CERT-In Empanelled · External + Internal + AD + Wireless

Network Penetration Testing

Perimeter to crown jewels. AD attack-path mapping. Lateral movement. MITRE ATT&CK-aligned, regulator-accepted, three-layer reviewed.

6,700+ Assessments
MITRE ATT&CK Aligned
CERT-In Empanelled Since 2008

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Scope

We confirm CIDR ranges, segments in scope, test windows, and escalation contacts in Lemon.

STEP 02

Test

5–18 days of recon, perimeter testing, internal exploitation, AD attack-path mapping, and three-layer QA.

STEP 03

Deliver

Executive + technical reports with infrastructure-level fixes, MITRE ATT&CK mapping, retest, and certificate.

What Is Network Penetration Testing?

Network penetration testing is a structured assessment where certified experts simulate real attacker techniques against your network — external perimeter, internal segments, Active Directory, wireless, and remote-access — to find exploitable weaknesses before an attacker does. Required by RBI Cybersecurity Framework, SEBI CSCRF, PCI DSS v4.0 Req 11.4, and CERT-In annual audits.

Beyond vulnerability scanning

Manual exploitation, attack-path mapping, and lateral movement — what scanners can't simulate.

External Perimeter

Public-facing infra, exposed services, management interfaces, weak crypto

Internal Lateral Movement

Assumed-breach simulation, segmentation testing, crown-jewel reachability

Active Directory

Tier-0 attack paths, BloodHound-driven analysis, Kerberos abuse, AD CS

Wireless & VPN

Rogue AP, WPA2/3 enterprise, RADIUS abuse, VPN replay, captive-portal bypass

Privilege Escalation

OS-level escalation, kernel exploits, mis-configurations, vulnerable services

Segmentation Validation

IT/OT, prod/non-prod, CDE/non-CDE — does the firewall actually do what the diagram says

OT-Aware Testing

Manufacturing, utilities, transport — passive-by-default, IT/OT segmentation focus

Remote-Access & MFA

VPN concentrators, jump boxes, bastion hosts, MFA bypass, session takeover

Methodology

9 steps. Attack-path complete.

Every engagement runs through Lemon, our audit-management platform — informed by 6,700+ prior assessments and consistent across the team that delivers it.

Discovery
01

Scoping & Rules of Engagement

Confirm scope (external CIDR ranges, internal segments, OT/IT, third-party shared infrastructure), test windows, escalation contacts, and safe-words. Lemon stages all artifacts.

02

Asset Discovery & Enumeration

Passive recon, DNS / certificate-transparency mining, host enumeration, port and service identification. Output: complete attack-surface inventory cross-checked with your CMDB.

03

Service Fingerprinting & Vulnerability Mapping

Version detection on every reachable service, mapped against current CVE corpus and our 6,700+ engagement memory. Lemon flags previously-seen weakness patterns specific to your stack.

Testing
04

External Perimeter Testing

Public-facing infra: web servers, mail, VPN, remote-access, exposed APIs and management interfaces. Misconfigurations, weak crypto, default creds, exposed admin panels.

05

Internal Network & Lateral Movement

Post-foothold simulation. Internal segmentation, file-share exposure, credential reuse, Kerberos abuse, AD attack paths (BloodHound-driven), and lateral movement to crown-jewel assets.

06

Active Directory Assessment

Tier-0 attack-path mapping, privileged-access review, GPO abuse, AD CS misconfigurations, Kerberoasting, AS-REP roasting. Findings mapped to MITRE ATT&CK techniques.

07

Wireless & VPN

Where in scope: rogue-AP detection, WPA2/WPA3 enterprise weakness, RADIUS abuse, captive-portal bypass, VPN auth/replay, and split-tunnel exposure.

Delivery
08

Three-Layer QA Review

L1 network auditor → L2 senior consultant → L3 security architect. Every finding validated, every reproduction reviewed, every CVSS scored consistently.

09

Reporting & Re-test

Executive + technical reports with infrastructure-specific remediation, retest rounds, and security assessment certificate. MITRE ATT&CK mapping included.

Compliance-Ready

Audit-ready reporting for every framework

Network testing reports satisfy the technical-VAPT clauses your regulator, acquirer, or auditor will check — RBI, SEBI, CERT-In, PCI DSS Req 11.4, ISO 27001 Annex A.

CERT-In Annual Audit: Mandatory for critical infrastructure
RBI Cybersecurity Framework: Banks, NBFCs, payments
SEBI CSCRF: Stock exchanges, brokers, AMCs
PCI DSS v4.0: Requirement 11.4 — annual VAPT
ISO 27001: Annex A 8.8 + 12.6
IEC 62443: OT / industrial control systems
SOC 2: Trust service criteria — security
IRDAI Cybersecurity: Insurance sector mandate

Common engagement scopes

What clients ask us to test

Across 700+ enterprise customers, network engagements tend to fall into a handful of well-defined patterns — each sized for our 5–18 day delivery window.

BFSI external + internal: Branch network, AD, internet-facing infra
PCI DSS Req 11.4: CDE segmentation + external + internal
OT / SCADA segmentation: Manufacturing, utilities — IT / OT boundary
Active Directory tier-0: BloodHound-driven privilege-path mapping
Cloud + hybrid network: AWS/Azure VPC + on-prem perimeter
Wireless + remote-access: WPA enterprise, VPN, jump-host, MFA

Deliverables

What you get

Two reports for two audiences, MITRE ATT&CK mapping, and infrastructure-specific remediation — firewall rule examples, GPO settings, IAM policies, and segmentation diagrams.

Executive Report

Risk overview, critical findings, business impact, remediation priorities. Board-ready.

Technical Report + ATT&CK Map

POCs, screenshots, packet captures, CVSS, MITRE ATT&CK technique mapping, infra-specific fixes.

Retest & Walkthrough

Multiple retest rounds at no extra cost. Live walkthroughs with your network and security teams.

Security Certificate

Formal certificate for compliance, customer assurance, and vendor due diligence.

FAQ

Common questions

Can't find what you're looking for? Talk to our network-security lead.

What is network penetration testing?
Network penetration testing (also called network VAPT or infrastructure pen testing) is a structured assessment where certified experts simulate real attacker techniques against your network — external perimeter, internal segments, Active Directory, wireless, and remote-access — to find exploitable weaknesses before an attacker does. Goes beyond vulnerability scanning to include manual exploitation, lateral movement, and privilege escalation chains.
External vs internal testing — which do I need?
Most enterprises need both. External validates what an unauthenticated attacker on the internet can do — perimeter is the obvious target. Internal simulates assumed-breach scenarios — what happens once an attacker has phishing-grade access. Combined coverage matches the way real intrusions actually unfold and is what RBI / SEBI / CERT-In annual audits expect.
Zero-knowledge (black-box) or assumed-breach (grey-box) starting point?
Configurable per engagement. Zero-knowledge external mirrors a real adversary with no prior info. Assumed-breach grey-box gives us a low-privilege internal foothold and tests "given we got in, how far can we move" — a much more useful question for most enterprise threat models. We typically recommend a combination across an engagement.
Do you test OT, SCADA, or industrial control networks?
Yes — with controls. We have OT-aware auditors, run passive-only by default in production OT, and require explicit authorisation before any active probe. Segmentation validation between IT and OT is a core service for our manufacturing and utilities customers.
How long does a network pen test take?
External-only: typically 5–8 business days. Internal + AD: 7–12 days depending on environment size. External + internal + AD + wireless: 12–18 days. Lemon enforces daily progress tracking with a status update each working day.
Is network testing required for RBI / SEBI compliance?
Yes. The RBI Cybersecurity Framework, SEBI CSCRF, and CERT-In annual audit all explicitly require network VAPT for regulated entities. PCI DSS v4.0 Requirement 11.4 mandates internal + external network testing at least annually. Security Brigade has been CERT-In empanelled since 2008.
Will the test impact production?
No, by design. We default to non-disruptive techniques in production. Anything DoS-class, fuzzing, or actively destructive is opt-in only with explicit authorisation and out-of-band escalation paths agreed in writing during scoping. Lemon logs every probe so you have a full audit trail.
Do you provide remediation guidance?
Yes — reports include infrastructure-specific remediation (firewall rule examples, GPO settings, IAM policies, segmentation diagrams) plus an open call with your network team to walk through fixes. Retest rounds confirm closure.

Test your network the way attackers traverse it.

Whether it's a perimeter spot-check, a full external + internal + AD engagement, or an OT-aware segmentation validation — talk to our network-security lead.