
Network & Infrastructure Security

Network Penetration Testing.
Simulate attackers. Eliminate vulnerabilities.

Active Directory. Lateral Movement. Privilege Escalation. Firewall Bypass. We test your network infrastructure from inside and outside - before attackers do.

OSCP-certified · ISO 27001 · Pentest Box · 100% in-house testers

Organizations that trust AWARE7 to protect their network infrastructure

Pentests completed: 500+
Years of experience: 8+
Critical findings per test: avg. 8
In-house testers: 100%

Two Perspectives

External or internal network pentest?

Both tests simulate different attacker perspectives and deliver complementary findings. For a complete picture we recommend combining both.

External Pentest

Attacker from the internet

Simulates an attacker with no prior access to your infrastructure. The starting point is the public internet - exactly like a real attack.

  • Exposed services: web servers, mail servers, FTP, RDP, SSH
  • VPN gateways for known CVEs and misconfigurations
  • DNS configuration: zone transfers, subdomain enumeration, DNSSEC
  • Firewall rules and port filtering for bypass opportunities
  • Mail security: SPF, DKIM, DMARC, open relay, SMTP enumeration
  • Port scanning, service enumeration and vulnerability assessment
Duration: 5-10 business days · from EUR 6,000

Internal Pentest

Insider or compromised endpoint

Simulates an attacker with internal network access - whether a malicious insider, a device compromised via phishing, or an attacker after initial breach.

  • Active Directory: full analysis of all attack paths
  • Network segmentation: VLAN hopping, broadcast attacks
  • Lateral movement: pivoting through the network after initial access
  • Privilege escalation: local and domain-wide elevation of privilege
  • NTLM relay, Kerberoasting, Pass-the-Hash, DCSync
  • Executable remotely via AWARE7 Pentest Box - no travel required
Duration: 8-15 business days · from EUR 8,000

Our recommendation: Combine both tests for a complete picture. External perimeter and internal network are two sides of the same attack surface - viewed separately, blind spots emerge.

Active Directory Pentest

Active Directory: The Keys to the Kingdom

In 9 out of 10 internal pentests, the path to full domain compromise runs through Active Directory misconfigurations. We systematically check all known attack paths - from Kerberoasting to DCSync.

Kerberoasting

Service accounts with SPNs allow Kerberos tickets to be requested without admin rights. Weak passwords can be cracked offline - often within seconds.

AS-REP Roasting

Accounts without Kerberos pre-authentication yield AS-REP hashes without valid credentials. Hashcat and John the Ripper crack weak passwords offline.

Pass-the-Hash / Ticket

Stolen NTLM hashes or Kerberos tickets enable lateral movement without a plaintext password. Impacket and Mimikatz are the standard tools.

NTLM Relay

LLMNR/NBT-NS poisoning with Responder captures authentication attempts. Ntlmrelayx forwards them onward - often directly to the domain controller.

DCSync

With sufficient replication rights, all password hashes in the domain can be extracted - without local access to the domain controller.

Golden / Silver Ticket

With the KRBTGT hash, arbitrary Kerberos tickets can be forged (Golden Ticket) - unlimited, persistent domain access without knowing any password.

GPO & ACL Abuse

Misconfigured Group Policy Objects and ACL entries allow privilege escalation. BloodHound automatically visualizes all attack paths.

ADCS - Certificate Services

Active Directory Certificate Services (ESC1-ESC8): misconfigured certificate templates allow privilege escalation and persistent domain access.

BloodHound-powered attack path analysis

We use BloodHound to collect all AD objects, permissions and delegations and visualize them in a directed graph. This reveals attack paths that remain hidden in manual analysis - including chained privilege escalation across multiple hops.
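As an added, defender-side example (not AWARE7's code): a read-only PowerShell audit that lists the accounts exposed to the first two attack paths above, Kerberoasting and AS-REP roasting, together with the attributes that decide how cheap they are to crack offline. It assumes the RSAT ActiveDirectory module and a plain domain user; the password-age threshold is an assumed parameter of this script.

```powershell
# Added example, not AWARE7's code: read-only audit for Kerberoastable and
# AS-REP-roastable accounts. Assumes the RSAT ActiveDirectory module and a plain
# domain user (the attributes read here are readable by any authenticated user).
Import-Module ActiveDirectory

function Get-RoastableAccounts {
    # Assumption of this script: service passwords older than this are reported as stale.
    param([int]$MaxPasswordAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    # Kerberoasting candidates: enabled users carrying an SPN. Any authenticated user can
    # request a service ticket for them, so password strength and cipher are the only defence.
    Get-ADUser -Filter "ServicePrincipalName -like '*' -and Enabled -eq 'True'" `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            # Bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256. Unset (0) means the KDC default,
            # which on domains without the 2022 hardening is RC4, the cheapest hash to crack.
            $enc = [int]$_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Account       = $_.SamAccountName
                Weakness      = 'Kerberoastable (SPN set)'
                Privileged    = ($_.AdminCount -eq 1)
                PasswordStale = ($_.PasswordLastSet -lt $cutoff)  # a never-set date counts as stale
                RC4Allowed    = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
                SPN           = ($_.ServicePrincipalName -join '; ')
            }
        }

    # AS-REP roasting candidates: pre-authentication disabled, so the KDC hands out
    # password-derived material to anyone who merely knows the account name.
    Get-ADUser -Filter "DoesNotRequirePreAuth -eq 'True' -and Enabled -eq 'True'" `
        -Properties PasswordLastSet, AdminCount |
        ForEach-Object {
            [pscustomobject]@{
                Account       = $_.SamAccountName
                Weakness      = 'AS-REP roastable (pre-auth disabled)'
                Privileged    = ($_.AdminCount -eq 1)
                PasswordStale = ($_.PasswordLastSet -lt $cutoff)
                RC4Allowed    = $true
                SPN           = ''
            }
        }
}

# Privileged and stale accounts first. Remediation: gMSA or long random passwords and
# AES-only encryption (msDS-SupportedEncryptionTypes = 24) for SPN accounts;
# Set-ADAccountControl -DoesNotRequirePreAuth $false for the second group.
Get-RoastableAccounts | Sort-Object Privileged, PasswordStale -Descending | Format-Table -AutoSize
```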

Request AD assessment

Scope

Full attack surface coverage

From the external perimeter to the domain controller - we cover all attack vectors in your network infrastructure.

Network Protocols & Services

SMBv1/v2, RPC, LDAP, Kerberos, NTP, SNMP, IPMI/BMC. Legacy protocols, default credentials and insecure service configurations are identified and verified.

Network Segmentation

VLAN hopping, 802.1Q double tagging, ARP spoofing, DHCP starvation and spoofing, misconfigured trunking ports. We verify whether segments are actually isolated.

Wireless / Wi-Fi

WPA2/WPA3 weaknesses, rogue access points, evil-twin attacks, guest network isolation, client isolation, RADIUS configuration and captive portal bypasses.

VPN & Firewall

VPN gateways (IPSec, SSL/TLS, WireGuard) for known CVEs, weak cipher suites and misconfigurations. Firewall rules for excessive permissions and bypass opportunities.

IDS/IPS Evasion

Testing whether attacks are detected by deployed intrusion detection and prevention systems. Fragmentation, obfuscation and low-and-slow techniques against signature-based systems.

Lateral Movement

Simulation of network spread after initial access: pivoting through compromised systems, command-and-control paths, persistence mechanisms and data exfiltration scenarios.

AWARE7 Pentest Box

Internal pentest - without travel.

The AWARE7 Pentest Box eliminates the need for on-site visits: the hardware device is connected to your network once. Our OSCP-certified experts then conduct the full internal penetration test entirely remotely - at the same quality level as an on-site engagement.

  • Device connected to your network once - by post or a brief on-site visit
  • Encrypted mobile back-channel: no VPN, no firewall changes required on your side
  • After completion: return the device - no permanent remote access remains

No travel costs

No day rate for travel and accommodation - typical saving of EUR 500-1,500

Highly secure

End-to-end encryption, no permanent access, hardware-secured mobile channel

Same quality

Identical depth as an on-site engagement - the same experts, the same tools

Typical Findings

What we regularly find

Real finding types from our network pentests - anonymized, but representative of what we encounter in practice.

Critical · CVSS 9.8 · Active Directory

Domain Admin via Kerberoasting

Weak passwords on service accounts enable offline brute-force of stolen Kerberos tickets. Full Active Directory compromise demonstrated in under 4 hours - starting from a standard domain user account.

Tags: Kerberoasting · Service Account · Privilege Escalation

High · CVSS 8.8 · Network

NTLM Relay to Domain Controller

LLMNR/NBT-NS poisoning with Responder captures authentication attempts. Ntlmrelayx relays the captured authentication directly to the domain controller - result: domain admin access without knowing a single password.

Tags: NTLM Relay · LLMNR Poisoning · Domain Controller

High · CVSS 7.5 · Segmentation

Missing Segmentation Enables Lateral Movement

Unrestricted access from the development network to production and from the guest network to internal server segments. A compromised developer machine grants full access to production infrastructure.

Tags: Lateral Movement · VLAN · Firewall Rules

Medium · CVSS 5.3 · Protocol

Legacy SMBv1 Active Without Signing

SMBv1 enabled and SMB message signing not required on multiple servers. SMBv1 is the prerequisite for EternalBlue exploits (MS17-010); missing signing is what makes NTLM relay attacks possible. The protocol has been considered insecure since 2017 and should be disabled.

Tags: SMBv1 · EternalBlue · MS17-010
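An added example, not part of AWARE7's finding text: a PowerShell check for the two settings behind this finding on a single Windows server, with an optional remediation step. It assumes Windows Server 2016 or later with the SmbShare module, an elevated session, and that SMB1Protocol is exposed as a DISM optional feature; the -Remediate switch belongs to this script, not to Windows.

```powershell
# Added example, not AWARE7's code: check the two settings behind this finding on one
# Windows server and optionally correct them. Assumes Windows Server 2016+ (SmbShare module,
# SMB1Protocol exposed as a DISM optional feature) and an elevated session.
function Test-SmbHardening {
    [CmdletBinding()]
    param([switch]$Remediate)   # switch of this script, not a Windows parameter

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    $smb1   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    function New-Check($Setting, $Actual, $Expected) {
        [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Expected = $Expected
                           Compliant = ($Actual -eq $Expected) }
    }
    # SMBv1 is what MS17-010 needs; signing not being *required* is what NTLM relay needs,
    # on any SMB version, so both the server and the client side are checked.
    $checks = @(
        New-Check 'SMBv1 enabled on server'   $server.EnableSMB1Protocol        $false
        New-Check 'SMBv1 feature installed'   ($smb1.State -eq 'Enabled')       $false
        New-Check 'Server requires signing'   $server.RequireSecuritySignature  $true
        New-Check 'Client requires signing'   $client.RequireSecuritySignature  $true
    )

    if ($Remediate -and ($checks | Where-Object { -not $_.Compliant })) {
        # Inventory SMBv1-only clients (old appliances, printers) before this: they lose access.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        if ($smb1 -and $smb1.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
    return $checks
}

Test-SmbHardening | Format-Table -AutoSize   # add -Remediate to enforce the expected values
```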

Pricing

Transparent fixed prices

No hourly rate risk. No surprise costs. Binding fixed-price quote within 24 business hours.

External Pentest

from 6,000 EUR

5-10 business days

  • Perimeter analysis (all public IPs)
  • VPN / Firewall / DNS / Mail
  • CVSS report + management summary
  • Free retest included
Request quote

Internal Pentest

from 8,000 EUR

8-15 business days

  • Active Directory analysis
  • Lateral movement / privilege escalation
  • Pentest Box optional (no extra charge)
  • Free retest included
Request quote
Recommended

Combined - internal & external

from 12,000 EUR

12-20 business days

  • External + internal pentest
  • Full AD assessment
  • Consolidated report + roadmap
  • NIS-2 / ISO 27001 compliance evidence
Request combined package

Custom

On request

Scope as needed

  • Large or complex network
  • Multi-site / group structures
  • Red team / adversary simulation
  • Free initial consultation
Schedule consultation

Security Retainer - plan ahead, not react

Quarterly or semi-annual network pentests at reduced rates, a fixed slot in the project schedule, and a familiar team. Ideal for NIS-2-affected organizations and critical infrastructure operators.

Enquire about retainer

Compliance

Meet regulatory requirements

Network penetration tests are explicitly required or recognized as an accepted verification measure in several regulatory frameworks.

NIS-2 Directive

Article 21 of the NIS-2 Directive requires essential and important entities to implement technical security measures, including vulnerability testing and penetration testing as recognized risk-management practices.

ISO 27001:2022

Control A.8.8 (Vulnerability Management) requires the active identification and treatment of technical vulnerabilities. Network pentests are the recognized means of demonstrating compliance.

TISAX

The ENX/VDA standard for the automotive industry (TISAX assessment level 2+) requires regular security reviews of IT infrastructure as a supplier requirement.

DORA

The EU Digital Operational Resilience Act (DORA, Articles 26-27) mandates threat-led penetration testing (TLPT) for financial entities. Our network pentests provide the technical foundation and documented evidence.

Why AWARE7 for your network pentest

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees - tailored to mid-sized companies, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and BMBF. Our studies analyze millions of websites and tens of thousands of phishing e-mails - published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are permanently employed with full social insurance and bound by uniform legal obligations. VS-NfD-compliant on request.

Fixed price within 24h - predictable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly rate risk, no additional claims, no surprises. A well-rehearsed team and standardized processes give you a clear schedule with a defined start and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the initial consultation to the retest. You book appointments directly with your contact - no ticket systems, no call center, no handover between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-sized companies with 50-2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who need to make a convincing case internally - and need a report written in board-level language for it, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor on the core team of the internationally recognized OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken (Management of Cyber Risks)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for company management (German edition).

How we start

Three steps to your network pentest

From first contact to a running pentest typically takes 5-10 business days.

01

Initial consultation

A free 30-minute call with one of our security experts. We clarify scope, objectives and open questions - no commitment, no sales pressure.

02

Fixed-price quote

Within 24 business hours you receive a binding fixed-price quote with a clearly defined scope, timeline and deliverables. No hourly rate, no hidden costs.

03

Pentest starts

After contract signing we coordinate all details with your IT team. Kick-off meeting, Rules of Engagement, emergency contacts - then the pentest begins at the agreed date.

FAQ

Frequently asked questions about network pentests

Everything you need to know before your initial consultation.

An external network pentest simulates an attacker from the internet with no prior access. It covers publicly reachable services, VPN gateways, mail servers, DNS configuration and firewall rules. An internal pentest simulates a compromised employee or insider who already has access to the internal network. The focus is on Active Directory, network segmentation, lateral movement and privilege escalation. Our recommendation: combine both tests, as most real-world attacks traverse both phases.

A focused external network pentest typically takes 5-10 business days. An internal pentest with Active Directory analysis requires 8-15 business days depending on complexity. The combined package (external + internal + AD) is designed for 12-20 business days. In the free initial consultation we clarify the exact scope, and you receive a binding fixed-price quote within 24 business hours.

The AWARE7 Pentest Box is a physical hardware device that we send you by post or briefly connect on-site. The device connects exclusively via an encrypted mobile back-channel to our security team - without VPN access, without firewall changes, and without leaving any permanent remote access on your side. Our OSCP-certified experts then carry out the full internal penetration test entirely remotely. The result is qualitatively equivalent to an on-site engagement - without travel and accommodation costs.

An Active Directory assessment systematically examines all known AD attack paths: Kerberoasting (offline cracking of weak service account passwords), AS-REP Roasting (accounts without Kerberos pre-auth), Pass-the-Hash and Pass-the-Ticket (lateral movement with stolen credentials), DCSync (extraction of all password hashes), BloodHound analysis of all delegation paths, GPO misconfigurations, and attacks on Certificate Services (ADCS, ESC1-ESC8). The goal is to uncover every possible path to Domain Admin compromise.

We rely on a combined toolkit: Nmap and Masscan for port scanning and service enumeration, Metasploit Framework for exploitation, BloodHound and SharpHound for Active Directory analysis, Impacket for NTLM relay and Kerberos attacks, Responder for LLMNR/NBT-NS poisoning, CrackMapExec for lateral movement, and Burp Suite for services with web interfaces. What matters most, however, is the manual judgment of our experts - tools provide data, humans find attack paths.

No. We work exclusively according to recognized standards (PTES, OSSTMM) and agree on all tests in writing upfront. We only conduct destructive tests such as denial-of-service in isolated test environments. Before testing in production environments we recommend current backups - this is stipulated contractually. All testers are ISO 27001 Lead Auditors and operate within contractually fixed Rules of Engagement.

Preparation is minimal: you designate a technical contact person who can be reached in an emergency. For internal tests we ask for a network connection and a standard domain user account (no admin). For external tests a written test authorization is sufficient. We handle the rest: scope definition, Rules of Engagement, and coordination with your IT team. Typical lead time from contract signing: 5-10 business days.

Our network pentest report contains: a management summary (2-3 pages) for executive and supervisory audiences with risk assessment and investment recommendations; a complete finding list with CVSS scores (v3.1), technical details, screenshots, reproducible proof-of-concepts, and concrete remediation guidance; an attack path documentation showing how individual findings can be chained into a full compromise; and a prioritized remediation roadmap. On request you receive an anonymized sample report in advance.

At minimum annually; for critical infrastructure or after major network changes, more frequently. After mergers, acquisitions or major IT projects we recommend a timely pentest of the new environment. NIS-2-affected organizations and critical infrastructure operators should test at least semi-annually. Many of our clients use our retainer model: planned, regular tests at reduced rates with a fixed slot in the project schedule.

Yes - for all three. The NIS-2 Directive requires essential and important entities to implement technical security measures; penetration testing is explicitly recognized as a risk-management measure under Article 21. ISO 27001:2022 Control A.8.8 requires active management of technical vulnerabilities. For critical infrastructure sectors, regular network pentests are expected as part of cybersecurity obligations under sector-specific regulations. Our reports are designed as compliance evidence for auditors and certification bodies.

Fixed-price quote in 24 hours

Tell us briefly about your infrastructure - we'll prepare a binding quote for your network penetration test. No hourly rate, no hidden costs.

Free · 30 minutes · No obligation

Certifications & Standards

OSCP Offensive Security
ISO 27001 Lead Auditor
PTES Pentest Standard
OSSTMM Open Source Security
Pentest Box Remote Solution
T.I.S.P. Certified Training Provider