Your web applications have been tested. Your APIs passed their last assessment. Your cloud configuration was reviewed last quarter. But when did someone last test whether your actual network infrastructure, the firewalls, routers, switches, VPN gateways, segmentation, and wireless access points connecting all of those systems, actually resists attack?
Network VAPT is vulnerability assessment and penetration testing applied specifically to network infrastructure. It combines systematic identification of network-level vulnerabilities (assessment) with active exploitation validating which weaknesses an attacker could actually use to breach, traverse, or compromise your network (penetration testing).
The distinction matters because network-level weaknesses create different risk than application-level weaknesses. A SQL injection compromises one database. A network segmentation failure gives an attacker access to every system on the network. An authentication bypass exposes one application's data. A flat internal network with harvested credentials exposes everything: domain controllers, databases, backup systems, management interfaces, and every system connected to the same uncontrolled network highway.
Network VAPT evaluates whether your network architecture, configurations, and controls prevent the initial access, lateral movement, and privilege escalation that transform individual system compromises into complete infrastructure takeover.
This guide covers how network VAPT works across external, internal, and wireless network layers, the methodology testers follow, the tools they use, common findings, what deliverables you receive, and how network VAPT fits within your broader security testing programme.
What Is Network VAPT?
Network VAPT combines two complementary testing approaches applied to network infrastructure.
Network vulnerability assessment systematically identifies security weaknesses across network devices, services, and configurations through automated scanning and manual review. Assessment discovers missing patches on network devices, misconfigured firewalls and security groups, weak protocols and encryption, unnecessary exposed services, default credentials, and network architecture weaknesses.
Network penetration testing actively exploits validated network vulnerabilities using techniques real attackers employ. Testing demonstrates which network weaknesses are genuinely exploitable and what an attacker achieves through exploitation: perimeter breach, lateral movement, privilege escalation, and access to critical systems.
Together, network VAPT delivers what neither component provides alone. Assessment identifies the breadth of network weaknesses. Penetration testing validates which ones matter by proving exploitability and demonstrating impact.
For detailed comparison of these components, see our guide on vulnerability assessment vs penetration testing.
Network VAPT Layers: What Gets Tested
Network VAPT covers three distinct network layers, each with different threat models and testing techniques.
External Network VAPT
External network VAPT evaluates your network perimeter from an attacker's perspective on the internet. Testing targets everything reachable from outside your network.
What external network VAPT tests:
Perimeter device security. Firewalls, edge routers, and load balancers tested for known vulnerabilities, configuration weaknesses, and bypass techniques. Firewall rule analysis identifies overly permissive rules accumulated over years of changes.
Service exposure. Every port and service accessible from the internet is identified and evaluated. Critical findings include administrative ports (RDP 3389, SSH 22, database ports) exposed without source IP restriction, unnecessary services running on internet-facing systems, and legacy services with known exploitable vulnerabilities.
VPN and remote access. VPN gateways tested for authentication weaknesses (brute-force susceptibility, missing MFA, known CVEs), configuration issues (split tunnelling risks, excessive network access post-authentication), and protocol vulnerabilities.
DNS security. Zone transfer restrictions, DNSSEC implementation, subdomain enumeration revealing hidden services, and DNS poisoning susceptibility.
SSL/TLS configuration. Protocol versions (TLS 1.2 minimum), cipher suite strength, certificate validity, and configuration weaknesses across all internet-facing services.
Mail server security. SPF, DKIM, and DMARC configuration preventing email spoofing. SMTP, IMAP, and POP3 services tested for vulnerabilities and configuration issues.
IDS/IPS effectiveness. Testing whether intrusion detection and prevention systems detect and block scanning, exploitation attempts, and evasion techniques.
For detailed external testing methodology, see our external penetration testing guide.
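The mail server check above can be illustrated with an added example (not AppSecure's tooling) that evaluates SPF and DMARC policy strength from TXT records already retrieved. The sample records and domains are constructed, and DKIM is left out because checking it requires knowing the sending selector.

```python
def check_spf(txt_records):
    """Return issues for the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF record absent"]
    if len(spf) > 1:
        return ["multiple SPF records (evaluates to permerror)"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy lives at the redirect target; check that domain
        return ["SPF has no 'all' mechanism (default result is neutral)"]
    first = all_terms[0]
    qualifier = first[0] if first[0] in "+-~?" else "+"  # bare 'all' means +all
    if qualifier == "+":
        return ["SPF ends in +all (every sender passes)"]
    if qualifier == "?":
        return ["SPF ends in ?all (neutral, no protection)"]
    return []  # ~all (softfail) and -all (fail) are accepted here


def check_dmarc(dmarc_records):
    """Return issues for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in dmarc_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC record absent"]
    if len(recs) > 1:
        return ["multiple DMARC records (policy is not applied)"]
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    issues = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("DMARC p= tag missing or invalid")
    elif policy == "none":
        issues.append("DMARC p=none (monitoring only, no enforcement requested)")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        issues.append("DMARC pct=" + pct + " (policy applied to only part of failing mail)")
    return issues


def audit_domains(zones):
    """Map each domain to the combined list of SPF and DMARC issues."""
    return {d: check_spf(z["txt"]) + check_dmarc(z["dmarc"]) for d, z in zones.items()}


# Constructed DNS answers; the domains are reserved example names.
SAMPLE = {
    "example.com": {"txt": ["v=spf1 include:_spf.example.net -all"],
                    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]},
    "example.org": {"txt": ["v=spf1 ip4:192.0.2.0/24 +all"],
                    "dmarc": ["v=DMARC1; p=none"]},
    "example.net": {"txt": ["site-verification=constructed-value"],
                    "dmarc": []},
    "example.edu": {"txt": ["v=spf1 mx ~all"],
                    "dmarc": ["v=DMARC1; p=quarantine; pct=25"]},
}

if __name__ == "__main__":
    for domain, issues in audit_domains(SAMPLE).items():
        print(domain, "OK" if not issues else issues)
```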
Internal Network VAPT
Internal network VAPT evaluates your network from inside, simulating an attacker who has gained initial access through compromised credentials, phishing, physical access, or vendor connection.
What internal network VAPT tests:
Network segmentation. The highest-impact internal testing area. Testers attempt communication between network segments that should be isolated: workstation VLANs to server VLANs, user networks to management networks, guest WiFi to corporate infrastructure, and development to production environments. Flat networks without effective segmentation allow unrestricted lateral movement from any compromised system to every other system.
Active Directory security. AD controls authentication and access for every domain-joined system. Network VAPT evaluates Kerberoasting exposure, pass-the-hash attacks, delegation abuse, ACL permissions, Group Policy security, trust relationships, and AD Certificate Services misconfigurations. AD compromise typically means complete network compromise.
Lateral movement. Testing how an attacker moves between systems using captured credentials, protocol exploitation (SMB, WMI, WinRM, RDP), and trust relationships. Each compromised system provides new credentials and broader network access.
Privilege escalation. Attempting to escalate from standard user to local administrator (through local vulnerabilities, misconfigured services) and from domain user to domain administrator (through AD attack paths).
Internal service security. Databases, internal web applications, management interfaces (iLO, iDRAC, vCenter), file shares, and print servers tested for authentication weaknesses, default credentials, known vulnerabilities, and excessive access permissions.
Legacy protocol exposure. LLMNR, NBT-NS, and WPAD protocols enabling credential capture through network poisoning. These protocols are enabled by default on most Windows networks and provide reliable credential harvesting.
Network device security. Switches, routers, and wireless controllers tested for default credentials, unnecessary management protocols (Telnet, SNMPv1/v2c), and configuration weaknesses.
For detailed internal testing methodology, see our internal penetration testing guide.
Wireless Network VAPT
Wireless VAPT evaluates Wi-Fi, Bluetooth, and RF security.
What wireless network VAPT tests:
Wi-Fi encryption and authentication. WPA3 or WPA2-Enterprise validation. WPA2-Personal (PSK) strength assessment. Legacy protocol identification (WEP, WPA-TKIP).
Rogue access point detection. Scanning for unauthorised wireless access points on the corporate network bypassing wired security controls.
Guest network isolation. Validating that guest Wi-Fi cannot reach corporate network resources, management interfaces, or internal systems.
Evil twin susceptibility. Testing whether corporate devices connect to attacker-controlled access points mimicking legitimate SSIDs.
Signal leakage. Measuring how far corporate wireless signals extend beyond controlled physical space, defining the area from which wireless attacks are feasible.
For organisations in Singapore's high-density environments, see our wireless penetration testing Singapore guide.
The Network VAPT Process
Network VAPT follows the structured VAPT process adapted for network infrastructure.
Phase 1: Scoping and Planning
Define what network infrastructure falls within scope.
External scope: Public IP ranges, internet-facing domains, VPN endpoints, mail servers, and DNS infrastructure.
Internal scope: Network segments, IP ranges, Active Directory domains, wireless networks, and network devices. Determine starting position: compromised workstation with domain credentials (most common), network access without credentials, or vendor/contractor access level.
Compliance alignment: Identify applicable frameworks. PCI DSS Requirement 11.3 mandates network penetration testing. SOC 2 expects network access control validation. ISO 27001 requires network security assessment.
Rules of engagement: Testing hours, restricted techniques (DoS, account lockout), escalation procedures, and critical finding notification requirements.
Phase 2: Network Discovery and Reconnaissance
Map the complete network attack surface.
External reconnaissance: DNS enumeration, IP range mapping, service fingerprinting, certificate analysis, and OSINT gathering reveal the external network footprint including assets the organisation may not know are exposed.
Internal reconnaissance: Active Directory enumeration (users, groups, computers, trusts, SPNs), network scanning (live hosts, open ports, running services), service identification, file share enumeration, and internal DNS analysis.
Reconnaissance tools include Nmap for network discovery, BloodHound/SharpHound for AD attack path mapping, CrackMapExec for service enumeration, Responder for protocol analysis, and PowerView for AD enumeration.
Phase 3: Network Vulnerability Assessment
Systematically identify network-level vulnerabilities.
Automated scanning. Network vulnerability scanners (Nessus, Qualys, OpenVAS) check network devices and services against known vulnerability databases. Credentialed scanning provides deeper assessment than external-only scanning.
Configuration audit. Network device configurations compared against CIS Benchmarks, NIST guidelines, and vendor security best practices. Firewall rules, ACLs, routing configurations, and security settings evaluated for misconfigurations.
Manual validation. Security professionals review automated findings, eliminate false positives, and identify configuration issues scanners miss. Manual testing adds the contextual analysis automated tools lack.
Deliverable: Validated network vulnerability inventory with false positives removed and severity ratings considering network context.
Phase 4: Network Penetration Testing
Actively exploit validated network vulnerabilities.
External exploitation. Attempt to breach the network perimeter through identified vulnerabilities in internet-facing services, VPN gateways, and exposed management interfaces. Successful external exploitation demonstrates initial access capability.
Internal exploitation. From internal starting position, exploit network weaknesses to move laterally, escalate privileges, and reach critical systems. Credential harvesting through LLMNR/NBT-NS poisoning, Kerberoasting, pass-the-hash, and delegation abuse demonstrate realistic internal attack progression.
Segmentation testing. Actively attempt to cross network segment boundaries that should be isolated. If the tester on a workstation VLAN can reach the database server VLAN, segmentation has failed regardless of what the architecture diagram shows.
Vulnerability chaining. Chain individually minor network findings into high-impact attack paths. A medium-severity credential capture combined with a low-severity segmentation gap combined with a high-severity AD misconfiguration creates a critical attack path enabling complete domain compromise from a standard user workstation.
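The segmentation testing step in this phase compares what the architecture diagram promises with what actually connects. The added example below (not AppSecure's tooling) takes connection results recorded during an authorised test and reports flows that crossed a boundary the policy says is closed, plus allowed flows that are broken. The segment names, CIDRs, policy and observations are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment plan: names and CIDRs are illustrative assumptions.
SEGMENTS = {
    "workstations": "10.10.0.0/16",
    "servers": "10.20.0.0/16",
    "databases": "10.30.0.0/24",
    "management": "10.99.0.0/24",
    "guest_wifi": "192.168.50.0/24",
}

# Intended policy as drawn on the architecture diagram (assumed):
# (source segment, destination segment) -> TCP ports that may pass.
# Any cross-segment flow not listed here is expected to be blocked.
ALLOWED_FLOWS = {
    ("workstations", "servers"): {443},
    ("servers", "databases"): {5432},
    ("management", "servers"): {22, 443},
}


@dataclass(frozen=True)
class Observation:
    """One connection attempt recorded during an authorised test window."""
    src_ip: str
    dst_ip: str
    port: int
    reachable: bool  # True if the TCP handshake completed


def segment_of(ip, segments=SEGMENTS):
    """Return the most specific segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = None, -1
    for name, cidr in segments.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def evaluate(observations, allowed=ALLOWED_FLOWS):
    """Compare observed reachability with the intended policy.

    violations: flows that connected although the policy says blocked
    broken:     flows the policy allows that did not connect
    unmapped:   observations touching an address outside every segment
    """
    result = {"violations": [], "broken": [], "unmapped": []}
    for ob in observations:
        src, dst = segment_of(ob.src_ip), segment_of(ob.dst_ip)
        if src is None or dst is None:
            result["unmapped"].append(ob)
            continue
        if src == dst:
            continue  # intra-segment traffic is outside the segmentation policy
        permitted = ob.port in allowed.get((src, dst), set())
        flow = (src, dst, ob.dst_ip, ob.port)
        if ob.reachable and not permitted:
            result["violations"].append(flow)
        elif permitted and not ob.reachable:
            result["broken"].append(flow)
    return result


# Constructed sample results, not output from a real engagement.
SAMPLE = [
    Observation("10.10.4.21", "10.20.1.5", 443, True),        # allowed and working
    Observation("10.10.4.21", "10.30.0.12", 5432, True),      # workstation reaches database
    Observation("10.10.4.21", "10.99.0.3", 443, True),        # workstation reaches management
    Observation("192.168.50.77", "10.20.1.5", 445, True),     # guest Wi-Fi reaches server
    Observation("192.168.50.77", "10.30.0.12", 5432, False),  # blocked as intended
    Observation("10.20.1.5", "10.30.0.12", 5432, False),      # allowed flow that is broken
    Observation("10.10.4.21", "172.16.9.9", 22, True),        # address in no known segment
]

if __name__ == "__main__":
    report = evaluate(SAMPLE)
    for kind in ("violations", "broken", "unmapped"):
        print(kind)
        for item in report[kind]:
            print("  ", item)
```

Running the same comparison after remediation shows both that closed boundaries stay closed and that the fix did not break a flow the policy allows.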
Phase 5: Post-Exploitation and Impact Assessment
After successful exploitation, demonstrate business impact.
Data access demonstration. What sensitive data can the attacker reach from their achieved access level? Customer databases, financial records, intellectual property, backup systems.
Domain compromise validation. Has the attack path achieved domain administrator or equivalent access? Domain compromise means the attacker controls every domain-joined system.
Persistence demonstration. Could the attacker maintain access through reboots, password changes, and remediation attempts? Persistence mechanisms demonstrate long-term compromise risk.
Blast radius assessment. From the achieved access level, what additional systems, data, and capabilities are reachable? The blast radius demonstrates the full impact of the initial network weakness.
Phase 6: Reporting
Document findings in a comprehensive network VAPT report.
Executive summary communicating network security posture to leadership. Overall risk level, critical attack paths discovered, and strategic recommendations.
Network architecture assessment evaluating segmentation design, trust boundaries, and architectural weaknesses.
Technical findings with exploitation evidence for every validated vulnerability. Screenshots, command output, captured credentials (redacted), and step-by-step reproduction for each finding.
Attack path documentation showing complete chains from initial access through lateral movement and privilege escalation to objective achievement.
Compliance mapping to applicable frameworks (PCI DSS network requirements, SOC 2 access controls, ISO 27001 network controls).
Remediation guidance with specific fixes for each finding: firewall rules to modify, configurations to harden, patches to apply, architecture changes to implement.
For reporting standards, see our penetration testing reports guide.
Phase 7: Remediation Support and Retesting
Support network remediation and validate fixes.
Remediation guidance. Answering network team questions about findings, reviewing proposed firewall rule changes, validating segmentation redesigns, and advising on configuration hardening.
Retesting. Validating that firewall rules are corrected, segmentation prevents lateral movement, credentials are rotated, patches are applied, and AD misconfigurations are resolved. Network retesting confirms that changes produce intended security improvement without breaking legitimate traffic.
Network VAPT Tools
Network Vulnerability Assessment Tools
Nessus: Industry-leading network vulnerability scanner. Credentialed scanning covers OS patches, service vulnerabilities, and configuration compliance.
Qualys: Cloud-based vulnerability management providing continuous network monitoring and compliance auditing.
OpenVAS: Open-source network vulnerability scanning providing comprehensive coverage.
Network Penetration Testing Tools
Nmap: Network discovery standard for port scanning, service enumeration, OS detection, and script-based vulnerability checking.
Metasploit: Exploitation framework with thousands of network exploit modules validating vulnerability exploitability.
BloodHound / SharpHound: AD attack path mapping visualising shortest routes from any user to domain administrator.
Mimikatz: Credential extraction from Windows memory including password hashes, Kerberos tickets, and plaintext passwords.
Responder: LLMNR/NBT-NS/mDNS poisoning capturing credential hashes from network traffic.
CrackMapExec: Credential validation and network enumeration across multiple systems simultaneously.
Hashcat: GPU-accelerated offline password cracking for captured hashes.
Impacket: Protocol-level AD attack toolkit for secretsdump, wmiexec, psexec, and DCSync.
Burp Suite: Testing internal web applications and management interfaces for web-layer vulnerabilities.
Wireless Testing Tools
Aircrack-ng: Wi-Fi security assessment suite for capture, analysis, and cracking.
Kismet: Wireless network detector and sniffer for passive reconnaissance.
Ubertooth: Bluetooth security analysis hardware and software.
Tools enable testing but expertise determines quality. Network VAPT quality depends on testers who understand network architecture, protocol behaviour, and attack chaining, not just which tools to run.
Common Network VAPT Findings
External Network Findings
Exposed administrative ports. RDP (3389) and SSH (22) accessible from the internet without source IP restriction. These ports are actively scanned by automated attack tools globally. Finding severity: High.
Firewall rule bloat. Accumulated rules including forgotten temporary exceptions, overly broad entries, and rules for decommissioned systems creating unintended access paths. Finding severity: Medium to High.
Outdated SSL/TLS. TLS 1.0 and 1.1 still enabled on internet-facing services. Weak cipher suites. Expired or misconfigured certificates. Finding severity: Medium.
Missing email authentication. Absent or misconfigured SPF, DKIM, or DMARC enabling email spoofing for phishing campaigns. Finding severity: Medium.
VPN overprovisioning. VPN granting full network access when users need only specific applications. Finding severity: Medium.
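The exposed administrative port and firewall rule bloat findings above can be checked mechanically from an exported rule set. This added example (not AppSecure's tooling) flags allow rules that open admin ports to any source, any-to-any entries, expired temporary exceptions, and rules pointing at hosts no longer in the asset inventory. The rule format, field names, addresses and database port list are constructed assumptions, not a vendor export format.

```python
import ipaddress
from datetime import date

# RDP 3389 and SSH 22 are named on the page; the database ports are
# common defaults chosen for this example.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
ANY = {"any", "0.0.0.0/0"}


def port_matches(spec, port):
    """True if a port spec ('any', '443', '1000-2000', '22,3389') covers port."""
    spec = str(spec).strip().lower()
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def dst_in_inventory(dst, inventory):
    """True if the rule destination overlaps a network still in the inventory."""
    if dst in ANY:
        return True
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.overlaps(ipaddress.ip_network(n, strict=False)) for n in inventory)


def audit(rules, inventory, today):
    """Return (rule_id, issue) tuples for allow rules that match a check."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        any_src = r["src"] in ANY
        exposed = [name for p, name in sorted(ADMIN_PORTS.items())
                   if port_matches(r["port"], p)]
        if any_src and r["dst"] in ANY and str(r["port"]).lower() == "any":
            findings.append((r["id"], "any-to-any allow"))
        elif any_src and exposed:
            findings.append((r["id"], "admin port open to any source: " + ", ".join(exposed)))
        expires = r.get("expires")
        if expires and date.fromisoformat(expires) < today:
            findings.append((r["id"], "temporary exception expired " + expires))
        if not dst_in_inventory(r["dst"], inventory):
            findings.append((r["id"], "destination not in asset inventory"))
    return findings


# Constructed rule set using documentation address ranges.
RULES = [
    {"id": 10, "action": "allow", "src": "any", "dst": "203.0.113.10", "port": "443"},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.20", "port": "22,3389"},
    {"id": 30, "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.20", "port": "22"},
    {"id": 40, "action": "allow", "src": "any", "dst": "203.0.113.30", "port": "3000-3400",
     "expires": "2023-03-31"},
    {"id": 50, "action": "allow", "src": "198.51.100.7", "dst": "203.0.113.99", "port": "8443"},
    {"id": 60, "action": "allow", "src": "any", "dst": "any", "port": "any"},
    {"id": 70, "action": "deny", "src": "any", "dst": "any", "port": "any"},
]
INVENTORY = ["203.0.113.10", "203.0.113.20", "203.0.113.30"]  # hosts still in service

if __name__ == "__main__":
    for rule_id, issue in audit(RULES, INVENTORY, date.today()):
        print(f"rule {rule_id}: {issue}")
```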
Internal Network Findings
Flat network architecture. No effective segmentation between workstations, servers, databases, and management interfaces. Every system reachable from every other system. Finding severity: High (consistently the highest-impact internal finding).
Kerberoasting. Service accounts with SPNs running with domain admin privileges using crackable passwords. One cracked password grants complete domain control. Finding severity: Critical. Prevalence: 70%+ of internal assessments.
Legacy protocol credential harvesting. LLMNR and NBT-NS enabled, allowing passive credential capture from network traffic within minutes. Finding severity: High.
Identical local admin passwords. Same local administrator password across all workstations and/or servers. Compromising one system grants admin access to every system sharing the credential. Finding severity: High.
Credentials in file shares. Passwords, connection strings, and API keys in readable network shares, scripts, and documentation. Finding severity: High.
Missing network monitoring. Firewall logs not forwarded to SIEM. No east-west traffic monitoring. Lateral movement undetected. Finding severity: Medium to High.
Wireless Findings
Guest Wi-Fi not isolated. Guest network sharing infrastructure with corporate network. Visitors can reach internal resources. Finding severity: Critical.
WPA2-Personal on corporate networks. Shared pre-shared key known by current and former staff. Finding severity: High.
Evil twin susceptibility. Devices auto-connecting to stronger signals from rogue access points. Finding severity: High.
Network VAPT for Compliance
PCI DSS
PCI DSS contains the most specific network VAPT requirements.
Requirement 1: Network security controls (firewalls, segmentation). Network VAPT validates firewall configuration and CDE segmentation.
Requirement 11.2: Quarterly external vulnerability scanning by ASV.
Requirement 11.3: Annual penetration testing including internal and external network testing. Segmentation validation required if network segmentation limits PCI DSS scope.
Network VAPT directly satisfies PCI DSS Requirement 11 obligations. See our PCI DSS penetration testing guide.
SOC 2
SOC 2 CC6 (Logical and Physical Access Controls) requires evidence that network access controls prevent unauthorised access. Network VAPT validates segmentation, firewall rules, and access controls under adversarial conditions.
CC7 (System Operations) requires monitoring and detection. Network VAPT evaluates whether monitoring covers network activity adequately. See how SOC 2 pentests support compliance.
ISO 27001
ISO 27001 A.8.20 (Networks Security) and A.8.21 (Security of Network Services) require network security controls validated through testing. Network VAPT provides evidence of control effectiveness. See our ISO 27001 penetration testing guide.
HIPAA
HIPAA Security Rule technical safeguards require network access controls and audit controls protecting ePHI. Network VAPT validates that network segmentation isolates systems processing health information.
MAS TRM (Singapore)
MAS TRM mandates regular penetration testing including network assessment for financial institutions. Network VAPT addresses MAS expectations for internal and external network security validation.
RBI (India)
RBI Master Directions require periodic vulnerability assessment and penetration testing for regulated financial institutions including network infrastructure assessment.
For comprehensive compliance mapping, see our penetration testing compliance guide.
When to Conduct Network VAPT
Annually at minimum for compliance with PCI DSS, SOC 2, ISO 27001, MAS TRM, and RBI.
After network architecture changes including segmentation redesigns, new VLAN implementations, firewall migrations, and data centre consolidations.
After cloud connectivity changes connecting cloud environments via VPN, Direct Connect, or ExpressRoute. Cloud connectivity changes network topology.
After mergers and acquisitions integrating acquired company networks creating new trust boundaries.
After deploying new network security controls (next-gen firewalls, micro-segmentation, ZTNA) validating controls function as intended.
After security incidents involving network compromise validating remediation and ensuring similar paths don't exist elsewhere.
When adding vendor network access validating that third-party segments are properly isolated.
For frequency guidance, see our guide on how often to do penetration testing.
Network VAPT Checklist
Pre-Assessment
- External IP ranges and domains documented
- Internal network segments and IP ranges identified
- AD domain structure documented
- Wireless networks in scope identified
- Compliance requirements driving assessment identified
- Starting position for internal testing defined
- Domain credentials prepared for internal testing
- Firewall whitelisting for scanning IPs configured
- SOC team informed of assessment timeline
- Previous network assessment reports gathered
External Assessment
- All public IP ranges scanned
- No administrative ports exposed without restriction
- Firewall rules reviewed for overly permissive entries
- SSL/TLS configuration validated across all services
- DNS security checked (zone transfers, DNSSEC)
- Email authentication validated (SPF, DKIM, DMARC)
- VPN tested for auth weaknesses and configuration issues
- IDS/IPS effectiveness validated
Internal Assessment
- Network segmentation tested through actual lateral movement attempts
- Active Directory attack paths assessed (Kerberoasting, delegation, ACLs)
- Credential harvesting tested (LLMNR/NBT-NS, Kerberoasting)
- Privilege escalation from standard user to domain admin attempted
- Management interfaces not accessible from user networks
- Network device credentials not using defaults
- LAPS deployment validated (unique local admin passwords)
- Legacy protocols identified for remediation
Wireless Assessment
- WPA3 or WPA2-Enterprise on corporate networks
- Guest WiFi fully isolated from corporate
- Rogue AP detection operational
- Evil twin susceptibility tested
- Signal leakage assessed
Post-Assessment
- Report reviewed within 48 hours
- Critical findings assigned for immediate remediation
- Remediation tracked through ticketing system
- Retesting scheduled after remediation
- Compliance evidence archived
How AppSecure Delivers Network VAPT
AppSecure provides comprehensive network VAPT covering external, internal, and wireless network layers through expert-led manual testing.
Complete Network Coverage
Network VAPT covers external perimeter assessment, internal network penetration testing, Active Directory security evaluation, wireless security testing, segmentation validation, and network device hardening review. Testing addresses the full network security assessment scope through combined vulnerability assessment and exploitation validation.
Active Directory Expertise
Deep AD testing evaluating Kerberoasting, delegation abuse, ACL exploitation, AD CS attacks, DCSync, and trust relationship abuse. AD compromise paths are the highest-impact findings in network VAPT, and AppSecure's testers specialise in discovering them.
Zero False Positives
Every network finding is manually validated through exploitation. Your network team receives genuinely exploitable findings, not scanner noise. Zero false positives mean zero wasted remediation effort.
Attack Path Demonstration
Individual findings are chained into complete attack narratives: from initial credential capture through lateral movement, privilege escalation, and domain compromise. Attack paths communicate network risk far more effectively than individual vulnerability lists.
Multi-Framework Compliance Mapping
Reports map findings to PCI DSS, SOC 2, ISO 27001, HIPAA, MAS TRM, and RBI requirements. Single engagement, single report, multiple compliance frameworks addressed.
3-Week Delivery
Standard network VAPT engagements deliver within three weeks. 90-day post-delivery support includes remediation guidance for network hardening and complimentary retesting.
Integration with Broader Testing
Network VAPT integrates with web application testing, API testing, cloud testing, and mobile testing for full-stack coverage. Application security assessment and offensive security testing provide end-to-end security validation. Continuous penetration testing and PTaaS maintain ongoing network security validation.
Ready for network VAPT that reveals what your network looks like to attackers?
Frequently Asked Questions
1. What is network VAPT?
Network VAPT is vulnerability assessment and penetration testing applied specifically to network infrastructure. It combines systematic identification of network-level vulnerabilities (assessment) through automated scanning and manual review with active exploitation validating which weaknesses an attacker could actually use (penetration testing). Network VAPT covers external network perimeter, internal network infrastructure, Active Directory, wireless networks, and network devices. It reveals whether your network architecture, configurations, and controls prevent unauthorised access, lateral movement, and privilege escalation.
2. What is the difference between network VAPT and application VAPT?
Network VAPT tests network infrastructure: firewalls, routers, switches, segmentation, Active Directory, wireless access points, VPN gateways, and network services. Application VAPT tests software applications: web applications, APIs, mobile apps, and their underlying code. Network VAPT reveals whether attackers can breach the perimeter, move laterally, and access critical systems. Application VAPT reveals whether attackers can exploit software vulnerabilities in specific applications. Both are essential because network and application weaknesses create different but complementary attack paths.
3. What does external network VAPT cover?
External network VAPT tests everything reachable from the internet: public IP ranges for open ports and exposed services, firewall configuration and rule effectiveness, VPN gateway security, SSL/TLS configuration, DNS security, email authentication (SPF/DKIM/DMARC), and IDS/IPS effectiveness. External network VAPT answers whether an internet-based attacker can breach your network perimeter and gain initial access to your internal environment.
4. What does internal network VAPT cover?
Internal network VAPT tests your network from an assumed internal position: network segmentation effectiveness (can a compromised workstation reach servers and databases?), Active Directory attack paths (Kerberoasting, pass-the-hash, delegation abuse), lateral movement between systems, privilege escalation from standard user to administrator, internal service security, credential hygiene, legacy protocol exposure, and network device configuration. Internal VAPT reveals what an attacker achieves after gaining initial access.
5. What are the most common network VAPT findings?
The most critical findings include flat networks without segmentation (enabling unrestricted lateral movement), Kerberoastable service accounts with domain admin privileges (enabling domain compromise through password cracking), legacy protocols enabling credential capture (LLMNR/NBT-NS), identical local admin passwords across systems (enabling mass lateral movement), exposed administrative ports on the internet (RDP, SSH), accumulated firewall rule bloat creating unintended access, and guest WiFi not isolated from corporate networks.
6. How long does network VAPT take?
Standard network VAPT covering both external and internal components takes two to three weeks. External assessment takes three to five days. Internal assessment including Active Directory testing takes five to seven days. Analysis, reporting, and delivery take three to five days. Large enterprise networks with multiple segments, extensive cloud connectivity, and complex AD environments may require additional time. AppSecure delivers standard network VAPT within three weeks.
7. Which compliance frameworks require network VAPT?
PCI DSS mandates quarterly external vulnerability scanning and annual network penetration testing including segmentation validation. SOC 2 expects network access control validation. ISO 27001 requires network security assessment (A.8.20, A.8.21). HIPAA requires network safeguards for healthcare environments. MAS TRM (Singapore) mandates network testing for financial institutions. RBI (India) requires periodic network assessment for regulated entities. NYDFS requires annual penetration testing including network assessment.
8. How does network VAPT differ from a network vulnerability scan?
Network vulnerability scanning runs automated tools checking devices against known vulnerability databases. Scanning identifies potential weaknesses but doesn't validate exploitability, test segmentation through actual lateral movement, assess AD attack paths, or chain findings into attack narratives. Network VAPT includes scanning as one component but adds manual exploitation, segmentation testing through actual traffic, credential-based attacks, privilege escalation, and business impact demonstration. Scanning finds potential issues. Network VAPT proves which issues enable network compromise.
9. Should network VAPT include wireless testing?
Yes, for any organisation operating wireless networks. Wireless networks connected to corporate infrastructure represent network attack surface that wired-only testing misses. A compromised wireless connection can bypass every firewall and perimeter control protecting the wired network. At minimum, validate guest network isolation, corporate WiFi encryption, and rogue access point detection. Organisations in dense commercial buildings benefit from evil twin testing and signal leakage assessment.
10. How often should network VAPT be conducted?
Annual network VAPT at minimum for compliance. Additional testing after network architecture changes, cloud connectivity changes, mergers and acquisitions, new security control deployment, security incidents, and vendor network access provisioning. Organisations with complex networks, Active Directory environments, and high-value data benefit from semi-annual network VAPT alternating focus between external perimeter and internal network assessment.

Tejas K. Dhokane is a marketing associate at AppSecure Security, driving initiatives across strategy, communication, and brand positioning. He works closely with security and engineering teams to translate technical depth into clear value propositions, build campaigns that resonate with CISOs and risk leaders, and strengthen AppSecure’s presence across digital channels. His work spans content, GTM, messaging architecture, and narrative development supporting AppSecure’s mission to bring disciplined, expert-led security testing to global enterprises.






































































































