Advanced post-breach security testing starting from the premise that attackers have already gained access to your environment.
Our comprehensive breach testing combines sophisticated techniques to simulate real-world attacker behavior.
Advanced simulation of attacker movement through network infrastructure
95% Realism
Comprehensive evaluation of security monitoring and detection capabilities
98% Realism
Thorough testing of incident response and containment procedures
99% Realism
Structured approach to realistic security testing
Simulate initial compromise
Establish long-term access
Map network and assets
Test data extraction
Detailed visualization of potential attacker movement paths
Comprehensive analysis of security monitoring blind spots
Measurement and optimization of incident response capabilities
Actionable recommendations ranked by business impact
Common questions about assumed breach testing
Assumed breach testing operates on the premise that attackers have already gained initial access to your network. Instead of testing perimeter defenses, we focus on your ability to detect lateral movement, contain threats, respond to incidents, and prevent data exfiltration. This approach tests your defensive depth, detection capabilities, and incident response procedures—critical capabilities for stopping sophisticated attacks.
Penetration testing starts from the outside and tests perimeter defenses. Assumed breach testing starts from inside your network (simulating an attacker who has already breached the perimeter) and focuses on detection, containment, and response. Pentests validate external security controls, while assumed breach tests evaluate your ability to detect and respond to threats that bypass perimeter defenses—like insider threats, phishing, or supply chain attacks.
We test lateral movement across network segments, privilege escalation, credential theft, Active Directory attacks, persistence mechanisms, data exfiltration methods, detection evasion techniques, and incident response procedures. Scenarios include simulated ransomware attacks, insider threats, compromised credentials, and advanced persistent threat (APT) behaviors. We customize scenarios based on your specific threat model and concerns.
That depends on your objectives. For testing pure detection capabilities, we recommend not informing your SOC team so we can evaluate their ability to detect threats in real time. For collaborative engagements focused on improving detections, we work directly with your security team (purple team approach). We always inform executive leadership and establish escalation procedures for safety.
We work with you to establish realistic starting points. Common approaches include: simulated phishing compromise (credential provided), VPN access as a remote employee, workstation access as an insider, or compromised service account. We don't actually compromise your systems—you provide us with legitimate access that simulates a breach scenario. This allows us to focus the engagement on detection and response rather than initial access.
You receive a comprehensive report detailing: what we accessed, how we moved laterally, what your team detected (or missed), timeline of activities, detection gaps, recommendations for improving monitoring and response, and specific detection rules you can implement. We also provide a debrief session to walk through the attack path, discuss findings, and help your team improve detection and response capabilities.
Comprehensive security testing and incident response services
Every security assessment comes with a professional, tamper-proof certificate your stakeholders can verify anytime.
Evaluate your incident response capabilities with assumed breach scenarios. Discover how your team detects, contains, and recovers from security incidents.