Case Study

Uncovering Hidden Risk Through Internal Penetration Testing

The customer is a leading UK recruitment organisation operating at scale across multiple locations, with a sophisticated internal IT environment supporting a large user base. Like most large companies, the business holds a great deal of sensitive data, so the security of its internal network is a top priority.


In this story

Following the successful deployment of automated external penetration testing, Formation Tech were engaged to extend the programme into the customer's internal network. The engagement uncovered a forgotten test switch on the core network protected only by a basic administrative password, a single overlooked device that, if compromised, would have exposed the business far more widely than expected.

Challenges

Validating the Internal Network

The customer had already taken meaningful steps to secure its external-facing infrastructure, deploying automated penetration testing against its external IP addressing to generate regular insights and visibility into both new and existing threats. Having seen the value of that programme, attention naturally turned to the internal network.

The business went into this next phase with a high degree of confidence. Their internal environment was considered well secured, the result of years of investment, capable people, and established processes. The question was less whether they were exposed and more whether anything had been quietly overlooked over time.

That confidence is common among well-run organisations, and it is precisely why internal penetration testing matters. The exposure most often picked up by internal testing is not the headline misconfiguration but the unseen, forgotten pieces of infrastructure that were set up at a point in time and then quietly faded from view: security systems, video conferencing units and generic IoT devices, categories of technology that rarely sit at the top of an IT team's radar but which can offer an easy backdoor into an organisation. Once authenticated onto the network, an attacker exploiting these "invisible" devices can often travel a great deal further than the business realises.

Solution

A Thorough Test of the Internal Environment

Formation Tech were engaged to extend their penetration testing programme into the customer's internal network, applying the same rigorous methodology that had already delivered value externally. The objective was straightforward: validate the assumption that the internal environment was secure, and surface anything that had been missed.

During the engagement, the testing identified a test switch that had been installed in the customer's lab and had inadvertently ended up sitting on the core network. The switch was protected only by a very basic administrative password. In isolation it looked unremarkable, exactly the kind of device that gets set up for a short-term purpose and is then forgotten, but its position on the core network made it materially significant. Once compromised, it would have given an attacker reach across the network far wider than the business would have expected.

Formation Tech reported the finding, worked with the customer to validate the impact, and supported the steps required to remediate the exposure and bring the device under proper control.

Outcomes

Visibility Where It Matters Most

The engagement delivered exactly what internal penetration testing is designed to deliver: independent validation, and the surfacing of the kind of overlooked exposure that is almost impossible to identify from inside the team responsible for managing the environment. A single forgotten switch with a weak password was all it would have taken to give an attacker meaningful lateral access. Identifying and resolving it closed down a significant route into the business.

More broadly, the case illustrates why regular internal penetration testing has become an essential discipline for organisations of any scale, particularly those that operate across multiple sites or have grown through acquisition. New devices, inherited infrastructure, temporary lab setups and IoT estates all change the internal attack surface in ways that are easy to lose track of over time. Doing internal testing on a regular cadence is what allows businesses to understand when these changes happen, rather than discovering them after a breach.

For the customer, the outcome has been twofold: a specific, material risk addressed and resolved, and a broader programme of internal visibility that complements their existing external testing, extending Formation Tech's role as the partner responsible for validating their security posture on both sides of the perimeter.


Critical

Critical forgotten device identified on the core network


Visibility

Full perimeter and internal visibility now in place

Ongoing Testing

Internal penetration testing cadence established

100%

Compromised device remediated
