People picture a breach as the moment an attacker gets in. In our experience, getting in is the easy part. What happens next is what turns a foothold into a disaster — and it’s the part most organisations have never watched closely.
Here’s roughly how the first hour goes once an attacker has access to a single machine on your network.
They look around, quietly. The first goal isn’t damage — it’s understanding. What machine is this? What’s it connected to? What other systems can it reach? Most internal networks answer these questions far too freely.
They look for credentials. Passwords saved in files, cached login tokens, service accounts with more access than they need. On many networks, one compromised machine quickly yields the keys to several others.
They move sideways. Using what they’ve found, they hop from the first machine to more valuable ones — file servers, domain controllers, anything that widens their control. This is “lateral movement,” and it’s where a contained problem becomes a company-wide one.
They aim for the centre. In a Windows environment, that usually means Active Directory — the system that controls who can access what. Control that, and an attacker effectively controls the network.
The reason this works so often isn’t clever exploits. It’s that internal networks tend to trust anyone already inside them. Segmentation is weak, accounts have more privilege than they need, and credentials are lying around.
An internal assessment walks this exact path on purpose — with permission, carefully, and without the damage — so you can see how far someone could get and close the routes before a real attacker uses them.
