Skip to main content
Most security testing focuses on what’s externally reachable. But the majority of real-world breaches don’t stop at the perimeter. An attacker who compromises a single endpoint, phishes a developer, or exploits an exposed service is now inside your network, and the damage they do from there depends entirely on how your internal environment is configured. Internal networks are where privilege escalation happens, where lateral movement goes unchecked, and where attackers reach the systems that actually matter: databases, admin panels, CI/CD pipelines, secrets stores, and internal APIs that were never designed to face hostile traffic. Most organizations have limited visibility into what an attacker can reach once they’re past the perimeter, because internal pentesting is expensive, disruptive, and happens infrequently at best.

How Neo Solves This

Neo conducts internal network assessments by simulating post-compromise scenarios: starting from a foothold inside your network and systematically testing how far an attacker can go, what they can access, and what damage they can inflict.
  1. Establishes a starting position — Neo begins from a defined entry point inside your network: a compromised workstation, a developer laptop, a container within your cluster, or any segment you want to test from. This simulates realistic breach scenarios where an attacker has already bypassed perimeter defenses.
  2. Discovers internal services and assets — from the starting position, Neo maps the internal network: identifying reachable hosts, open ports, running services, internal APIs, databases, management interfaces, and infrastructure components. It builds a picture of what’s accessible from the compromised vantage point.
  3. Tests for privilege escalation — Neo probes internal services for weaknesses that enable escalation: default credentials on management interfaces, misconfigured service accounts, overly permissive IAM roles, unpatched internal services with known CVEs, weak authentication on internal APIs, and exposed secrets in configuration files or environment variables.
  4. Maps lateral movement paths — when Neo gains access to one internal system, it tests what that access enables. Can it reach other network segments? Can it access databases or secrets stores? Can it pivot from a development environment to production? Neo traces these paths to demonstrate how a single compromise cascades across your internal infrastructure.
  5. Assesses post-compromise impact — Neo doesn’t stop at proving access. It demonstrates what an attacker can do with that access: extracting sensitive data, modifying configurations, accessing customer records, reaching CI/CD systems, or compromising deployment pipelines. The findings reflect real business impact, not theoretical risk.
  6. Tests segmentation and controls — Neo validates whether your network segmentation, firewall rules, and access controls actually prevent lateral movement. It identifies gaps where controls are configured but not enforced, where segmentation exists on paper but not in practice, and where trust relationships between services create unintended access paths.

What This Looks Like in Practice

You ask Neo to simulate an internal breach scenario: 
Simulate an attacker who has compromised a developer workstation 
on our internal network.

Starting point: 10.0.1.50 (developer VLAN)
Credentials: standard developer AD credentials (provided via env vars)

Map what's reachable from this position, test for privilege 
escalation, and see how far you can move laterally toward 
production systems and sensitive data stores.
Neo begins from the developer VLAN, discovers 140+ reachable internal services, and identifies that the internal Jenkins instance at 10.0.2.30 accepts the developer’s AD credentials with no additional authentication. From Jenkins, Neo accesses stored deployment credentials, uses them to authenticate to the production Kubernetes cluster, and demonstrates read access to production database secrets. The full attack chain (developer workstation to Jenkins to deployment credentials to production cluster to database secrets) is documented with evidence at every step and specific remediation for each link in the chain.

What You Get

  • Realistic breach simulation — testing that starts from a credible internal foothold rather than an external scan, reflecting how real attacks unfold after initial compromise
  • Lateral movement mapping — complete documentation of how far an attacker can move from a given starting position, with every hop validated and evidenced
  • Privilege escalation paths — confirmed escalation routes through misconfigured services, weak credentials, exposed secrets, and unpatched internal software
  • Segmentation validation — evidence of whether your network controls and segmentation actually prevent lateral movement between environments and trust zones
  • Real impact demonstration — findings that show what an attacker can access and do, not just which services are reachable, including data exposure, configuration tampering, and pipeline compromise
  • Chained attack narratives — multi-step attack paths documented end to end with evidence at each stage, making it clear how individual weaknesses combine into critical exposure

Common Internal Testing Scenarios

Developer Workstation Compromise

Simulates an attacker who has phished a developer or compromised their laptop. Tests what internal systems a developer’s credentials and network position can reach, whether escalation to production systems is possible, and how effective segmentation is between development and production environments.

Container Escape and Cluster Pivoting

Starts from a compromised container within your Kubernetes or Docker environment. Tests for container escape paths, access to the node’s host system, cluster-level privilege escalation via misconfigured RBAC, and lateral movement to other workloads, namespaces, or the underlying cloud infrastructure.

Post-Phishing Lateral Movement

Simulates the aftermath of a successful phishing attack on a non-technical employee. Tests what an attacker can reach with standard corporate credentials: internal applications, file shares, admin panels, and whether they can escalate from a low-privilege position to systems containing sensitive data.

CI/CD Pipeline Compromise

Assesses what an attacker who gains access to your build and deployment infrastructure can do: injecting code into builds, accessing deployment secrets, modifying production configurations, or using the pipeline as a pivot point to reach production systems directly.

Trust Boundary Validation

Systematically tests the boundaries between network segments, environments (development, staging, production), and trust zones. Validates that firewall rules, network policies, and access controls prevent unauthorized cross-boundary access in practice, not just in configuration.

Setup

To run internal network pentesting:
  1. Configure Neo’s network access to reach your internal environment. This may involve VPN configuration, agent deployment on an internal host, or VPC peering depending on your network architecture. Contact our team for guidance on the best approach for your setup.
  2. Define the starting position and scope in Settings → Environments — which network segment, host, or role Neo should start from, and which systems are in scope for testing.
  3. Provide internal credentials via Settings → Environment Variables to simulate specific compromise scenarios (developer credentials, service account tokens, standard employee access).
  4. Start a new conversation describing the scenario you want to test, or set up a scheduled assessment for recurring internal testing.