Simplifying your IT-security journey.

Infrastructure penetration tests

Infrastructure penetration tests examine your network and system landscape for real attack vectors — from publicly accessible services to internal network segments and identity services. This allows you to identify how attackers could actually penetrate your infrastructure and move laterally.

Modern IT infrastructures are heterogeneous: on-prem, data centers, hybrid cloud setups, VPNs, Active Directory/domain environments, container and Kubernetes platforms, and numerous network and security devices. Each component can become an entry point.

In contrast to pure vulnerability scans, infrastructure penetration tests simulate realistic attacks and demonstrate in practice which paths an attacker would use. Our goal is not maximum exploitation, but the reliable identification and verification of vulnerabilities, as well as the elimination of false positives. The result: a manageable, prioritized action plan for administrators and those responsible.

Our Services

Offer

We offer modular infrastructure penetration tests tailored to your environment, including:

  • External (Internet-Facing) Testing: Examination of publicly accessible services (web servers, mail, VPN gateways, APIs) for vulnerabilities and misconfigurations.
  • Internal Testing: Examination of internal network segments, servers, workstations, WLAN, printers, IoT/OT components, and lateral movement options.
  • Identity & Directory Testing: Active Directory/LDAP/SSO security, password and authorization concepts, Kerberos/NTLM analyses.
  • Perimeter & Network Devices: Analysis of firewalls, load balancers, VPN configurations, IDS/IPS bypass scenarios.
  • Wireless & Remote Access: Tests of WLAN security concepts, captive portals, RDP/SSH exposures.
  • Cloud/Hybrid Checks: Examination of cloud network configurations, security groups, IAM policies (if agreed).
  • Credentials-based & Post-Exploit Analyses: (if commissioned) Use of authorized test accesses, privilege escalation, and lateral movement simulations.
  • Brute-Force & Password Hash Analysis: Targeted brute-force of login services and optional password cracking (GPU cluster) to validate the threat.
  • Tabular Findings & Machine Processing: In addition to the classic finding documentation, we provide machine-readable tables/CSV with findings per server for automated further processing.
  • Retest & Verification: Examination of the corrections after the elimination of critical findings.

Approach

Transparency and methodology guarantee reproducible, reliable results:

  1. Kick-off & Scoping: Define scope (external/internal, with/without credentials), time window, approved IP ranges, communication channels, and emergency contacts.
  2. Recon & Information Gathering: Scans, service fingerprinting, DNS/Whois analyses, identification of open services and patch levels.
  3. Vulnerability Research & Validation: Research of known vulnerabilities, configuration checks and manual validation to eliminate false positives.
  4. Attack Simulation & Post-Exploit: Targeted exploitation (within the permitted scope), privilege escalation, lateral movement scenarios and impact analysis.
  5. Special Procedures: Brute-force tests of login services and optional hash cracking in a controlled environment to assess real risks.
  6. Reporting: Technical report with reproducible PoC, executive summary, prioritized measures and CSV/table export for automated processes.
  7. Remediation Support & Retest: Assistance with fixing and verification of resolved findings.

Checkpoints

During the test, we check, among other things:

  • Hardening and patch status of publicly accessible services (web, mail, API).
  • Authentication & Authorization: Password policy, MFA, service accounts, permission structure.
  • Active Directory / LDAP security: Delegation, ACLs, Kerberos/NTLM vulnerabilities, LAPS.
  • Network segmentation, firewall rules, security groups and access control.
  • Misconfigurations in VPNs, proxies, load balancers and CDN setups.
  • Vulnerabilities in servers, endpoints, container runtimes and management interfaces.
  • Exposed services such as RDP/SSH/databases and “Shadow IT”.
  • WLAN security, rogue access points and remote access mechanisms.
  • Logging, monitoring and forensics maturity (detectability of attacks).
  • Backup/restore concept and permission assignment for data access.
  • Vulnerabilities in LLM and AI components.
  • Risks according to OWASP LLM Top 10 and MITRE ATLAS.
  • Security of application and cloud environments.
  • Securing APIs, data flows, and integrations.
  • Lifecycle and architecture analysis (design, deployment, operation).
  • Effectiveness of existing protection and governance measures.

Your Benefit

With a professional infrastructure penetration test, you gain a realistic picture of the attack paths and receive prioritized, actionable recommendations for the sustainable hardening of your infrastructure.

Our tests not only deliver technical findings, but also instructions for administrators and a summarized risk assessment for management and those responsible. The reports are cleared of false positives and additionally prepared in a machine-readable format — ideal for integration into ticket systems or GRC pipelines. Through our certified testers, standardized methodology (PTES, BSI) and optional retests, you can achieve a demonstrable improvement in your security posture.

  • Tests by certified experts (e.g. OSCP) according to PTES/BSI concept
  • Realistic simulations of external and internal attackers
  • Targeted validation instead of mere scan results (false positive elimination)
  • Optional password cracking analyses in the GPU cluster for risk assessment
  • Machine-processable findings (CSV/tables) for automation of post-processing
  • Prioritized measures with business impact assessment
  • Retest service for verifying fixes
  • Support for compliance and audit requirements

Björn Kirschner

Take the first step and get in touch.

mgm DeepDive

Kickoff checklist

To ensure a smooth and legally compliant start to the test, please use the following checklist as a basis for the kickoff:

  • Contact persons
    • Project manager (name, role, email, phone)
    • Technical contact / administrator (name, email, phone)
    • Emergency contact (available 24/7 in case of possible side effects)
  • Scope & approvals
    • Target systems / IP ranges (exact) and domains
    • Scope (external, internal, cloud, WLAN, OT)
    • Approval letter/POC for execution (legal clearance)
  • Test parameters
    • Permitted test types (e.g., brute-force, hash cracking, exploitation level)
    • Time window for intrusive tests (e.g., maintenance window)
    • Blackout IPs/services that must not be tested
  • Access data (if credentials-based)
    • Test users / accounts (user, password, roles)
    • Information on privileged accounts (only if explicitly permitted)
    • Information on MFA/SSO, test MFA tokens or exception rules
  • Network information & architecture
    • Network diagram (ideal: current topology)
    • Information on VPNs, firewalls, load balancers, proxy chains
    • Location details of critical servers (on-prem / cloud / third-party)
  • Logging & monitoring
    • Contact person for SIEM/logging
    • Notes on any expected alarms and whitelisting (e.g. IPs of testers)
  • Data protection & compliance
    • Dealing with data found (e.g. accounts, passwords, personal data)
    • Agreed retention periods for test artifacts and reports
  • Reporting format & export requirements
    • Desired format of the results report (PDF, DOCX, Excel)
    • Need for machine-readable exports (CSV/JSON) for ticketing/GRC
  • Miscellaneous
    • Approved tools/methods (if required by the client)
    • Agreed SLA times for report delivery and retest turnaround