Internal Audit · AD · KERBEROS · SOC

From the eyes of an attacker who's already inside

We simulate an attack from an "assumed breach" position: what can an attacker do once they're past the perimeter? Active Directory, Kerberoasting, lateral movement, SOC maturity.

With a MITRE ATT&CK-style report and an optional Purple Team workshop for the SOC.

DEMO · #IA-2204
active

AD attack chain · corp.example.com

Step 1: LLMNR poisoning · 2 hashes
Step 2: Kerberoasting · 1 service
Step 3: DCSync · DA obtained
Detected by SOC: 0 / 3
Time to DA: 47 min

What we check

Active Directory, access, segmentation and SOC

Full cycle from first compromise to domain admin — every step recorded.

Active Directory

LLMNR/NBT-NS poisoning, Kerberoasting, AS-REP roasting, DCSync, misconfigured ACLs and GPOs.

Access management

Privilege escalation, password reuse, forgotten service accounts, over-privileged regular users.

Network segmentation

Checking the boundaries between VLANs, zones and segments. Access to critical systems from the user segment.

SOC maturity

Do the SOC and SIEM see you? Do alerts trigger on typical MITRE ATT&CK techniques? Time to detect and respond.

Techniques

MITRE ATT&CK: from initial access to exfiltration

Initial foothold

We simulate the entry point: a compromised regular user account or phishing with a device inside the network.

Discovery & recon

Hunting for critical systems, shares, service accounts, domain controllers and paths to target assets.

Lateral movement

Pass-the-Hash, Pass-the-Ticket, RDP-hopping, using compromised caches and tokens.

Persistence & exfil

Persistence in the infrastructure, hidden backdoors, simulated data exfil — all to assess real SOC readiness.

Who it's for

Internal audit is for mature teams with their own infrastructure

/ 01

Corporate IT

Active Directory, domains, network segmentation, Windows and Linux servers, RDP access, domain controllers.

/ 02

Mature SaaS

Production environments, internal services, engineer access, separate dev/stage environments.

/ 03

Fintech & finance

Regulatory requirements on internal controls, segregation of duties, privileged access audit.

/ 04

Teams with a SOC

Detection maturity check: does the SIEM see your actions, how does the SOC respond, and how fast does it escalate?

How it goes

Five steps from inquiry to report

1. Inquiry and scope

We agree on boundaries: network, domains, exclusions, test windows, escalations.

2. NDA and access

Sign the NDA, agree on a low-privilege starting account (assumed breach).

3. Active phase

Simulating an attacker inside the perimeter. Privilege escalation and lateral movement.

4. SOC coverage

We assess what the SIEM saw, how the SOC reacted, which alerts fired and how fast.

5. Report + workshop

We deliver the report with an attack timeline and hardening recommendations, and optionally a Purple Team workshop.

Inquiry

Request an internal audit

Describe your infrastructure — scale, working format, focus. We discuss details in DevBay's secure chat.

  • NDA + isolation of the test environment
  • MITRE ATT&CK-style attack simulation
  • Report with timeline and recommendations
  • Optional Purple Team workshop

What's next: after submission a dialog opens in the internal chat. We sign the NDA and agree on scope, time windows and focus there.

Ready to see what an attacker would see inside?

Describe the infrastructure: we'll align scope, sign the NDA and test how ready your perimeter is for an inside-out breach.