
Discovers all Group Policy Objects and their links. GPOs control security settings across the domain — misconfigured GPOs can push malicious settings or expose credentials.
Organizational Unit Mapping
Maps the Organizational Unit hierarchy. OU structure governs where GPOs apply — understanding it reveals administrative boundaries and gaps.
Domain Trust Enumeration
Identifies domain and forest trust relationships. Trusts create lateral movement paths between domains — a compromise in a trusted domain can cascade to yours.
Kerberoastable Account Detection
Detects service accounts with SPNs vulnerable to Kerberoasting. Kerberoasting lets any domain user request service tickets encrypted with the service account's password hash and crack those passwords offline, without generating alerts.
AS-REP Roastable Account Detection
Finds accounts with Kerberos pre-authentication disabled. These accounts hand back an AS-REP encrypted with the account's password hash to anyone who asks, without requiring any credentials — a trivial offline cracking opportunity.
Unconstrained Delegation Detection
Detects computers or accounts configured with unconstrained Kerberos delegation. Unconstrained delegation allows any authenticated user's Kerberos ticket to be captured and reused for impersonation.
Constrained Delegation Analysis
Identifies constrained and resource-based constrained delegation. Improperly scoped delegation grants can be abused to impersonate privileged users against target services.
Password Policy Audit
Reads the domain password policy (length, complexity, lockout thresholds). A weak password policy is an open invitation to credential stuffing and brute-force attacks.
Admin Account Audit
Audits privileged accounts including stale, default, and built-in admin accounts. Stale admin accounts and enabled default accounts are common initial access vectors.
SYSVOL Credential Scan
Scans SYSVOL and NETLOGON shares for Group Policy Preferences and script credentials. GPP historically stored credentials in readable XML on SYSVOL — a well-known but still-common exposure.
C. Endpoint Controls (6 tests)
Windows Defender Audit
Checks Windows Defender status, real-time protection, and definition currency. Disabled or outdated AV leaves endpoints fully exposed to commodity malware and ransomware.
BitLocker Encryption Audit
Audits BitLocker encryption status on all fixed volumes. Unencrypted drives mean a stolen or decommissioned machine hands attackers all its data.
macOS Firewall Audit
Checks macOS application firewall state and stealth mode. An inactive host firewall exposes every listening service on the machine to the local network.
FileVault Encryption Audit
Verifies FileVault full-disk encryption is enabled. Without FileVault, physical access or a lost Mac gives an attacker direct access to all data.
Gatekeeper & XProtect Audit
Confirms Gatekeeper and XProtect enforcement status. Disabled Gatekeeper allows unsigned or malicious applications to run without any warning.
macOS Software Update Audit
Checks for pending macOS and App Store updates. Outdated macOS versions expose known vulnerabilities that exploit kits actively target.
D. Network Exposure & Lateral Movement (24 tests)
TCP Quick Port Scan
Scans the top 1,000 most common TCP ports across discovered hosts. Quickly surfaces the most commonly exposed services — web, SSH, RDP, SMB — that are most frequently attacked.
Full TCP Port Scan
Full 65,535-port TCP scan across all discovered hosts. Finds services running on non-standard ports that are often forgotten and left unpatched.
UDP Port Scan
Scans the top 200 UDP ports. UDP services like DNS, SNMP, and TFTP are frequently overlooked but carry significant risk.
Service Version Detection
Banner-grabs identified services to determine version and product. Version information drives vulnerability matching — running an unpatched version of a known-vulnerable service is a critical gap.
OS Fingerprinting
Fingerprints the operating system of each discovered host. Knowing the OS helps target OS-specific exploits and identifies unsupported systems no longer receiving patches.
SMB Host Discovery
Discovers all hosts with SMB accessible. SMB is the most common lateral movement protocol in Windows environments and must be inventoried.
SMB Share Enumeration
Enumerates accessible SMB shares on discovered hosts. Open shares are a primary data exfiltration path and often contain sensitive files accessible to all users.
SMB Null Session Testing
Tests for anonymous (null session) access to SMB/IPC$. Null sessions allow unauthenticated attackers to enumerate users, groups, and shares.
Anonymous Share Access Testing
Tests whether shares can be accessed without credentials. Publicly accessible file shares are a direct path to sensitive data with zero authentication required.
SMB Signing Check
Verifies SMB signing is required on all hosts. Without mandatory SMB signing, attackers can perform NTLM relay attacks to gain authenticated access to any machine.
SMB OS Discovery
Extracts OS version information from SMB negotiation. Identifies unpatched and end-of-life Windows systems based on protocol negotiation responses.
Internal Web App Discovery
Discovers internal web applications by scanning for HTTP/HTTPS listeners. Internal web apps are frequently unpatched, poorly configured, and outside the scope of regular vulnerability management.
Web App Fingerprinting
Identifies frameworks, CMS platforms, and server software powering internal apps. Technology fingerprinting enables targeted vulnerability matching against known-vulnerable versions.
Admin Panel Detection
Probes common administrative URL paths across discovered web applications. Admin panels exposed on the internal network without additional authentication controls are high-value targets.
Default Credential Testing (Web)
Tests web applications for default or weak credentials. Factory-default passwords on internal management interfaces are responsible for a significant proportion of breaches.
Web Directory Listing Detection
Detects web servers returning directory listings. Directory listing exposes the full file structure of a web application, aiding reconnaissance and file discovery.
Web Security Header Audit
Checks for missing security headers (CSP, HSTS, X-Frame-Options, etc.). Missing security headers enable clickjacking, XSS, and protocol downgrade attacks against internal applications.
WinRM Detection
Identifies hosts with Windows Remote Management exposed. WinRM is a remote command execution channel — exposure across the network dramatically widens the attack surface.
WMI / DCOM Detection
Detects hosts with DCOM/WMI accessible on port 135. WMI is a native Windows remote execution capability and a primary tool in attacker lateral movement playbooks.
RDP Detection & NLA Check
Discovers hosts with RDP accessible and checks Network Level Authentication. Exposed RDP is the single most targeted remote access service — NLA absence removes a key authentication barrier.
Pass-the-Hash Path Mapping
Maps credential reuse pathways using local admin accounts across the network. A single compromised credential with local admin rights on multiple machines enables full network takeover.
Lateral Movement Risk Summary
Aggregates all lateral movement risk indicators into a prioritized summary. Provides a consolidated view of the paths an attacker would use to traverse from initial access to full compromise.
Legacy Protocol Risk Assessment
Assesses risk from legacy or insecure network protocols (LLMNR, NetBIOS, WPAD, etc.). Legacy protocols create name resolution poisoning and credential relay opportunities that are trivially exploited.
LLMNR / NBT-NS Detection
Passively detects LLMNR and NBT-NS broadcast traffic. LLMNR and NBT-NS poisoning is one of the most reliable ways to capture NTLM credentials on a local network.
E. Patching & Vulnerability Posture (10 tests)
PrintNightmare (CVE-2021-1675)
Checks for PrintNightmare exposure. PrintNightmare allowed any authenticated user to gain SYSTEM privileges — unpatched systems remain trivially exploitable.
ZeroLogon (CVE-2020-1472)
Tests for ZeroLogon vulnerability. ZeroLogon allowed attackers to take over any domain controller in seconds with no credentials.
PetitPotam (CVE-2021-36942)
Detects PetitPotam exposure. PetitPotam forces domain controllers to authenticate to attacker-controlled servers, enabling NTLM relay to AD CS.
Unquoted Service Path Detection
Identifies Windows services with unquoted paths containing spaces. Unquoted service paths allow an attacker with write access to a parent directory to achieve SYSTEM-level code execution.
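As an added illustration of this check (example code written here, not BreachBrain's own agent), the Python below flags unquoted service image paths that contain spaces and lists, in order, the executables Windows would try to start for such a path, so an auditor knows which parent directories need their write ACLs reviewed. The service names and paths are constructed samples.

```python
import re

# Constructed service ImagePath values (no real services); keys are service names.
SAMPLE_IMAGE_PATHS = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -run',
    "BadSvc": r"C:\Program Files\Bad Vendor\sub dir\bad.exe -run",
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "NoSpace": r"C:\Tools\agent.exe",
}

# Everything up to and including the first ".exe" that ends a token.
_EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Executable portion of an unquoted ImagePath with its arguments stripped."""
    m = _EXE_RE.match(image_path.strip())
    return m.group(1) if m else image_path.strip()

def is_unquoted_with_spaces(image_path):
    """True when the path is not quoted and its executable portion contains a
    space, so Windows has to guess where the executable name ends."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_part(p)

def search_candidates(image_path):
    """Executables Windows tries, in order, for an ambiguous path (the sequence
    documented for CreateProcess). The parent directory of each candidate
    before the last one is where a writable ACL would be a finding."""
    exe = executable_part(image_path)
    words = exe.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))] + [exe]

def audit_services(image_paths):
    """Map each service with an unquoted, space-containing path to the
    candidate executables an auditor should review."""
    return {name: search_candidates(path)
            for name, path in image_paths.items()
            if is_unquoted_with_spaces(path)}

if __name__ == "__main__":
    for svc, candidates in audit_services(SAMPLE_IMAGE_PATHS).items():
        print(svc)
        for candidate in candidates:
            print("   ", candidate)
```

On a live Windows host the same functions can be fed the ImagePath values read from the service registry keys; only the constructed dictionary above is specific to this example.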
Weak Service Permission Audit
Finds services with weak ACLs that allow modification by non-admin users. Writable service binaries or configurations let low-privileged attackers escalate to SYSTEM.
AlwaysInstallElevated Detection
Detects the AlwaysInstallElevated registry misconfiguration. When set, any MSI package runs as SYSTEM — a trivial privilege escalation for any local user.
EternalBlue / MS17-010 (CVE-2017-0144)
Probes for EternalBlue vulnerability — the exploit behind WannaCry and NotPetya. Unpatched systems remain vulnerable to remote code execution.
BlueKeep (CVE-2019-0708)
Checks for BlueKeep vulnerability. BlueKeep enables unauthenticated remote code execution on RDP-exposed Windows systems without a single credential.
Linux Package Update Inventory
Inventories pending security and non-security package updates via apt/yum/dnf. Unpatched packages are the leading cause of exploitable vulnerabilities.
Windows Patch Audit
Audits installed Windows hotfixes and Windows Update configuration. Unpatched Windows systems are the primary target of ransomware operators and nation-state actors.
F. Configuration Hardening (13 tests)
Linux SSH Configuration Audit
Audits sshd_config for insecure settings: root login, password auth, empty passwords, weak protocols, X11 forwarding, and MaxAuthTries. SSH is the primary remote access method on Linux — a single misconfiguration can allow root access without a password.
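The audit described above, as an added example that is not BreachBrain's code: a small Python parser that derives the effective global sshd settings (first occurrence of a keyword wins, `Key=value` is accepted, and a `Match` block ends the global section) and flags the same settings the test names. The config excerpt is constructed, and the defaults assumed for absent keywords are those of current OpenSSH.

```python
import re

# Constructed sshd_config excerpt (not from a real host). The second
# PermitRootLogin is ignored by sshd because the first occurrence wins, and the
# Match block applies only to user "deploy", so it must not change the globals.
SAMPLE_SSHD_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication no
PermitEmptyPasswords=yes
MaxAuthTries 10
X11Forwarding no
Match User deploy
    PasswordAuthentication no
"""

# Values OpenSSH assumes when a keyword is absent (assumption: current OpenSSH).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "x11forwarding": "no",
            "maxauthtries": "6", "protocol": "2"}

def parse_sshd_config(text):
    """Effective global settings: case-insensitive keywords, 'Key value' or
    'Key=value' syntax, first occurrence wins, nothing past the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":          # conditional section: stop reading globals
            break
        if len(parts) < 2:
            continue
        settings.setdefault(key, parts[1].strip())
    return settings

def audit_sshd(text):
    """Return (keyword, effective value, reason) for each insecure setting."""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS[k]).lower()
    checks = [
        ("permitrootlogin", get("permitrootlogin") == "yes", "root may log in with a password"),
        ("passwordauthentication", get("passwordauthentication") == "yes",
         "password guessing possible (this is the default when unset)"),
        ("permitemptypasswords", get("permitemptypasswords") == "yes", "empty passwords accepted"),
        ("protocol", "1" in get("protocol").split(","), "obsolete SSH protocol 1 enabled"),
        ("x11forwarding", get("x11forwarding") == "yes", "X11 forwarding widens the attack surface"),
        ("maxauthtries", not get("maxauthtries").isdigit() or int(get("maxauthtries")) > 6,
         "more than 6 authentication attempts allowed per connection"),
    ]
    return [(k, get(k), why) for k, bad, why in checks if bad]
```

Running `audit_sshd(SAMPLE_SSHD_CONFIG)` flags PermitRootLogin, PasswordAuthentication (absent, so the permissive default applies), PermitEmptyPasswords, Protocol and MaxAuthTries, and ignores the `Match`-scoped PasswordAuthentication line.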
Linux Kernel Version Audit
Records the running kernel version and OS distribution. Out-of-date kernels contain known privilege escalation vulnerabilities actively exploited by attackers post-access.
Linux Sudo Rules Audit
Parses sudoers rules to identify unrestricted NOPASSWD entries and overly broad command grants. Passwordless sudo grants give any process running as that user instant root.
Linux Open Port Enumeration
Enumerates all listening ports and their associated processes. Services listening on all interfaces that should only be local are a common misconfiguration exposing attack surface.
SUID Binary Scan
Scans the filesystem for SUID-bit binaries that enable privilege escalation. SUID binaries run as root regardless of who executes them — unexpected SUID files are a classic local privilege escalation path.
Linux Firewall Audit
Checks the status of ufw, iptables, and firewalld. A disabled host firewall means all listening services are reachable with no network-layer filtering.
Linux Failed Login Analysis
Analyzes auth logs for failed login attempts in the past 24 hours. Sustained failed login patterns indicate active brute-force attacks in progress that may not yet have generated alerts.
macOS Sudoers Audit
Parses macOS sudoers configuration for NOPASSWD and unrestricted command entries. Passwordless sudo grants any process running as that user instant root on macOS.
macOS SSH Audit
Reviews macOS Remote Login (SSH) service status and sshd_config settings. macOS SSH is often enabled for convenience and left with insecure defaults, exposing the machine to remote access attacks.
Windows Service Account Audit
Audits Windows service startup types and the accounts under which they run. Services running as SYSTEM or LocalSystem with weak permissions are primary privilege escalation and persistence vectors.
Windows Registry Security Audit
Checks critical registry keys for security-relevant misconfigurations. Registry settings control UAC, credential caching, and autorun behavior — misconfiguration enables numerous attacks.
Windows Local User Audit
Enumerates local user accounts, administrator membership, and password policy. Unexpected local admin accounts and weak local password policies are common attacker persistence mechanisms.
Windows Firewall Profile Audit
Checks Windows Firewall state across all profiles (Domain, Private, Public). A disabled Windows Firewall removes the host-level network protection layer that blocks unauthorized inbound connections.
G. Credential Attacks & Defense Evasion (5 tests)
Kerberoasting Execution
Requests TGS tickets for SPN-registered accounts and evaluates crackability. Kerberoasting is one of the most common Active Directory attacks — any authenticated domain user can perform it, and it leaves minimal logs.
AS-REP Roasting Execution
Extracts AS-REP hashes for accounts with pre-authentication disabled. AS-REP Roasting requires zero credentials and yields offline-crackable password hashes for affected accounts.
Password Spraying
Performs policy-aware, low-rate password spraying against domain accounts. Password spraying stays under lockout thresholds by trying one common password across many accounts — it reliably finds weak credentials.
Local Admin Credential Spray
Tests for credential reuse by attempting local admin authentication across discovered hosts. Reused local admin passwords are the most reliable lateral movement technique in Windows networks.
NTLM Hash Capture Exposure Assessment
Assesses the environment's exposure to NTLM relay and hash capture attacks. NTLM relay attacks turn captured authentication attempts into authenticated sessions — no password cracking required.
H. Data Exposure & Sensitive Service Access (7 tests)
Database Service Discovery
Scans for exposed database services (MySQL, MSSQL, PostgreSQL, MongoDB, Redis, Elasticsearch). Databases are the primary target of data breaches — any database reachable on the network without authentication is critical.
MSSQL Enumeration
Probes MSSQL instances for unauthenticated access, version, and linked servers. MSSQL linked servers and xp_cmdshell can enable full OS-level command execution from a database connection.
MySQL Enumeration
Tests MySQL instances for anonymous access and weak credentials. MySQL with anonymous access or default credentials exposes the entire database without authentication.
MongoDB Enumeration
Checks MongoDB instances for unauthenticated access. MongoDB has a history of being deployed without authentication — exposed instances have led to large-scale data breaches.
Redis Enumeration
Tests Redis instances for unauthenticated access and configuration exposure. Unauthenticated Redis can be abused to write SSH keys, cron jobs, or web shells — achieving remote code execution.
Elasticsearch Enumeration
Probes Elasticsearch for open access and index enumeration. Elasticsearch clusters deployed without authentication have exposed billions of records in publicly reported breaches.
PostgreSQL Enumeration
Tests PostgreSQL for weak credentials and the COPY TO/FROM FILE privilege. PostgreSQL's file copy commands can read arbitrary files from the server filesystem when credentials are weak.