By: RedLegg Blog
What happens if an attacker bypasses your security defenses and compromises your internal network? Organizations spend significant financial and staff resources preventing this scenario, but many lack a clear plan for defending their internal environment or identifying where the greatest risks reside. That’s where internal penetration testing comes in.
Internal assessments are a powerful way to evaluate your environment through the lens of an attacker. They help uncover vulnerabilities, misconfigurations, and blind spots, while providing an honest risk assessment and actionable recommendations.
RedLegg specializes in these internal network assessments. “You’ll find that there are a good number of organizations out there that have what is commonly known as the ‘M&M model,’” says Erin Rosa, a Senior Security Consultant with RedLegg who leads internal pentests. “That means their external attack surface is tough on the outside, but when you get into the internal network, the security can be soft on the inside.”
The first week of an internal network penetration test is foundational. It sets the pace and direction of the engagement, helping ensure that the assessment delivers real value.
Understanding the Internal Attack Surface
Unlike external assessments, internal penetration testing involves navigating a wider, more trusted environment. It’s not uncommon for these networks to include tens of thousands of hosts, unmonitored services, and legacy protocols.
“Internal systems tend to be much larger and more complex. It’s the lifeblood of the organization, where the work gets done,” says Rosa.
Before anything else, the testing team needs to understand scope and scale. This isn’t just about IP ranges; it’s about pinpointing where real risk lives and how an attacker could move laterally within the network.
Enumeration & Visibility – The Core of Week One
Most of week one is dedicated to enumeration, scanning, and mapping. This process is all about building visibility.
Key activities include:
- Launching vulnerability scans in parallel (Nmap, Nessus, nuclei)
- Identifying exposed services, open ports, and misconfigurations
- Passively monitoring internal traffic to understand behavior
“We run scans concurrently while keeping the availability and reliability of the network environment as a top priority. This saves time and helps us gain visibility fast,” Rosa explains.
Enumeration ensures testing isn’t done blindly. If the team doesn’t know what exists in the environment, it can’t assess risk effectively.
Common Vulnerabilities Found Early
The first week often uncovers impactful vulnerabilities without even needing active exploitation.
Examples include:
- Relay attacks: Lack of protocol signing (SMB, LDAP) that allows impersonation
- Guessable credentials: Reused or default logins across systems
- Active Directory Certificate Services (AD CS): Certificate misconfigurations enabling privilege escalation
- Flat networks: No segmentation between critical assets
- Lack of monitoring: Unnoticed lateral movement and suspicious traffic
These issues may seem small, but when combined, they can open the door to full Domain Admin access.
Week One Timeline: What Happens Each Day
Here’s how a typical internal test progresses during its first week:
- Day 1–2: Scope validation, vulnerability scan kickoff, environment mapping
- Day 3–4: Deeper enumeration and discovery of lateral movement and privilege escalation paths
- Day 5: Prioritization of exploitation routes and offensive attack strategy planning
By the end of the week, the pentesting team has a solid map of the attack surface and a targeted plan for deeper testing.
Ethical Boundaries in Action
Pentesting isn’t about proving how far you can go. It’s about helping organizations understand risk in a safe, controlled way. Rosa shared cases where the team had the technical ability to escalate access or trigger disruptions but chose not to.
“There are moments when you technically can, but you don’t,” she says. “We’re here to test systems, not break trust or make life harder for the people using and maintaining the network. That’s why we provide regular updates and notify clients of active testing hours.”
This type of transparency and restraint builds credibility and strengthens relationships.
How Clients Can Prepare for Internal Testing
According to Rosa, the most valuable tests are those that mirror a real-world scenario.
To prepare:
- Test in representative environments: Avoid isolating testers in unrealistic segments
- Limit awareness: Only inform stakeholders who need to know
- Coordinate with detection teams: Expect scan traffic, and make sure it’s distinguishable
Preparation directly impacts the quality and value of the final findings.
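One way a detection team could keep test traffic distinguishable, shown as an added example (not RedLegg's tooling): label each alert by tester source range and announced testing hours instead of suppressing it. The ranges, hours, alert fields, and sample alerts below are constructed assumptions.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed engagement details (constructed): the source range assigned to the
# testers and the active testing hours announced to the client.
TESTER_RANGES = [ip_network("10.20.30.0/28")]
TESTING_WINDOWS = {day: (time(9, 0), time(17, 0)) for day in range(5)}  # Mon-Fri


def in_tester_range(src):
    """True if the alert source falls inside an agreed tester range."""
    addr = ip_address(src)
    return any(addr in net for net in TESTER_RANGES)


def in_testing_window(ts):
    """True if the timestamp falls inside the announced testing hours."""
    window = TESTING_WINDOWS.get(ts.weekday())
    return window is not None and window[0] <= ts.time() < window[1]


def classify_alert(alert):
    """Label an alert; nothing is dropped, so real activity stays visible."""
    ts = datetime.fromisoformat(alert["time"])
    if not in_tester_range(alert["src"]):
        return "investigate"                   # not attributable to the test
    if in_testing_window(ts):
        return "authorized-test"               # expected scan traffic
    return "tester-source-outside-window"      # confirm with the test team


# Constructed sample alerts (2024-03-04 is a Monday).
SAMPLE_ALERTS = [
    {"time": "2024-03-04T10:15:00", "src": "10.20.30.5", "rule": "port-scan"},
    {"time": "2024-03-04T23:40:00", "src": "10.20.30.5", "rule": "port-scan"},
    {"time": "2024-03-04T10:20:00", "src": "10.50.1.77", "rule": "port-scan"},
]


def triage(alerts):
    """Return (source, rule, label) for each alert."""
    return [(a["src"], a["rule"], classify_alert(a)) for a in alerts]


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Alerts from a tester address outside the announced hours get their own label so they are confirmed with the testing team rather than assumed benign.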
Week One Outcomes
By the end of week one, your organization will have:
- A mapped internal environment and high-value target list
- A prioritized list of misconfigurations and vulnerabilities
- Identified lateral movement and escalation paths
- A validated, realistic attack path for further testing
These insights drive the remaining phases of the assessment and serve as the basis for remediation.
The First Week Shapes the Entire Engagement
The first week of internal penetration testing isn’t just prep work. It’s where the most important discoveries happen.
With the right planning, collaboration, and ethical approach, this initial phase helps organizations get meaningful, measurable value from their assessments.
Want to get more value out of your internal network penetration testing? Talk to RedLegg’s team to learn how to scope your next assessment for deeper impact.
