18.5
IG3

Perform Periodic Internal Penetration Tests

Control Group: 18. Penetration Testing
Asset Type: N/A
Security Function: Identify

Description

Perform periodic internal penetration tests based on program requirements, no less than annually. Testing may be clear box (the testers are given internal knowledge such as credentials, network diagrams, or source code) or opaque box (the testers start with no prior knowledge of the environment).

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Define penetration testing scope and rules of engagement
6. Engage qualified penetration testing team
7. Review findings and prioritize remediation
8. Validate remediation through retesting
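Steps 4, 7 and 8 of the checklist are the ones an assessor will ask for evidence of: that a test ran within the last year, that findings were prioritized, and that each claimed fix was confirmed by a retest rather than closed on the word of the system owner. The following is an added example, not part of the CIS safeguard text or any CIS tooling: a small record keeper for an internal penetration testing program that computes exactly those three facts from engagement records. The engagements, finding identifiers (F-1 to F-4), dates and severity ranking are constructed sample data and assumptions of the example, not results from a real test.

```python
"""Added example (not CIS material): track internal penetration test
engagements and check annual cadence, remediation priority, and retest
validation. All records here are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_INTERVAL = timedelta(days=365)  # "no less than annually"
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    id: str
    title: str
    severity: str
    remediated: bool = False                # owner claims the fix is in place
    retest_passed: Optional[bool] = None    # None: not retested yet


@dataclass
class Engagement:
    start: date
    approach: str   # "clear box" or "opaque box", as in the safeguard description
    scope: str
    findings: List[Finding] = field(default_factory=list)


def latest_engagement(engagements: List[Engagement]) -> Optional[Engagement]:
    return max(engagements, key=lambda e: e.start, default=None)


def cadence_ok(engagements: List[Engagement], today: date) -> bool:
    """True when the most recent internal test started within MAX_INTERVAL of today."""
    latest = latest_engagement(engagements)
    return latest is not None and today - latest.start <= MAX_INTERVAL


def next_due(engagements: List[Engagement]) -> Optional[date]:
    """Latest start date for the next test that still keeps the annual cadence."""
    latest = latest_engagement(engagements)
    return None if latest is None else latest.start + MAX_INTERVAL


def prioritized(findings: List[Finding]) -> List[Finding]:
    """Remediation order: most severe first; sort is stable for equal severity."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def still_open(findings: List[Finding]) -> List[Finding]:
    """A finding is closed only when remediated AND the retest passed (step 8)."""
    return [f for f in findings if not (f.remediated and f.retest_passed is True)]


def unvalidated(findings: List[Finding]) -> List[Finding]:
    """Claimed fixed, but the retest was not run or did not pass."""
    return [f for f in findings if f.remediated and f.retest_passed is not True]


def program_status(engagements: List[Engagement], today: date) -> Dict[str, object]:
    """Summary in the shape of the remediation-tracking evidence record."""
    latest = latest_engagement(engagements)
    findings = latest.findings if latest else []
    return {
        "cadence_ok": cadence_ok(engagements, today),
        "next_due": next_due(engagements),
        "open": [f.id for f in prioritized(still_open(findings))],
        "unvalidated": [f.id for f in unvalidated(findings)],
    }


# Constructed sample records (hypothetical; not from any real engagement).
ENGAGEMENTS = [
    Engagement(date(2023, 3, 1), "opaque box",
               "corporate LAN, assume-breach from a standard user account"),
    Engagement(date(2024, 2, 15), "clear box",
               "corporate LAN and server segment, assume-breach",
               findings=[
                   Finding("F-1", "Overly permissive file share", "high",
                           remediated=True, retest_passed=True),
                   Finding("F-2", "AD misconfiguration allows escalation to domain admin",
                           "critical", remediated=True, retest_passed=None),
                   Finding("F-3", "Weak segmentation between user and server networks",
                           "medium", remediated=False),
                   Finding("F-4", "Misconfigured internal service", "high",
                           remediated=True, retest_passed=False),
               ]),
]
TODAY = date(2024, 6, 1)       # within a year of the last test
LATER = date(2025, 3, 1)       # past the annual deadline

if __name__ == "__main__":
    print(program_status(ENGAGEMENTS, TODAY))
    print("cadence still ok on", LATER, ":", cadence_ok(ENGAGEMENTS, LATER))
```

The point of `still_open` is that a finding marked remediated with no passing retest (F-2, F-4 above) stays open; a tracker that closes findings on the remediation flag alone cannot produce the retest validation evidence the safeguard asks for.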

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Lateral Movement Paths Undiscovered Until Real Breach

Confidentiality

An attacker who gains initial internal access discovers and exploits lateral movement paths between network segments that would have been identified by an internal penetration test.

Internal Privilege Escalation to Domain Administrator

Confidentiality

An attacker escalates from a standard user account to domain administrator using Active Directory misconfigurations that an internal penetration test would have uncovered and flagged for remediation.

Insider Threat Exploits Internal Weaknesses

Confidentiality

A malicious insider exploits weak internal segmentation, overly permissive file shares, and misconfigured services that have never been tested from an internal attacker's perspective.

Vulnerabilities (When Safeguard Absent)

Internal Network Not Tested from Attacker Perspective

Without internal penetration testing, vulnerabilities that are only exploitable after initial access, such as Active Directory misconfigurations, weak segmentation, and lateral movement paths, remain undiscovered.

Assume-Breach Scenario Never Validated

Absence of internal penetration testing means the organization has never evaluated its defensive posture under the assumption that an attacker has already bypassed perimeter controls and has internal access.

Evidence Requirements

Type      Evidence Item                                                        Collection Frequency
Document  Current inventory or catalog documentation                           Maintained continuously, reviewed quarterly
Document  Process/procedure documentation for identification activities        Reviewed annually
Record    Penetration test report and executive summary                        Per engagement
Record    Remediation tracking and retest validation results                   Post-engagement
Document  Governing policy document (current, approved, communicated)          Reviewed annually