Network Penetration Testing
The wall looks solid. We find the door.
Every network looks hardened from the outside. We test it from the inside out — mapping segmentation failures, trust relationships, and the paths that lead from a foothold to full domain compromise. Methodical. Documented. Actionable.
Methodology
How we test.
External Recon
- ASN and IP range enumeration
- DNS brute-force and zone transfer
- Certificate transparency mining
- Shodan / OSINT surface mapping
External Exploitation
- CVE validation against all live services
- VPN and remote access testing
- Email gateway security (SPF/DKIM/DMARC)
- Exposed management interfaces
Internal Discovery
- Network segment mapping
- Service and protocol enumeration
- SMB/RPC/LDAP anonymous access
- Default credential testing
Active Directory
- Kerberoasting and AS-REP roasting
- BloodHound attack path analysis
- ACL/ACE abuse (GenericAll, GenericWrite)
- Delegation attack chains (unconstrained, S4U2Proxy)
Lateral Movement
- Pass-the-Hash / Pass-the-Ticket
- NTLM relay (Responder, ntlmrelayx)
- WMI/PsExec/DCOM pivoting
- VLAN hopping and segmentation testing
Impact Analysis
- Domain/forest compromise path
- Sensitive data reachability from breach point
- Privilege escalation to Domain Admin
- Persistence mechanism identification
Tooling
What we use.
Nessus Professional
Authenticated and unauthenticated vulnerability scanning across all network hosts.
Metasploit Framework
Exploit framework for vulnerability validation and proof-of-concept exploitation.
BloodHound + SharpHound
Active Directory attack path mapping and privilege escalation analysis.
Responder + ntlmrelayx
LLMNR/NBT-NS poisoning and NTLM relay attack execution.
CrackMapExec + Impacket
SMB/RPC enumeration, credential spraying, and lateral movement.
Nmap + Masscan
Fast port scanning and service fingerprinting across large IP ranges.
Sample findings
What we find.
Representative findings from past engagements. Client details redacted.
CRITICAL
Domain Admin via Kerberoastable Service Account
A SQL service account with a registered SPN and a weak password: its service ticket was cracked offline, and the account's privileges led to full domain compromise within 4 hours.
HIGH
SMB Relay Attack — Lateral Movement to Finance VLAN
LLMNR poisoning captured NTLMv2 authentication that was relayed over SMB, pivoting from the guest WiFi segment into internal finance servers.
HIGH
Firewall Rule Permits Direct Access to Domain Controller
A perimeter rule exposed RDP on a domain controller to the internet on a non-standard port. It had gone undetected for 18 months.
MEDIUM
Excessive ACL Delegation — GenericWrite on 40% of AD Objects
Service accounts holding GenericWrite over other accounts could add SPNs to those accounts, opening targeted Kerberoasting escalation paths.
Pricing
Engagement tiers.
Essentials
$3,000 – $8,000
SMB / external-only
- External perimeter testing
- Open port and service enumeration
- CVE validation against live services
- Executive summary + findings report
- 30-day retest on Critical/High
External scope only. No on-site or VPN access required.
Get a Quote
Standard (most common)
$15,000 – $30,000
Mid-market / SOC 2 / internal scope
- External + internal testing
- Active Directory assessment
- Network segmentation testing
- Lateral movement simulation
- Compliance-ready report
- 30-day retest included
Full manual methodology. VPN or on-site access required for internal.
Get a Quote
Enterprise
$30,000 – $75,000+
Large org / complex AD / multi-site
- Multi-site external + internal
- Full AD attack path analysis via BloodHound
- Assumed breach scenario
- Purple team debrief session
- Executive + technical report package
Scoped per engagement. Multi-week active testing window.
Get a Quote
FAQ
Common questions.
Do you need to be on-site for internal testing?
Not necessarily. We can work over a VPN connection with a pivot host on your internal network. On-site is available for engagements where physical presence is preferred or required.
How disruptive is active testing?
We test carefully and coordinate with your team on testing windows. We avoid denial-of-service style testing unless explicitly in scope. Critical findings are reported in real-time so you can respond immediately.
What do you need from us before testing starts?
A signed SOW, rules of engagement, and authorization letter. For internal testing: VPN credentials or a jump host. For Active Directory: a low-privileged domain user account is standard for assumed-compromise scenarios.
What if you find something critical during testing?
We stop and call you. Critical findings are never held until the final report — we escalate immediately to your designated point of contact and document the finding in Cyver Core.
Start an engagement
Ready to see what's really there?
No commitment, no pitch deck. A direct conversation about your threat surface and what a DALI engagement looks like.
Request Scoping Call →
Response: All scoping inquiries answered within one business day.
NDA first: Mutual NDA signed before any scoping conversation begins.
Compliance: SOC 2, PCI DSS, and HIPAA report-ready engagements.
Contact: hello@dali.security