Think your business is secure? Why assumed breach testing is the real test

23/05/25 Chris Watt
Think your business is secure? Why assumed breach testing is the real test placeholder thumbnail

It’s widely recognised that organisations worldwide face relentless external cyber threats from a variety of threat actors, but far less consideration is given to threats that may be coming from inside an organisation itself.

Insider threats can originate from a variety of sources, including malicious or disgruntled employees, or even external attackers who have compromised internal users through phishing or exploiting internal vulnerabilities. Furthermore, and more significantly, depending on the specific nature of the attack or breach, some threat actors can maintain prolonged access to any compromised internal systems, giving them endless opportunities to explore the internal networks and any valuable assets.

Why an assumed breach or rogue user exercise is essential

This is where advanced internal security testing such as an assumed breach, or rogue user exercise would come into play, unlike other forms of internal penetration test, including:

  • where the assessment could either be performed from a fully unauthenticated perspective, simulating an attacker who had managed to simply connect into the network and “see what they could see”, investigating and attacking as much as possible in the time available.
  • scanning the organisation’s networks and assets for patching and misconfigurations from an administrative perspective.

An assumed breach or rogue user assessment focuses on what an internal rogue user with standard domain user privileges could do within the network, rather than patching levels or other similar misconfigurations on various devices.

Such an assessment should consider multiple possible scenarios, as described above, particularly in terms of initial access, but the overall final objective is generally the same: Can such a rogue internal user, such as a disgruntled employee, or other threat actor who has managed to compromise the network through other means and can maintain their access, elevate their privileges, access sensitive data, or otherwise compromise the network further in some meaningful way?

 

How is an assumed breach assessment different from an unauthenticated internal penetration test?

While an assumed breach assessment can sometimes be considered an extension of a completely unauthenticated Internal penetration test (where an attacker simply plugs in an unknown laptop, or other remote device and begins exploring with no credentials), the boundary between these usually lies in whether an attacker can gain any form of authenticated foothold into the network, from an initial unauthenticated perspective. Since this is often a time-consuming practice, an assumed breach exercise can be regarded as a cost-effective middle ground, especially when budgets are tighter but organisations want to evaluate real internal risks.

What’s the difference between Red Team vs. assumed breach?

Some may ask how and where this differs from a Red Team engagement. The answer to this lies in the scope (breadth) and noise generated from such a test:

  • Red Teams generally assess a broader area of potential entry points, combining multiple forms or otherwise different tests into one engagement (OSINT, Social-Engineering, External Infrastructure, Web App, VPN etc), but also generally aim to be “quieter”, flying under the radar to avoid detection for as long as possible. However, this attempted detection avoidance normally means that things can take longer, hence Red Team engagements generally being spread over a longer period.
  • Assumed breach/ rogue user assessments on the other hand are still conducted within a much smaller commercial time window and need to be “louder” to still ensure good coverage.

What’s tested on an assumed breach assessment?

The type of testing you can do with a standard domain or low-privileged user account depends on how you want to simulate the attack, and ultimately whether there are any particular objectives to be attained. If the test is run from an organisation-owned device, such as a corporate laptop connected to the VPN, security policies might limit what the attacker can do. But if the test is done from an attacker-owned device with full admin rights, connected via VPN, this provides a broader and more accurate assessment - especially if this approach can be consistently repeated.

Assessments typically examine:

  • Number of users present on the domain
  • Domain’s password policy
  • The presence of any accounts whose sensitive password data may be retrievable by other domain users, via the design of Active Directory
  • Whether any such accounts are highly privileged, and/or whose plaintext passwords are retrievable (crackable) within a reasonable time
  • Quantity and identities of domain admin accounts
  • Examination of any networks shares available, and whether any sensitive data is contained within

Real-world lessons from insider-related attacks

Many organisations have experienced domain compromises due to misconfigurations or not following best practice - allowing even standard domain users to escalate privileges and take control of entire networks. These vulnerabilities are prevalent both on-premises and via virtual machines and networks in the cloud, emphasising that internal security is as vital as external defences.

Ready to strengthen your internal security?

An assumed breach or rogue user assessment provides invaluable insight into how well your defences hold up against internal threats. By simulating real-world scenarios, we identify weaknesses before malicious insiders or compromised accounts do.

If you would like to learn more about how we identify vulnerabilities with our range of services, including penetration testing, get in touch.

Chris Watt Picture

About the author

Chris Watt has been in the penetration testing arena for over 12 years, specialising in web application and API security. For the last few years he has been steadily branching out into other types of security, including advanced infrastructure and mobile app testing.

Cyber Security, Red Team, Assumed Breach

Latest blogs

See all posts
ransomware
Top ransomware protection tips for everyone

Secure your personal data We are all personally, ransomware targets, so we're taking the time to offer some top tips, that each and every one of us can follow to protect our personal data from a ransomware attack. Imagine turning on your computer to find a startling message: all your files - family photos, tax documents, everything - are locked. You cannot open a single one. To get them back, a stranger on the internet is demanding hundreds of pounds. This isn’t a scene from a movie; it’s a real and increasingly common threat called ransomware.

Read more
sd-wan
SD-WAN benefits for education: enhance school, college and university networks

Online learning platforms, cloud-based applications, virtual classrooms, and bandwidth-heavy multimedia resources have become essential to modern education. As these demands grow, many institutions are turning to SD‑WAN (Software-Defined Wide Area Networking) to support their digital transformation.

Read more
it in education
Best IT support for schools: enhance education

The right IT support services help schools and colleges operate smoothly, prevent downtime, and enhance the overall learning experience. This guide breaks down the most effective IT solutions for educational institutions and explains how to choose the right IT partner. Why IT support is essential in modern education Schools and colleges depend on technologies such as cloud platforms, WiFi networks, learning management systems (LMS), and safeguarding tools. Without strong IT support, everyday learning can easily be disrupted. High‑quality IT support ensures: Consistent uptime for learning platforms Secure protection for student and staff data Smooth operation of classroom hardware Reliable connectivity across campus A strategic roadmap for future IT improvements Top IT support services for schools and colleges 1. Managed IT support Managed IT support gives schools access to a fully equipped technical team without needing an in‑house department. Typical features include: 24/7 help desk Device and server management Cyber security monitoring Backup and disaster recovery Software updates and patch management This approach reduces costs, increases system reliability, and frees educators to focus on learning—not technical issues. 2. Student technology support Students rely on devices and online platforms every day. Student tech support ensures they can access lessons without interruption. Common services include: Device troubleshooting (laptops, tablets, Chromebooks) Login and password resets Connectivity support Assistance with online learning platforms Safety filtering guidance This support is especially vital in hybrid or remote learning environments. 3. Classroom technology solutions Modern classrooms need fully supported and integrated digital tools. Classroom IT solutions typically include: Interactive whiteboards Projectors and AV systems Classroom management software WiFi optimisation Digital collaboration tools These technologies make lessons more engaging and interactive. 4. Microsoft education support Microsoft remains one of the most widely used platforms in schools. Supporting these tools effectively helps ensure seamless digital learning. Key areas include: Office 365 management Teams for Education Intune device management Azure cloud services Identity and access management 5. Microsoft education training Empower your teaching and facilitate innovative learning for your students with Microsoft education training. Key areas include: Microsoft 365 Education Tools Training Microsoft's Showcase School Programme How to choose the right IT support provider When evaluating IT support services, schools should consider: Budget and funding constraints Current IT infrastructure Scalability needs Security and compliance requirements Provider’s education-sector experience Availability of both remote and on‑site support Choosing a specialist with education experience ensures better safeguarding compliance, user-friendly solutions, and long‑term value. The benefits of outsourcing IT support Practical and operational benefits More schools now outsource IT due to benefits in security, performance, management and cost: Lower long‑term costs Access to specialist expertise Faster response and issue resolution Stronger cyber protection A strategic, future-proof technology plan Learning benefits Technology is enabling and facilitating better learning experiences and outcomes, empowering teachers, increasing pupil engagement and enriching the classroom experience: Personalised learning paths Instant access to learning resources Better collaboration among students Support for SEND and diverse learning needs Preparation for a digital workforce Schools that invest wisely in IT create stronger educational outcomes. The growing demand for IT skills in education As digital transformation accelerates, technology is playing a key role in enhancing learning and schools increasingly require IT professionals skilled in: Networking Cyber security Cloud infrastructure EdTech implementation Support and troubleshooting Online IT certification programmes are helping build the next generation of education‑sector IT specialists. Wavenet: A trusted IT partner for UK schools and the public sector For educational institutions seeking a reliable and experienced IT services provider, We are one of the UK’s leading education technology specialists. With over 30 years of experience delivering designed‑for‑schools solutions, we supports more than 4,000 education establishments nationwide across cloud platforms, cyber security, communications, safeguarding, and network services. We provide ICT services, broadband, WiFi, audio‑visual systems, remote support, and fully managed IT services - all delivered by DBS‑checked staff and supported with clear, transparent SLAs. By partnering with us, schools gain access to expert guidance, best‑practice ICT strategy, robust cybersecurity, and a long‑term technology roadmap - helping them create a connected, secure, and future‑ready educational environment.

Read more
managed security services provider
What is a Managed Security Services Provider (MSSP)?

Managed Security Service Providers (MSSPs) offer outsourced monitoring, management, and protection of an organisation’s security infrastructure. Their services typically include managed threat detection, continuous security monitoring, incident response, and vulnerability management. By partnering with an MSSP, businesses can leverage specialist expertise and advanced technologies to safeguard their digital assets more effectively.

Read more
UK digital infrastructure connectivity
Higher ROI for firms investing in infrastructure

Digital infrastructure is now a national and commercial priority For UK C-suite leaders, the growth conversation has fundamentally shifted. The latest UK infrastructure analysis1. shows that 2026 marks a major shift from policy vision to project delivery, unlocking billions in digital infrastructure, fibre connectivity, grid upgrades, and modernisation programmes. This shift positions digital infrastructure as a core driver of competitiveness, innovation, and long-term business ROI.

Read more