Think your business is secure? Why assumed breach testing is the real test

23/05/25 Chris Watt
Think your business is secure? Why assumed breach testing is the real test placeholder thumbnail

It’s widely recognised that organisations worldwide face relentless external cyber threats from a variety of threat actors, but far less consideration is given to threats that may be coming from inside an organisation itself.

Insider threats can originate from a variety of sources, including malicious or disgruntled employees, or even external attackers who have compromised internal users through phishing or exploiting internal vulnerabilities. Furthermore, and more significantly, depending on the specific nature of the attack or breach, some threat actors can maintain prolonged access to any compromised internal systems, giving them endless opportunities to explore the internal networks and any valuable assets.

Why an assumed breach or rogue user exercise is essential

This is where advanced internal security testing such as an assumed breach, or rogue user exercise would come into play, unlike other forms of internal penetration test, including:

  • where the assessment could either be performed from a fully unauthenticated perspective, simulating an attacker who had managed to simply connect into the network and “see what they could see”, investigating and attacking as much as possible in the time available.
  • scanning the organisation’s networks and assets for patching and misconfigurations from an administrative perspective.

An assumed breach or rogue user assessment focuses on what an internal rogue user with standard domain user privileges could do within the network, rather than patching levels or other similar misconfigurations on various devices.

Such an assessment should consider multiple possible scenarios, as described above, particularly in terms of initial access, but the overall final objective is generally the same: Can such a rogue internal user, such as a disgruntled employee, or other threat actor who has managed to compromise the network through other means and can maintain their access, elevate their privileges, access sensitive data, or otherwise compromise the network further in some meaningful way?

 

How is an assumed breach assessment different from an unauthenticated internal penetration test?

While an assumed breach assessment can sometimes be considered an extension of a completely unauthenticated Internal penetration test (where an attacker simply plugs in an unknown laptop, or other remote device and begins exploring with no credentials), the boundary between these usually lies in whether an attacker can gain any form of authenticated foothold into the network, from an initial unauthenticated perspective. Since this is often a time-consuming practice, an assumed breach exercise can be regarded as a cost-effective middle ground, especially when budgets are tighter but organisations want to evaluate real internal risks.

What’s the difference between Red Team vs. assumed breach?

Some may ask how and where this differs from a Red Team engagement. The answer to this lies in the scope (breadth) and noise generated from such a test:

  • Red Teams generally assess a broader area of potential entry points, combining multiple forms or otherwise different tests into one engagement (OSINT, Social-Engineering, External Infrastructure, Web App, VPN etc), but also generally aim to be “quieter”, flying under the radar to avoid detection for as long as possible. However, this attempted detection avoidance normally means that things can take longer, hence Red Team engagements generally being spread over a longer period.
  • Assumed breach/ rogue user assessments on the other hand are still conducted within a much smaller commercial time window and need to be “louder” to still ensure good coverage.

What’s tested on an assumed breach assessment?

The type of testing you can do with a standard domain or low-privileged user account depends on how you want to simulate the attack, and ultimately whether there are any particular objectives to be attained. If the test is run from an organisation-owned device, such as a corporate laptop connected to the VPN, security policies might limit what the attacker can do. But if the test is done from an attacker-owned device with full admin rights, connected via VPN, this provides a broader and more accurate assessment - especially if this approach can be consistently repeated.

Assessments typically examine:

  • Number of users present on the domain
  • Domain’s password policy
  • The presence of any accounts whose sensitive password data may be retrievable by other domain users, via the design of Active Directory
  • Whether any such accounts are highly privileged, and/or whose plaintext passwords are retrievable (crackable) within a reasonable time
  • Quantity and identities of domain admin accounts
  • Examination of any networks shares available, and whether any sensitive data is contained within

Real-world lessons from insider-related attacks

Many organisations have experienced domain compromises due to misconfigurations or not following best practice - allowing even standard domain users to escalate privileges and take control of entire networks. These vulnerabilities are prevalent both on-premises and via virtual machines and networks in the cloud, emphasising that internal security is as vital as external defences.

Ready to strengthen your internal security?

An assumed breach or rogue user assessment provides invaluable insight into how well your defences hold up against internal threats. By simulating real-world scenarios, we identify weaknesses before malicious insiders or compromised accounts do.

If you would like to learn more about how we identify vulnerabilities with our range of services, including penetration testing, get in touch.

Chris Watt Picture

About the author

Chris Watt has been in the penetration testing arena for over 12 years, specialising in web application and API security. For the last few years he has been steadily branching out into other types of security, including advanced infrastructure and mobile app testing.

Cyber Security, Red Team, Assumed Breach

Latest blogs

See all posts
Microsoft EA Volume
Microsoft is removing EA volume discounts - what you need to know

Upcoming changes to Microsoft Volume Licensing discounts - effective 1st November 2025

Read more
MDR in cyber security
What is MDR in cyber security?

In the face of constantly evolving cyber threats, relying solely on traditional defences like firewalls and anti-virus is no longer enough. Today’s cyber landscape demands proactive detection, rapid response, and continuous oversight. This is where Managed Detection and Response (MDR) comes into play: a modern approach that empowers businesses to stay one step ahead of cyber threats - even when internal resources are stretched thin.

Read more
Placeholder thumbnail
Podcast: unpacking the evolving challenges and decisions surrounding public cloud strategy

Sharing expert insight into public cloud strategy... In the latest episode of Asanti's “In Conversation With” podcast, Asanti’s Emma Lauchlan speaks with Chris Talliss, Director of Cloud, Data and Apps at Wavenet, to unpack the evolving challenges and decisions surrounding public cloud strategy.

Read more
Microsoft 365 e3 vs e5
Microsoft 365 E3 vs E5 – what’s the difference for your business?

Choosing the right Microsoft 365 licence can make all the difference – from managing costs to ensuring security and compliance. Here’s a side-by-side comparison of the two enterprise plans, so you can decide what works best for your organisation.

Read more
Placeholder thumbnail
Webinar - Wavenet and Mitel’s vision for 2025 & beyond

Webinar summary: future-proofing business communications with Mitel & Wavenet As communication continues to evolve, choosing the right partner is essential. This exclusive webinar, hosted by Wavenet in partnership with Mitel, featured Stuart Aldridge (UK Head of Mitel), Emma Westland (Strategic Director at Zoom) and Barry Ward (Product Director at Wavenet), delivering a forward-looking session focused on the future of unified communications (UC) for Mitel, Zoom and Wavenet.

Read more
A happy house tenant is using an app on her phone to report a home issue to her housing provider
From risk to resolution: how Active Assessor helps you stay ahead of Awaab's Law

What does Awaab's Law mean and why does it matter? Damp and mould aren’t just inconvenient maintenance problems - they’re serious risks to tenant health, regulatory compliance, and the reputation of housing providers. Nearly 1 in 7 social homes in England failed to meet the Decent Homes Standard in 2023¹. On top of that, the NHS is estimated to spend £1.4 billion a year treating health issues related to cold, damp housing². And yet, more than half of tenants experiencing condensation, damp or mould don’t report it. Often, they don’t recognise the early signs, or they simply don’t believe they’ll be taken seriously. This silence leaves landlords in the dark and turns small, fixable issues into expensive, high-risk problems. From October, social landlords will be legally required to fix emergency hazards within 24 hours and investigate and repair dangerous damp and mould within set timeframes, under new legislation known as Awaab’s Law. Introduced in memory of two-year-old Awaab Ishak, who tragically died in 2020 after prolonged exposure to mould in his social housing, the law represents a major step toward improving housing safety and quality. It allows tenants to take legal action if landlords fail to comply and will be rolled out in phases, beginning with damp and mould, to ensure effective implementation. This approach aims to deliver meaningful, lasting change while honouring the efforts of Awaab’s family to secure justice. Awaab’s Law also supports the government’s broader plan for change, which includes a commitment to building 1.5 million new homes and delivering the biggest improvement to social and affordable housing in a generation. The challenge: strained teams & outdated systems Most housing providers care deeply about tenant safety. The problem isn’t willingness—it’s capacity. Maintenance teams, IT departments, and customer contact centres are already stretched thin. Spotting early-stage issues requires tools they simply don’t have. Traditional, manual inspections are expensive and slow. Reactive workflows leave little room to get ahead of problems. And despite growing demand for proactive service, only 13% of customers actually receive it. The systems many teams rely on today are fragmented, outdated, and not fit for the pressures of a post-Awaab world. The solution: Active Assessor by 8x8

Read more

Stay service-savvy

Get all the latest news and insights straight to your inbox.