TL;DR: Most enterprises have invested heavily in perimeter defenses — firewalls, WAFs, EDR, external vulnerability scanning. But the dominant real-world attack pattern is phishing to endpoint compromise, followed by extended lateral movement inside the network. Assumed breach testing skips the front door entirely and answers the more important question: once an attacker is inside with a standard domain user account, how long before they own your crown jewels?
The Perimeter Obsession Problem
Enterprise security budgets tend to concentrate on the perimeter. External vulnerability management programs, WAF deployments, firewall rule reviews, DDoS protection — these controls are visible, measurable, and easy to justify. When a CISO presents to the board, firewall logs and external scan clean bills of health are tangible evidence of security investment.
The problem is that perimeter defense does not reflect how the majority of significant breaches actually unfold. The dominant attack pattern in enterprise breaches over the past decade has been consistent: phishing email leads to endpoint compromise, which provides a low-privilege foothold inside the network, which then serves as a launching point for lateral movement and privilege escalation over days or weeks until the attacker reaches their objective — ransomware deployment, data exfiltration, or persistent espionage access.
An external penetration test validates whether your perimeter would stop a breach. An assumed breach test asks a far more consequential question: if the perimeter fails — which the statistics suggest it eventually will — what happens next?
What Assumed Breach Testing Actually Means
In an assumed breach engagement, the security team and the client agree on a starting position that represents a realistic post-initial-access scenario. Typically this is one of:
- Low-privilege domain user credentials — an account with the same access as a standard employee, simulating a phished credential or a compromised endpoint belonging to a non-administrative user
- VPN or network access without credentials — simulating a compromised remote access solution or physical network access, where the tester must first enumerate the environment before exploiting it
- Endpoint foothold — access to a domain-joined workstation as a standard user, allowing realistic enumeration of the local system and network environment
From that starting position, the assessment focuses on three primary questions: What can be reached from this position? What can be escalated to? And how much of that escalation path would be detected by existing monitoring?
In the majority of assumed breach assessments, testers reach Domain Admin within 4–8 hours of starting from a standard domain user account. The typical path involves one or two steps: a Kerberoastable service account with a weak password, an ACL misconfiguration granting write access to a privileged group, or an unpatched internal system that the perimeter scanner never reaches.
What Gets Tested in an Assumed Breach Assessment
Lateral Movement Paths
From a domain user foothold, testers enumerate the network to identify reachable hosts, open services, and potential pivot points. Flat internal networks — where any domain-joined workstation can reach any server on any port — are extremely common and dramatically accelerate attacker movement. Network segmentation that limits workstation-to-server and server-to-server traffic is one of the highest-impact controls an enterprise can implement to slow lateral movement.
Active Directory Privilege Escalation
Active Directory misconfigurations are consistently the highest-severity findings in internal assessments. Common paths include Kerberoasting (requesting service tickets for crackable service account passwords), AS-REP roasting (accounts with pre-authentication disabled), ACL abuse (misconfigured permissions on AD objects that allow privilege escalation), unconstrained delegation, and ADCS (Active Directory Certificate Services) template misconfigurations. BloodHound analysis of the AD graph frequently reveals privilege escalation paths that were never intentionally created and have existed for years.
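To make concrete how an escalation path that "was never intentionally created" falls out of individually harmless rights, here is an added example (not the page's or Lorikeet Security's code, and not BloodHound's) that runs a breadth-first search over a small relationship graph. Every account, group, host and edge in it is constructed; the relation names (MemberOf, GenericWrite, WriteDacl, AdminTo) are the kinds of rights an assessor reviews, and the target set is an assumption.

```python
"""Enumerate privilege-escalation paths through a constructed Active Directory
relationship graph. Added example; the edge list is constructed and does not
describe any real domain."""
from collections import deque

# Constructed edges: (source, relation, target). The relation names mirror
# the kinds of rights an assessor reviews: group membership, ACL rights on an
# object (GenericWrite, WriteDacl) and local admin rights on a host.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericWrite", "svc-backup"),    # ACL right over a user object
    ("svc-backup", "MemberOf", "Server Operators"),
    ("Server Operators", "AdminTo", "DC01"),
    ("bob", "MemberOf", "Finance"),
    ("Finance", "WriteDacl", "IT-Admins"),         # ACL right over a group object
    ("IT-Admins", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Finance"),
    ("dave", "MemberOf", "Sales"),                 # reaches nothing privileged
]

# The "crown jewel" nodes a path is measured against (assumed for the example).
TARGETS = {"Domain Admins", "DC01"}


def build_graph(edges):
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def find_path(graph, start, targets):
    """Breadth-first search for the shortest chain of relations from start to
    any node in targets. Returns a list of (node, relation, next_node) hops,
    or None when no path exists."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node in targets:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def escalation_report(edges, targets=TARGETS):
    """Map every principal that can reach a target to its shortest path."""
    graph = build_graph(edges)
    nodes = {e[0] for e in edges} | {e[2] for e in edges}
    report = {}
    for node in sorted(nodes - set(targets)):
        path = find_path(graph, node, targets)
        if path:
            report[node] = path
    return report


def format_path(path):
    """Render hops as 'a --Rel--> b --Rel--> c' for a report."""
    return path[0][0] + "".join(f" --{rel}--> {dst}" for _, rel, dst in path)


def choke_points(report):
    """Count how many paths each edge appears on: the edges with the highest
    counts are the ones whose removal cuts the most paths at once."""
    counts = {}
    for path in report.values():
        for hop in path:
            counts[hop] = counts.get(hop, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    rep = escalation_report(EDGES)
    for principal, path in rep.items():
        print(f"{principal}: {format_path(path)}")
    print("most shared edges:", choke_points(rep)[:3])
```

In this constructed graph a helpdesk user reaches a domain controller in four hops and a finance user reaches Domain Admins in three, yet no single edge looks alarming on its own. The `choke_points` output is the remediation view: fixing the one or two edges that the most paths share (here the WriteDacl right on the admin group and the AdminTo right on the DC) removes several findings at once, which is how assessment results are usually prioritized.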
Access to Crown Jewels
The assessment defines the "crown jewels" in scope based on the client's environment — typically: domain controller access, production database servers, backup infrastructure, secrets management systems, and executive workstations. Testers document exactly how far they can reach from the starting position and what data or systems would be accessible to a real attacker.
Detection and Response Capability
A critical component of assumed breach testing is evaluating whether the security team's monitoring would detect the activity. Testers check whether tooling like Mimikatz, BloodHound, or common C2 frameworks trigger alerts, and whether lateral movement between hosts generates SIEM detections. This evaluation is often the most eye-opening part of the assessment for security teams who have invested in SIEM and EDR tooling but have not validated its efficacy against real attack techniques.
Comparing Assessment Types
| Assessment Type | Starting Position | Duration | Primary Focus | Best For |
|---|---|---|---|---|
| External Pentest | No access — internet only | 1–2 weeks | Perimeter exposure, internet-facing vulnerabilities | Validating perimeter controls; compliance requirements |
| Assumed Breach | Low-privilege domain user or VPN access | 1–2 weeks | Lateral movement, AD escalation, crown jewel access, detection efficacy | Understanding post-compromise risk; annual internal assessment |
| Full Red Team | No access — full kill chain from recon to objective | 4–12 weeks | End-to-end attack simulation including initial access, persistence, detection evasion | Mature security programs testing people, process, and technology holistically |
The Most Common Findings
Across assumed breach assessments, Lorikeet Security consistently identifies a predictable set of high-severity findings. These are not exotic vulnerabilities — they are configuration debt and architectural decisions that accumulate over years of network growth:
- Flat internal network architecture — workstations can reach servers on all ports; no lateral movement barriers between business units
- Kerberoastable service accounts — service accounts with SPNs and weak passwords, crackable offline in minutes with commodity hardware
- ACL misconfigurations in Active Directory — permissions on user objects, groups, or OUs that allow standard users to add themselves to privileged groups or reset admin passwords
- Over-privileged service accounts with Domain Admin — application service accounts granted Domain Admin because it was "easiest at deployment time"
- Unpatched internal systems — legacy servers running services never exposed externally and therefore excluded from the external scan program, but reachable from any internal workstation
- Absent internal detection coverage — no SIEM detections for Mimikatz, no alerts for Kerberos TGS request anomalies, no lateral movement baselines
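The "Kerberos TGS request anomalies" item above, and the Kerberoasting path named under Active Directory Privilege Escalation, can both be covered by two plain rules over Windows Security event 4769. What follows is an added example, not the page's or any vendor's detection content: the events are constructed, the field names are simplified from the 4769 schema (TargetUserName, ServiceName, TicketEncryptionType), and the threshold and window are assumptions to tune per environment. Encryption type 0x17 is RC4-HMAC and 0x12 is AES256, which is why RC4 service tickets in an AES domain stand out.

```python
"""Flag Kerberoasting-style TGS request anomalies in constructed Windows
Security event 4769 records. Added example; no real log data is used."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769-style records: requesting user, requested service, ticket
# encryption type. 0x17 = RC4-HMAC (the type roasting tools usually ask for,
# because RC4 tickets crack far faster offline); 0x12 = AES256.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "alice", "service": "MSSQLSvc/db01", "etype": "0x12"},
    {"time": "2024-05-01T09:00:02", "user": "alice", "service": "HTTP/intranet", "etype": "0x12"},
    {"time": "2024-05-01T09:14:10", "user": "bob", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"time": "2024-05-01T09:14:11", "user": "bob", "service": "HTTP/intranet", "etype": "0x17"},
    {"time": "2024-05-01T09:14:11", "user": "bob", "service": "CIFS/fs01", "etype": "0x17"},
    {"time": "2024-05-01T09:14:12", "user": "bob", "service": "svc-backup", "etype": "0x17"},
    {"time": "2024-05-01T09:14:13", "user": "bob", "service": "svc-report", "etype": "0x17"},
    {"time": "2024-05-01T09:20:00", "user": "bob", "service": "WS0042$", "etype": "0x12"},
    {"time": "2024-05-01T10:05:00", "user": "carol", "service": "krbtgt", "etype": "0x12"},
    {"time": "2024-05-01T10:05:30", "user": "carol", "service": "CIFS/fs01", "etype": "0x17"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def is_roastable_target(service):
    """Machine accounts (trailing $) and the KDC's own krbtgt principal are not
    what Kerberoasting goes after; drop them to cut noise from both rules."""
    name = service.split("/")[0]
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_requests(events):
    """Rule 1: an RC4 (0x17) service ticket for a non-machine account is worth
    a look on its own in a domain where AES is the norm."""
    return [(e["user"], e["service"]) for e in events
            if e["etype"] == "0x17" and is_roastable_target(e["service"])]


def burst_requesters(events, threshold=4, window=timedelta(minutes=5)):
    """Rule 2: one account requesting tickets for many distinct services in a
    short window. Returns {user: peak distinct services seen in any window}.
    The threshold and window are assumed values; baseline them per environment."""
    per_user = defaultdict(list)
    for e in events:
        if is_roastable_target(e["service"]):
            per_user[e["user"]].append((parse(e["time"]), e["service"]))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        peak = 0
        for i, (t0, _) in enumerate(reqs):
            # Distinct services requested in [t0, t0 + window]
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def alerts(events):
    """Combine both rules into one line per (user, rule) for a SIEM feed."""
    out = []
    for user, peak in burst_requesters(events).items():
        out.append(f"{user}: {peak} distinct service tickets within 5 minutes")
    rc4_by_user = defaultdict(set)
    for user, svc in rc4_service_requests(events):
        rc4_by_user[user].add(svc)
    for user, svcs in sorted(rc4_by_user.items()):
        out.append(f"{user}: RC4 ticket(s) for {', '.join(sorted(svcs))}")
    return out


if __name__ == "__main__":
    for line in alerts(EVENTS):
        print(line)
```

On the constructed data the burst rule fires only for bob, whose five distinct service tickets arrive within seconds, while alice's two normal AES requests stay quiet; the RC4 rule fires for bob and for carol's single RC4 ticket, which is the lower-confidence signal and is better treated as an enrichment than a page-out alert. The matching hardening for the finding it detects is to give service accounts long random passwords (or convert them to group managed service accounts) and set them to AES-only, so that a ticket obtained this way is not crackable in the first place.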
If you want to understand your organization's actual exposure from the most realistic threat model available, our internal penetration testing engagements are structured specifically around the assumed breach methodology. We also offer attack surface management to continuously monitor the external exposure that feeds the initial access phase.
Making the Business Case
For security leaders building the case for an assumed breach assessment, the ROI argument is straightforward: the cost of finding a Domain Admin escalation path in a controlled assessment is a fraction of the cost of discovering it through a ransomware incident. The average enterprise ransomware recovery — including downtime, forensics, remediation, and reputational impact — costs millions. An assumed breach assessment typically costs five figures.
Beyond cost, the assessment provides actionable, prioritized findings: specific accounts to fix, specific ACL misconfigurations to correct, specific detection logic to implement. Unlike theoretical risk models, assumed breach findings are demonstrated — the tester either reached Domain Admin or they didn't, and the evidence is in the report.
Find Out What an Attacker Could Do Inside Your Network
Lorikeet Security's internal penetration testing and assumed breach assessments give you a clear, evidence-based picture of your lateral movement risk, Active Directory exposure, and detection capability — before an attacker finds it first.