Internal Network & Active Directory Assessment
PENTRA enables structured penetration testing of internal network and Active Directory environments — executing MITRE ATT&CK techniques at the individual technique level, with engineer-validated findings, real-time detection tracking, and a measurable Security Score per tactic.
PENTRA can be used by internal security teams as a platform or delivered as a fully managed service by Reacts — using the same structured methodology, technique library, and evidence-based execution model.
Test Your Internal Network the Way a Real Attacker Would — Under Controlled Conditions
Internal network penetration testing evaluates how attackers move within an environment after initial access, focusing on lateral movement, privilege escalation, and Active Directory compromise.
Internal network assessments simulate what happens after an adversary has crossed the perimeter — whether through phishing, a compromised vendor, or a malicious insider. PENTRA executes MITRE ATT&CK techniques across the full kill chain: from Initial Access through Persistence, Privilege Escalation, Lateral Movement, and Impact.
The critical difference from an ad-hoc internal pentest: every technique is executed through a controlled agent, validated by the engineer before being recorded, and tracked against the full technique scope for the engagement. No technique can be skipped without an explicit Not Applicable marking.
Engagement Methodology
| Phase | Activities |
|---|---|
| Scoping & Planning | Define engagement scope · Select MITRE ATT&CK tactics and techniques in scope · Establish rules of engagement · Configure PENTRA project and assign Blue Team |
| Reconnaissance | Map internal network services, applications, and Active Directory structure · Identify attack surface |
| Controlled Technique Execution | Deploy PENTRA agent on target systems · Execute MITRE ATT&CK techniques individually · Engineer validates each result before recording finding with evidence |
| Lateral Movement & Privilege Escalation | Simulate attacker progression through the internal environment — tracking each step in the PENTRA attack path builder |
| Post-Exploitation Validation | Validate the extent of access achievable from confirmed footholds · Document data exposure and impact potential |
| Reporting | Generate on-demand reports at any engagement stage — MITRE ATT&CK-mapped findings, attack walk-through, Detection Rate per tactic, mitigation recommendations |
| Retest | Validate that remediations are effective and confirm reduction in residual risk |
How PENTRA Structures This Engagement
This capability is delivered through the PENTRA platform using structured technique execution, human validation, and evidence-based reporting.
Initial Access through Impact — complete tactic and technique coverage for internal and external network assessments.
Windows agent deployment with unique TLS certificates per agent — each cryptographically identified to the C2 server.
Technique-level execution with real-time output streaming via WebSocket — engineer validates exploitability per technique before recording.
Diagram editor documenting attacker progression with evidence per step — showing the full lateral movement chain from entry point to impact.
Security Score and Detection Rate computed per MITRE ATT&CK tactic in real time — updated as techniques are validated and findings recorded.
100% technique scope coverage enforced — engagement cannot close until all in-scope techniques are validated or marked Not Applicable.
Live execution feed to Blue Team Portal — Blue Team marks detection per technique with evidence for PT++ engagements.
Executive Summary, Technical Report, and Blue Team Detection Report — generated at any engagement stage in PDF and Word format.
PT++: Purple Team Internal Network Assessment
PT++ engagements run the Red Team and Blue Team simultaneously through PENTRA's dual-portal system. As the engineer executes MITRE ATT&CK techniques against the internal network, the Blue Team Portal streams a live feed to your SOC — who mark detection per technique in real time with evidence. The result is a combined report showing security posture, Detection Rate per tactic, and an evidence-backed mitigation backlog.
| Capability | Description | Tags |
|---|---|---|
| Insider Threat Simulation | Structured emulation of insider threat behavior — lateral movement, Active Directory abuse, and privilege escalation — using validated MITRE ATT&CK techniques. | Insider Threat · AD Security |
| Lateral Movement Tracking | Technique-level tracking of every lateral movement step with evidence — documented in the attack path builder. | Lateral Movement · Path Documentation |
| Active Directory Assessment | Structured testing of AD misconfigurations, Kerberoasting, Pass-the-Hash, and privilege escalation paths — mapped to ATT&CK techniques. | AD Testing · Privilege Escalation |
| Scope Coverage Enforcement | 100% coverage of selected ATT&CK techniques — enforced by the Open Points tracker before engagement close. | TTP Coverage · Scope Validation |
| SOC Detection Validation | Live Blue Team Portal feed · Manual detection marking per technique · Detection Rate computed per ATT&CK tactic | Purple Team · SOC Calibration |

| Metric | What It Reflects |
|---|---|
| Security Score (per tactic) | Percentage of ATT&CK techniques the environment successfully resisted — validated by engineer |
| Detection Rate (per tactic) | Percentage of executed techniques the Blue Team marked as detected — validated manually |
| Scope Coverage | 100% — enforced before engagement close |
What You Receive
| Deliverable | Description |
|---|---|
| Executive Summary | Security Score per tactic, severity distribution, and key findings — formatted for CISO and board audiences. |
| Technical Report | All findings mapped to MITRE ATT&CK TTPs · Engineer-validated findings with evidence · Attack walk-through with path diagram · Mitigation recommendations per finding |
| Blue Team Detection Report (PT++ only) | Detection Rate per tactic · Evidence gallery of detected and undetected techniques · Mitigation backlog |
| Delivery Discussion | Presentation of critical findings and business impact with the Reacts engineering team. |
Why Structured Internal Testing Matters
| Outcome | Why It Matters |
|---|---|
| Compliance Evidence | Demonstrate MITRE ATT&CK coverage to auditors, regulators, and clients with an evidence-backed report. |
| Residual Risk Quantification | Know which threats your controls already stop — and which ones they don't. |
| SOC Calibration | Use Detection Rate per tactic to identify which ATT&CK phases your SOC detects reliably and where additional detection engineering is needed. |
| Security Investment Validation | Compare Security Scores across engagements to validate whether security investments are reducing the attack surface. |
Prefer a Fully Managed Engagement?
Reacts delivers this capability as a managed service — executed by certified engineers and powered by the PENTRA platform.