Breach Impact Assessment

The question after a house fire is not whether a fire could have started - given a chip pan and bad luck, one always could. The question is whether the building had fire doors that contained it to one room, or if the whole place went up. Our Breach Impact Assessment applies that logic to a cyberattack. Rather than asking whether your perimeter can be breached - it almost always can, given a sufficiently patient and motivated adversary - it asks the question that actually determines how bad a breach becomes: once someone has a foothold, how far can they get, how fast, and what can they reach? This is your blast radius, and for most organisations, it is both among the most important and least examined dimensions of their security.

What This Assessment Is Not

Our Breach Impact Assessment is not a test of whether you can be breached. It deliberately assumes the breach has already happened and starts there, because for most organisations completely preventing breaches is not practical, while the blast radius is much more within their control - and almost never measured. By starting from an assumed foothold rather than working to earn one, it is also a far more efficient way to answer the question that matters most: we skip the uncertain initial-access phase that a Red Teaming engagement spends much of its time on, and spend the whole engagement on internal impact instead.

From Foothold To Objective

We start from an assumed-compromise position agreed with you - typically the access a successful phishing attack or a single compromised device would yield, such as the privileges of a standard user on a standard workstation. From there we behave as an attacker who has just landed: we enumerate the environment, hunt for credentials cached on the host and reachable across the network, and seek paths to escalate privilege locally and then across the domain. We map lateral movement, identify the trust relationships and misconfigurations that turn one machine into many, and pursue the objectives that represent real harm - sensitive data stores, critical systems, and the privileged accounts that confer control over everything. This work draws on the same techniques as our Network Infrastructure Assessment, Workstation Security Assessment, and Server Security Assessment, applied end to end towards a goal rather than to one surface in isolation.

Simulating Attacker Behaviour

Once our Breach Impact Assessment begins, we will try to operate much as an attacker would. We test possibilities for lateral movement and privilege escalation, and can also test the ease of evading detection by any active monitoring systems. This means that our Breach Impact Assessment can include a test of the effectiveness of an organisation's security operations centre, if it has one. We prioritise gaining pathways to targets whose compromise would be particularly damaging to an organisation or appealing to real attackers; those wishing for a more specific model of what an attacker might specifically target post-exploitation should consider our Threat Modelling offering.

We can offer a variety of options for simulating the initial foothold an attacker might possess. Our default option is remote code execution on a single staff member's device, as social engineering is the most fundamentally probabilistic form of initial attack vector: injection on a web application can be hardened technically, but, while our Social Engineering Assessment and Staff Training offerings aim to reduce the chance of a successful social engineering attack against your organisation, it is not possible to be certain of fully preventing them.

Making The Abstract Concrete

It is one thing to know in principle that a flat network is risky. It is another to see, demonstrated and documented, that a single phished employee leads in four steps to domain administrator and your entire customer database. Our Breach Impact Assessment produces exactly that demonstration, and it consistently reframes how organisations think about risk - shifting attention from keeping every attacker out, which is impossible, to ensuring that getting in does not mean getting everything, which is achievable. It is also a realistic model of a ransomware event, since ransomware is precisely an attacker who has a foothold and is racing to reach and encrypt everything before anyone stops them.

What You Receive

You receive a trace of each path from foothold to objective, prioritised by the severity of what it reaches, and the controls that would contain a breach: segmentation, privilege reduction, credential hygiene, tiered administration, and the detection that would catch lateral movement in progress. Where you have detection and response in place, we measure it along the way - what fired, what reached a human, and how the timeline of detection compared to the timeline of compromise. For organisations that want to act on the findings, the containment work itself is the remit of our Security Engineering service. The Breach Impact Assessment answers the question your leadership most needs answered, and the one insurers and regulators increasingly ask directly: not whether you will be breached, but whether a breach would be a contained incident or a catastrophe.