Network & Infrastructure Penetration Testing

External perimeter reconnaissance, internal network exploitation, lateral movement, and segmentation validation — delivered by a CREST-certified, OSCP/OSEP principal consultant with 15 years of offensive security experience in Toronto.


What Is Network Penetration Testing?

Network penetration testing is the disciplined practice of attacking your infrastructure the way a real adversary would — before they get the chance. At Cyber Security Pentesting Inc., our network penetration testing engagements go far beyond automated scanning. We apply hands-on, manual exploitation techniques to discover attack chains that scanners routinely miss: chained misconfigurations, protocol-level weaknesses, and logic flaws that only surface under deliberate adversarial pressure.

Every engagement is principal-led by Arturs Stay, CREST-certified and holding both OSCP and OSEP credentials, with 15 years of offensive security practice across financial services, critical infrastructure, healthcare, and enterprise technology sectors in Toronto and across Canada. You receive a clear, evidence-backed report with exploitation proof and a prioritised remediation roadmap — not a scanner dump.

Credentials and coverage: CREST Certified; OSCP / OSEP; External & Internal; PTES Aligned; OSSTMM Aligned; MITRE ATT&CK; Toronto & Canada-wide.

External & Perimeter Testing

Your internet-facing attack surface is the first thing a threat actor investigates. We enumerate, probe, and exploit it with the same techniques and tooling used by organised criminal groups and nation-state operators — identifying every weakness before it becomes a breach.

Internet-Facing Infrastructure Assessment

Comprehensive enumeration and exploitation of all externally reachable assets: web servers, mail infrastructure, DNS services, exposed management interfaces, legacy protocols, and undocumented hosts. We map your real attack surface — not just the assets you know about — and attempt exploitation of every identified weakness with working proof-of-concept code.

OSINT Reconnaissance & Subdomain Enumeration

Passive and active open-source intelligence gathering across certificate transparency logs, DNS records, code repositories, job postings, and social media to identify shadow IT, leaked credentials, exposed secrets, and forgotten assets. Subdomain enumeration uses brute-force wordlists, DNS zone transfers, permutation scanning, and certificate log mining to maximise discovery coverage.

Subdomain Takeover Testing

Identification and proof-of-concept exploitation of dangling DNS CNAME and A records pointing to deprovisioned cloud services, CDN endpoints, hosting providers, and SaaS platforms. Subdomain takeover vulnerabilities are frequently overlooked in standard assessments but allow attackers to host malicious content under your trusted domain, enabling credential phishing and cookie theft.
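The check a defender can run themselves, as an added example (not tooling from Cyber Security Pentesting Inc. or from the page): parse the CNAME records out of a BIND-style zone and flag any whose target no longer resolves. The zone text and the resolver table are constructed sample data using reserved example names; the `Resolver` callable signature is this example's own convention, so in production you would pass in a function that performs a live DNS lookup.

```python
"""Flag dangling CNAME records in a zone (subdomain-takeover candidates).

Added example for this page, not tooling from Cyber Security Pentesting Inc.
A CNAME whose target no longer exists points at a deprovisioned service;
if that target sits in a third party's namespace, the name can be claimed
by someone else. The DNS lookup is injected as a function so the check
runs offline against constructed data here; in production pass a real
resolver (the `Resolver` signature below is this example's own convention).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A resolver returns the address records for a name, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


@dataclass
class Finding:
    owner: str    # the record in your zone (e.g. docs.example.com)
    target: str   # where the CNAME points
    reason: str


def _fqdn(name: str, origin: str) -> str:
    """Expand a zone-file name to a lower-case FQDN without the trailing dot."""
    origin = origin.rstrip(".").lower()
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Extract owner -> target for CNAME records from BIND-style zone text.

    Handles $ORIGIN, comments and relative names; assumes every record line
    begins with its owner name (no owner inherited from the previous line).
    """
    origin = "."
    cnames: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # strip comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        if parts[0].startswith("$") or "CNAME" not in parts:
            continue                               # $TTL, A, SOA, ...
        target = parts[parts.index("CNAME") + 1]
        cnames[_fqdn(parts[0], origin)] = _fqdn(target, origin)
    return cnames


def find_dangling_cnames(cnames: Dict[str, str], resolve: Resolver) -> List[Finding]:
    """Return CNAMEs whose target is gone (NXDOMAIN) or has no addresses."""
    findings: List[Finding] = []
    for owner, target in sorted(cnames.items()):
        addrs = resolve(target)
        if addrs is None:
            findings.append(Finding(owner, target, "NXDOMAIN: target no longer exists"))
        elif not addrs:
            findings.append(Finding(owner, target, "NODATA: target exists but has no A/AAAA records"))
    return findings


# --- constructed sample data (reserved .test / example.com names) -------------
SAMPLE_ZONE = """
$ORIGIN example.com.
$TTL 3600
@       IN SOA   ns1.example.com. hostmaster.example.com. ( 1 7200 3600 1209600 3600 )
www     IN A     192.0.2.10
shop    IN CNAME shop-front.example-cdn.test.
docs    IN CNAME docs-site.example-pages.test.    ; hosting cancelled last year
status  IN CNAME status.example-status.test.
"""

# Stand-in for live DNS: name -> addresses; a name absent here means NXDOMAIN.
RESOLVER_TABLE: Dict[str, List[str]] = {
    "shop-front.example-cdn.test": ["198.51.100.7"],
    "status.example-status.test": [],   # name exists, but no address records
}


def resolve_from_table(name: str) -> Optional[List[str]]:
    """Constructed resolver: looks the name up in RESOLVER_TABLE."""
    return RESOLVER_TABLE.get(name.rstrip(".").lower())


if __name__ == "__main__":
    for f in find_dangling_cnames(parse_cnames(SAMPLE_ZONE), resolve_from_table):
        print(f"{f.owner} -> {f.target}: {f.reason}")
```

NXDOMAIN on the target is the strong signal: the service hostname has been released and may be registrable by anyone on that provider. NODATA (the name exists but answers nothing) is weaker and worth a manual look; the remediation in both cases is the same, delete the stale record or repoint it.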

VPN & Remote Access Testing

Security assessment of SSL-VPN gateways, IPSec endpoints, Citrix/RDP brokers, Pulse Secure, Fortinet, and Cisco ASA infrastructure. We test for pre-authentication vulnerabilities, credential stuffing susceptibility, MFA bypass techniques, client-side certificate weaknesses, and split-tunnel misconfigurations that permit network pivot from compromised remote sessions.

Protocol-Level Attacks

Manual exploitation of weaknesses in network protocols including SMB relay and signing attacks, NTLM coercion, DNS poisoning, BGP route injection testing (in authorised scope), SMTP relay abuse, SNMP community string extraction, and legacy protocol exploitation (Telnet, FTP, RSH). We test the protocol stack your perimeter exposes, not just the application layer.

Firewall & IDS/IPS Bypass Techniques

Evasion of perimeter controls including packet fragmentation, protocol tunnelling (DNS, ICMP, HTTP), traffic encoding, and timing-based evasion to assess whether your detection and prevention capabilities can identify and block real attacker traffic. Findings inform both firewall rule improvements and detection engineering priorities for your SOC team.


Internal Network Testing

Modern breach scenarios rarely stop at the perimeter. Once an attacker is inside — through phishing, a compromised vendor, a VPN credential, or physical access — the real damage begins. Our internal network penetration testing simulates exactly this: a determined adversary with a foothold, working to expand access, escalate privileges, and reach your most sensitive assets.

Assumed-Breach Scenarios

Starting from a realistic post-initial-access position — a standard domain workstation, a compromised service account, or a foothold on a specific network segment — we execute full attack chains toward defined objectives such as domain compromise, data exfiltration, or financial system access. This approach rapidly validates your internal defences without the time cost of external initial access testing.

Lateral Movement Techniques

Systematic traversal of your internal network using techniques including Pass-the-Hash, Pass-the-Ticket, NTLM relay, WMI/WinRM remote execution, SMB lateral movement, token impersonation, and RDP session hijacking. We map the actual paths an attacker can walk from initial foothold to crown-jewel assets, identifying detection gaps and segmentation failures along the way.

Credential Harvesting & Abuse

Memory-based credential extraction using LSASS dumping techniques, Kerberoasting and AS-REP roasting for service account credential recovery, credential spraying against internal authentication services, and SAM/NTDS.dit extraction. We assess password quality, account reuse patterns, and whether your credential storage and transmission practices create exploitable attack paths.
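What the defensive side of the Kerberoasting item looks like, as an added example (not tooling from Cyber Security Pentesting Inc. or from the page): two detection rules run over Windows Security event 4769 records. The events are constructed dicts keyed by the 4769 EventData field names (TargetUserName, ServiceName, TicketEncryptionType, Status) plus TimeCreated, standing in for a SIEM export; the thresholds are this example's own starting points, not values from the page.

```python
"""Kerberoasting indicators from Windows Security event 4769 records.

Added example for this page, not tooling from Cyber Security Pentesting Inc.
Event 4769 (a Kerberos service ticket was requested) carries the fields
used below; the records are constructed dicts keyed by the EventData field
names, standing in for events exported from a SIEM. Two signals:
  1. a service ticket issued with RC4 (TicketEncryptionType 0x17/0x18) for a
     user-owned SPN, the ticket type an attacker asks for to crack offline;
  2. one account requesting many distinct SPNs in a short window, which is
     how a Kerberoasting tool enumerates targets.
Legacy applications can legitimately still use RC4, so signal 1 is a lead to
triage, not a verdict; signal 2 is the stronger indicator.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List

RC4_TYPES = {"0x17", "0x18"}        # RC4-HMAC, RC4-HMAC-EXP
SUCCESS = "0x0"                      # Status field of a successfully issued ticket


def is_rc4_service_ticket(e: Dict[str, object]) -> bool:
    """Signal 1: successful 4769 with RC4 for a non-machine, non-krbtgt SPN."""
    if e["EventID"] != 4769 or e["Status"] != SUCCESS:
        return False
    service = str(e["ServiceName"]).lower()
    if service.endswith("$") or service == "krbtgt":
        return False                 # computer accounts and TGT renewals are noise here
    return str(e["TicketEncryptionType"]).lower() in RC4_TYPES


def burst_requesters(events: Iterable[Dict[str, object]], window_seconds: int = 60,
                     min_distinct: int = 5) -> Dict[str, int]:
    """Signal 2: accounts that requested >= min_distinct distinct SPNs within
    any window_seconds-long window. Returns account -> peak distinct count."""
    by_account: Dict[str, List] = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["Status"] == SUCCESS:
            by_account[str(e["TargetUserName"])].append(
                (datetime.fromisoformat(str(e["TimeCreated"])), str(e["ServiceName"]).lower()))
    flagged: Dict[str, int] = {}
    for account, requests in by_account.items():
        requests.sort()                          # sliding window over time order
        window: deque = deque()
        in_window: Counter = Counter()
        peak = 0
        for t, service in requests:
            window.append((t, service))
            in_window[service] += 1
            while (t - window[0][0]).total_seconds() > window_seconds:
                _, old_service = window.popleft()
                in_window[old_service] -= 1
                if in_window[old_service] == 0:
                    del in_window[old_service]
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            flagged[account] = peak
    return flagged


def summarise(events: List[Dict[str, object]]) -> Dict[str, object]:
    """Both signals over one batch of events."""
    return {"rc4_user_spn_tickets": sum(is_rc4_service_ticket(e) for e in events),
            "burst_accounts": burst_requesters(events)}


# --- constructed sample events (field names follow 4769 EventData) ------------
def ev(time: str, user: str, service: str, enc: str, status: str = SUCCESS) -> Dict[str, object]:
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": enc, "Status": status,
            "IpAddress": "::ffff:10.0.20.15"}


SAMPLE_EVENTS = [
    # one user pulling six different service tickets in ten seconds, all RC4
    ev("2024-05-01T09:00:00", "jsmith@CORP.EXAMPLE", "sqlsvc", "0x17"),
    ev("2024-05-01T09:00:02", "jsmith@CORP.EXAMPLE", "websvc", "0x17"),
    ev("2024-05-01T09:00:04", "jsmith@CORP.EXAMPLE", "backupsvc", "0x17"),
    ev("2024-05-01T09:00:05", "jsmith@CORP.EXAMPLE", "reportsvc", "0x17"),
    ev("2024-05-01T09:00:07", "jsmith@CORP.EXAMPLE", "vpnsvc", "0x17"),
    ev("2024-05-01T09:00:09", "jsmith@CORP.EXAMPLE", "printsvc", "0x17"),
    # normal file-share access: AES ticket, then an RC4 one to a computer account
    ev("2024-05-01T09:00:30", "bob@CORP.EXAMPLE", "FILESRV01$", "0x12"),
    ev("2024-05-01T09:01:00", "bob@CORP.EXAMPLE", "FILESRV01$", "0x17"),
    # legacy app still negotiating RC4 for a single SPN: signal 1 only
    ev("2024-05-01T09:03:00", "legacyapp@CORP.EXAMPLE", "ldapproxy", "0x17"),
    # TGT renewal shows as 4769 with service krbtgt: excluded
    ev("2024-05-01T09:03:05", "jsmith@CORP.EXAMPLE", "krbtgt", "0x17"),
    # failed request (non-zero Status): excluded
    ev("2024-05-01T09:04:00", "alice@CORP.EXAMPLE", "sqlsvc", "0x17", status="0xd"),
]

if __name__ == "__main__":
    print(summarise(SAMPLE_EVENTS))
```

On the sample, signal 1 fires seven times (six for jsmith, one for the legacy application) and signal 2 names only jsmith, which is the account a responder should pull first. Tuning points: raise `min_distinct` in environments where automation legitimately touches many SPNs, and whitelist known RC4-only applications for signal 1 while planning their migration to AES.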

Privilege Escalation Through Misconfigurations

Identification and exploitation of local and domain privilege escalation paths: unquoted service paths, weak service permissions, DLL hijacking, Always-Install-Elevated policies, scheduled task abuse, token privilege exploitation, GPO misconfiguration, DACL/ACL weaknesses, and Kerberos delegation abuse. Every escalation path is demonstrated with working exploitation proof.

Network Segmentation Validation

Empirical testing of your network segmentation controls — VLANs, firewall rules, micro-segmentation policies, and zero-trust enforcement — to verify that sensitive segments (PCI-DSS cardholder data environments, OT/SCADA networks, HR systems, backup infrastructure) are genuinely isolated from compromise propagation paths and cannot be reached from user-facing network zones.

Persistence & Backdoor Testing

Assessment of your ability to detect and evict an attacker who has established persistence mechanisms: scheduled tasks, WMI subscriptions, registry Run key modifications, service installations, BITS job abuse, and account backdooring. We establish persistence, then work with your security team to validate detection capability and measure mean-time-to-detect against real attacker techniques.


Our Methodology

Every network penetration testing engagement follows a structured, repeatable methodology aligned to the Penetration Testing Execution Standard (PTES) and OSSTMM, adapted with real-world adversarial tradecraft developed across 15 years of offensive security practice. This is not a compliance checkbox exercise — it is a principled adversarial simulation designed to find what matters.

Scoping & Rules of Engagement

We define target IP ranges, domains, excluded systems, testing windows, notification procedures, and escalation paths. Clear rules of engagement protect production stability and ensure legal coverage for all testing activity.

Reconnaissance & Intelligence Gathering

Passive OSINT collection, active DNS and subdomain enumeration, service fingerprinting, and infrastructure mapping. We build a comprehensive picture of your attack surface before a single exploit attempt is made.

Vulnerability Discovery

Targeted, manual-first vulnerability identification combining authenticated and unauthenticated scanning, protocol analysis, configuration review, and version-based vulnerability research — filtered and prioritised by exploitability and business impact.

Exploitation & Chaining

Hands-on exploitation of confirmed vulnerabilities, including multi-step attack chain development where individual findings combine into critical compromise paths. Every finding is proven with working exploit code and a documented reproduction procedure.

Post-Exploitation & Pivoting

Lateral movement, privilege escalation, credential harvesting, and pivoting through network segments to demonstrate real business impact. We reach the objectives defined in scoping — domain admin, sensitive data access, critical system compromise — to make the risk tangible for decision-makers.

Reporting & Remediation

A structured, executive-and-technical dual-audience report with CVSS-scored findings, reproduction steps, root-cause analysis, and a prioritised remediation roadmap. Includes a debrief session with your technical and security leadership teams, and a free retest of critical findings after remediation.


Aligned to Industry Standards

Our network penetration testing methodology is grounded in globally recognised standards and frameworks. These references inform our testing depth, scope coverage, and reporting structure — ensuring your assessment meets the expectations of auditors, regulators, and board-level stakeholders.

PTES

Penetration Testing Execution Standard — the structural backbone of our engagement lifecycle from pre-engagement through reporting.

pentest-standard.org

OSSTMM

Open Source Security Testing Methodology Manual — systematic coverage of operational security testing across network and process channels.

isecom.org/OSSTMM.3.pdf

NIST SP 800-115

Technical Guide to Information Security Testing and Assessment — federal standard for penetration testing scope, techniques, and reporting requirements.

csrc.nist.gov

CIS Controls

Center for Internet Security Controls — prioritised safeguards framework used to contextualise findings and structure remediation roadmaps by control category.

cisecurity.org/controls

MITRE ATT&CK (Network)

Adversarial Tactics, Techniques and Common Knowledge — our exploitation and lateral movement TTPs are mapped to ATT&CK for direct correlation with threat intelligence and detection engineering.

attack.mitre.org