Internal Attack Surface

Why It Matters and What Guard Does

The Assume Breach Reality

Here's the uncomfortable truth about enterprise security: your perimeter will be breached. It's not a matter of if — it's a matter of when and how bad it gets afterward.

Most enterprise networks are like M&Ms — hard crunchy shell on the outside, soft chewy middle on the inside. Organizations spend millions on firewalls, WAFs, EDR, and email gateways to harden that outer shell. But once an attacker gets past it — and they will — they land in an environment that was never designed to resist an internal adversary.

The numbers bear this out. The vast majority of successful breaches begin with social engineering — a convincing phishing email, a vishing call to the help desk, a credential stuffed from a previous breach. These techniques don't require zero-days or sophisticated exploits. They require a single employee to click, and they succeed at scale. Once an attacker has that initial foothold — a workstation, a set of domain credentials, a VPN session — the question stops being "can they get in?" and becomes "how far can they go?"

The answer, in most environments, is disturbingly far.

A single set of domain credentials typically gives an attacker visibility into every user, group, and computer in Active Directory. From there, it's a matter of following the paths — overprivileged service accounts, misconfigured Group Policy, vulnerable certificate templates, plaintext passwords sitting on file shares. In a typical enterprise environment, an experienced attacker can go from a compromised workstation to domain admin in hours, not weeks.

This is your internal attack surface. Not just the services running inside your network, but the trust relationships, permission chains, and configuration weaknesses that connect them. Guard maps this entire landscape — showing you the blast radius of a compromised credential before an attacker ever gets one.

Why Enable the Internal Attack Surface

Because the perimeter isn't the battle anymore

The security industry spent two decades building better walls. Attackers responded by going through people instead. Social engineering, credential theft, and supply chain compromise bypass perimeter defenses entirely. Assume breach isn't pessimism — it's the operating model that every mature security program adopts. Guard gives you visibility into what happens after that initial compromise.

Because Active Directory is the skeleton key

Active Directory is the single most consequential piece of infrastructure in most enterprises. It controls who can access what, which machines trust which accounts, and how security policy propagates across thousands of endpoints. A misconfiguration in AD doesn't just create a vulnerability — it creates an attack path that can cascade across your entire organization.

The challenge is that AD environments are complex, organic, and constantly changing. Users get added, permissions get granted "temporarily" and never revoked, certificate templates get created by teams that don't understand the security implications. Over time, the gap between your intended security posture and your actual security posture widens invisibly. Guard continuously measures that gap.

Because the blast radius is what matters

When a security team asks "what's our risk?" — the real question is "if someone gets in, how bad does it get?" The answer depends entirely on the internal attack surface: How many paths lead to domain admin? How many shares contain credentials? How many database servers accept default passwords? How isolated are your network segments actually?

Guard quantifies the blast radius so you can reduce it before it matters.

Attack Path Visualization

One of Guard's most powerful capabilities for the internal attack surface is attack graph analysis — a visual, queryable map of every relationship in your Active Directory environment and the paths an attacker could follow through it.

How It Works

Guard collects a comprehensive graph of your AD environment: every user, group, computer, session, ACL, trust relationship, and local admin right. This data is stored as a relationship graph that can be queried and visualized, showing:

Shortest paths to domain admin — The minimum number of steps from any compromised account to full domain control
Tier zero asset exposure — Which accounts and groups have direct or indirect control over domain controllers, the AD schema, and enterprise admin groups
Kerberoastable accounts — Service accounts with SPNs that can be targeted for offline credential cracking
Unconstrained delegation risks — Machines that can impersonate any user to any service, creating invisible privilege escalation
Cross-domain trust abuse — Where trust relationships between domains or forests create unexpected access paths
Local admin chains — Sequences of machines where local admin on one gives credentials that grant local admin on the next, creating a chain to high-value targets

Why This Changes the Conversation

Traditional vulnerability scanning tells you "this server is missing a patch." Attack path analysis tells you "if this help desk user clicks a phishing link, an attacker is three hops from domain admin through this specific chain of group memberships, local admin rights, and session reuse."

That's a fundamentally different — and far more actionable — kind of finding. It shifts the conversation from "patch everything" to "fix these specific relationships that create the most dangerous paths." You can't fix every misconfiguration in a 10,000-user AD environment, but you can break the five chains that lead to domain admin.

Guard's attack graphs work similarly to how security teams use tools in managed Windows environments to map Azure AD and hybrid identity relationships — but applied continuously and integrated directly into your risk management workflow.

How Internal Scanning Works

Unlike external scanning which runs from the cloud, internal scanning requires a lightweight agent deployed inside your network. Guard uses a purpose-built agent that runs as a system service on Windows or Linux machines within your environment.

Agent Deployment

Download an installer — Guard generates platform-specific installers (Windows MSI, Linux DEB/RPM) pre-configured with your organization's credentials
Install on a host — Run the installer on one or more machines inside your network. The agent runs as a system service with the permissions needed for security assessment
Agent connects to Guard — The agent establishes an encrypted connection back to Guard's management infrastructure using mutual TLS authentication
Capabilities are deployed remotely — Guard pushes scanning capabilities to agents on demand. No manual configuration required

Supported Platforms

Platform	Installer	Agent Service
Windows (Server 2008+, Windows 7+)	MSI package	Windows Service
Linux (Debian/Ubuntu)	DEB package	systemd service
Linux (RHEL/CentOS)	RPM package	systemd service

What Guard Discovers and Tests

Active Directory Security Assessment

Guard provides deep visibility into Active Directory misconfigurations and attack paths — the most common vector for lateral movement and privilege escalation in enterprise environments.

Capability	What It Does	Why It Matters
AD Graph Collection	Maps users, groups, computers, sessions, ACLs, trust relationships, and local admin rights across the domain	Produces the attack path graph described above — the foundation for understanding your true internal risk posture
AD Security Posture Assessment	Analyzes domain configuration against security best practices with risk scoring and remediation recommendations	Identifies weak authentication policies, missing security controls, and configuration drift — the issues that compliance audits catch too late
Certificate Services Vulnerability Scanning	Enumerates AD Certificate Services (ADCS) configuration and identifies vulnerable certificate templates (ESC1-ESC8)	Misconfigured certificate templates are one of the fastest paths to domain admin. A single vulnerable template can allow any domain user to impersonate any other user
GPO Security Auditing	Scans Group Policy Objects for misconfigurations, unsafe permissions, credential exposure, and privilege escalation vectors	GPOs control security policy for every domain-joined machine. A misconfigured GPO can push plaintext passwords, create backdoors, or weaken security controls domain-wide
Logon Script Analysis	Inspects logon scripts for plaintext credentials, unsafe file permissions, exploitable paths, and administrative users with scripts	Logon scripts frequently contain hardcoded passwords and run with elevated privileges — a common and easily exploited weakness
AD DNS Enumeration	Enumerates Active Directory-integrated DNS records to discover internal infrastructure	Maps the internal network topology and reveals services that may not appear in asset inventories
Domain Controller SMB Signing Check	Verifies whether domain controllers enforce SMB signing	Without SMB signing enforcement, attackers can intercept and relay authentication to gain unauthorized access to domain controllers
AD Configuration Rules Assessment	Evaluates Active Directory against a library of security configuration rules with category-based filtering	Provides targeted assessment against specific compliance frameworks or security domains

Guard supports both Windows-native collection (running directly on domain-joined machines) and Linux-based collection (using domain credentials from a non-domain machine), giving flexibility in how agents are deployed.

Network Security Testing

Capability	What It Does	Why It Matters
Internal Port Scanning	Scans internal IP ranges and CIDRs for open ports with service version detection	Maps the internal attack surface — discovers services that shouldn't be exposed and validates that only expected services are running
Network Segmentation Validation	Tests whether network isolation controls are working by scanning target ranges from the agent's network position	Validates that firewall rules and VLANs are actually preventing unauthorized cross-segment access — the most common gap between security policy and reality

Network segmentation testing supports three modes: quick scan (top 100 ports — only reports if services are reachable), comprehensive scan (top 1000 ports — full results), and custom port ranges for targeted validation.

SMB File Share Assessment

Capability	What It Does	Why It Matters
Sensitive File Discovery	Crawls accessible SMB shares across the domain, analyzing file contents for passwords, API keys, certificates, and other credentials	Credentials stored in file shares are a top lateral movement vector. Attackers routinely find domain admin passwords in scripts, configuration files, and documentation on open shares
Share Enumeration & Permission Analysis	Maps all network shares across the domain with access permissions and identifies overly permissive configurations	Reveals which shares are world-readable, which contain sensitive directories, and where access controls don't match security policy
SMB Share Secret Scanning	Performs deep content analysis of files on SMB shares using pattern-based secret detection	Finds plaintext credentials, API keys, certificates, and configuration secrets buried in files across the domain

Database Security Assessment

Capability	What It Does	Why It Matters
SQL Server Domain Discovery	Queries Active Directory to find all SQL Server instances registered via Service Principal Names	Discovers database servers that may not be in your asset inventory — shadow IT databases are common in large enterprises
SQL Server UDP Discovery	Discovers SQL Server instances via UDP broadcast on the local network	Finds database instances that aren't registered in AD but are accessible on the network
SQL Server Security Assessment	Comprehensive assessment covering authentication, linked servers, stored procedures, CLR integration, SQL Agent, and SCCM database access	Identifies SQL Server misconfigurations that enable data access, command execution, or privilege escalation — linked server chaining alone can traverse entire environments

Internal Web Application Scanning

Capability	What It Does	Why It Matters
Internal Vulnerability Scanning	Runs template-based vulnerability detection against internal web services covering CVEs, misconfigurations, default credentials, and exposed admin panels	Internal web applications often lack the security scrutiny of public-facing services, yet they frequently contain sensitive data and administrative interfaces

Both Windows and Linux agents support internal web scanning, with template categories including CVEs, exposed panels, default logins, misconfigurations, network services, SSL/TLS, and DNS issues.

Credential Testing

Guard includes a multi-protocol credential testing engine that validates whether internal services are protected by strong authentication:

24 supported protocols including SSH, RDP, SMB, LDAP, WinRM, MySQL, PostgreSQL, MSSQL, MongoDB, Redis, and more.

Key features for internal testing:

Default credential detection per protocol — tests the passwords attackers try first
Known-bad SSH key identification — finds devices shipping with compromised private keys
Rate-limited execution — configurable to avoid account lockouts
Manual-only execution — runs only when explicitly triggered by a security operator

How It All Connects: The Internal Discovery Chain

Agent Deployed Inside Network
  │
  ├─→ AD Graph Collection ─→ Users, groups, computers, trusts mapped
  │     ├─→ Attack path analysis ─→ Privilege escalation routes visualized
  │     ├─→ Overprivileged accounts ─→ Excessive permissions flagged
  │     ├─→ Kerberoastable SPNs ─→ Offline cracking targets identified
  │     └─→ Trust relationships ─→ Cross-domain risks assessed
  │
  ├─→ AD Security Assessment ─→ Configuration weaknesses scored
  │     ├─→ GPO Auditing ─→ Policy misconfigurations found
  │     ├─→ Certificate Services ─→ Vulnerable templates identified
  │     ├─→ Logon Script Analysis ─→ Hardcoded credentials found
  │     └─→ SMB Signing Check ─→ Relay attack risk assessed
  │
  ├─→ Network Scanning ─→ Internal services discovered
  │     ├─→ Segmentation Validation ─→ Isolation gaps found
  │     └─→ Service Fingerprinting ─→ Versions and vulnerabilities matched
  │
  ├─→ File Share Assessment ─→ Shares enumerated
  │     ├─→ Sensitive File Discovery ─→ Exposed credentials found
  │     └─→ Permission Analysis ─→ Overly permissive shares flagged
  │
  └─→ Database Discovery ─→ SQL Servers found
        ├─→ Security Assessment ─→ Misconfigurations identified
        └─→ Linked Server Analysis ─→ Lateral movement paths mapped

Every finding feeds back into the attack graph. A credential discovered on a file share connects to the user it belongs to. That user's group memberships reveal what systems they can access. Those systems' local admin rights reveal the next hop. Guard connects these dots automatically — turning isolated findings into a map of real attack chains.

What Users See in the Platform

Agent Management

A dedicated agent management console showing:

All deployed agents with hostname, IP addresses, and online/offline status
Agent health monitoring (system resources, connectivity, service status)
One-click installer downloads for each supported platform
Deployment instructions for each operating system

Attack Path Graphs

Interactive graph visualizations showing:

Relationships between AD objects (users, groups, computers, domains)
Highlighted attack paths from compromised accounts to high-value targets
Queryable graph for exploring specific "what if" scenarios (e.g., "what can this service account reach?")
Prioritized remediation — which single change breaks the most attack paths

Internal Asset Inventory

Internal assets appear in the same unified asset inventory as external assets, classified with the "Intranet" attack surface label. Users can filter by attack surface to focus on internal-only assets.

Risk Management

Internal findings follow the same lifecycle as external findings:

Severity rating with risk scoring
Triage workflow (Triage → Open → Remediated/Accepted)
Proof data from the scanning tool
Remediation recommendations specific to internal findings (AD hardening, GPO fixes, share permissions, etc.)

Capability Summary

Guard's internal attack surface scanning provides 25+ agent-deployed capabilities organized by domain:

Category	Capabilities	Platforms
Active Directory	AD graph collection and attack path analysis, security posture assessment, certificate services scanning, GPO auditing, logon script analysis, DNS enumeration, SMB signing checks, configuration rules assessment	Windows + Linux
Network Security	Port scanning, network segmentation validation	Windows + Linux
File Shares	Sensitive file discovery, share enumeration, permission analysis, secret scanning	Windows + Linux
Database	SQL Server domain discovery, UDP discovery, comprehensive security assessment	Windows
Web Applications	Internal vulnerability scanning with template-based detection	Windows + Linux
Credentials	Multi-protocol credential testing across 24 protocols	Cloud + Agent

All capabilities execute through Guard's agent infrastructure with encrypted communication, multi-tenant isolation, and centralized result aggregation. Results integrate directly into the attack path graph — so every finding is contextualized not just as an isolated issue, but as part of the broader picture of what an attacker could actually do inside your network.

The goal isn't to find every vulnerability. It's to understand the paths that matter — and break them.