Assumed Breach
Assumed breach is a penetration testing approach where testers begin with the premise that an attacker has already gained some level of access, allowing them to focus on evaluating an organisation’s internal detection, response, and resilience.
Short Definition
Assumed breach testing starts from the inside, simulating what a threat actor could do after bypassing perimeter defences.
Expanded Definition
Traditional penetration tests often focus on breaking in from the outside. However, in modern cyber security, organisations increasingly recognise that perimeter controls are not infallible. Assumed breach testing accepts this reality and shifts the focus to what happens next.
In this approach, penetration testers start with an internal foothold—for example, a low-privilege user account, access to an internal workstation, or presence on the internal network. From there, they attempt realistic attacker activities such as privilege escalation, lateral movement, credential harvesting, or data exfiltration.
The goal is not to test whether an attacker can get in, but rather to understand how far they could progress, what systems they could compromise, and whether the organisation would detect them in time.
Why It Matters
Assumed breach testing provides a clearer picture of an organisation’s true cyber resilience. Perimeter compromises happen—through phishing, software vulnerabilities, stolen credentials, or insider threats. The important question is: What happens once an attacker is inside?
This approach helps organisations identify:
- gaps in monitoring and detection
- weaknesses in internal access controls
- excessive privileges or poor segmentation
- slow or ineffective incident response
- risks that traditional penetration testing might overlook
It is especially valuable for understanding real attacker impact and improving defence-in-depth strategies.
When It’s Relevant / Common Use Cases
Assumed breach testing is commonly used by organisations with mature security postures that want deeper insight into potential internal risks. It’s particularly relevant when:
- assessing SOC and incident response effectiveness
- evaluating Active Directory or identity security
- testing lateral movement paths inside networks
- validating zero-trust or segmentation controls
- preparing for targeted or advanced persistent threat (APT) scenarios
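The central question above is whether the SOC would notice an attacker moving inside the network. As an added illustration (not part of the original article), the script below runs a simple lateral-movement check over constructed network logon records: it flags any account that authenticates to several distinct hosts within a short window, the kind of fan-out an assumed breach exercise produces and that a detection team should be able to spot. Hostnames, accounts, thresholds and the log format are all made up for the example.

```python
"""Added example: detect one account fanning out across many hosts in a short
window. Records are constructed (simplified Windows 4624 / Logon Type 3 data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records: timestamp, account, destination host, source IP.
SAMPLE_LOGONS = """\
2024-03-04T09:00:12 alice WS-014 10.20.1.14
2024-03-04T09:01:03 svc-backup FS-01 10.20.9.2
2024-03-04T09:02:41 jsmith WS-101 10.20.3.7
2024-03-04T09:03:05 jsmith WS-102 10.20.3.7
2024-03-04T09:03:40 jsmith FS-01 10.20.3.7
2024-03-04T09:04:15 jsmith SQL-02 10.20.3.7
2024-03-04T09:04:50 jsmith DC-01 10.20.3.7
2024-03-04T09:30:00 alice FS-01 10.20.1.14
2024-03-04T10:15:00 alice WS-014 10.20.1.14
"""

def parse_logons(text):
    """Parse 'ts account host src_ip' lines into sorted (datetime, account, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, _src = line.split()
        events.append((datetime.fromisoformat(ts), account, host))
    return sorted(events)

def detect_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Return one alert per account that reaches >= threshold distinct hosts
    within `window`. Uses a sliding window over each account's own logons;
    the alert records the hosts seen at the moment the threshold was crossed."""
    per_account = defaultdict(list)
    for ts, account, host in events:
        per_account[account].append((ts, host))
    alerts = []
    for account, logons in per_account.items():
        for i, (ts, _host) in enumerate(logons):
            recent = {h for t, h in logons[:i + 1] if t >= ts - window}
            if len(recent) >= threshold:
                alerts.append({"account": account, "hosts": sorted(recent),
                               "window_end": ts.isoformat()})
                break  # one alert per account is enough for triage
    return alerts

if __name__ == "__main__":
    for a in detect_fanout(parse_logons(SAMPLE_LOGONS)):
        print(f"{a['account']} reached {len(a['hosts'])} hosts by {a['window_end']}: {a['hosts']}")
```

Normal users such as `alice` touch a couple of hosts over an hour and stay silent; `jsmith` hitting four hosts in under two minutes trips the rule, which is the signal an assumed breach test checks the monitoring stack actually raises.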
Examples / Analogies
Think of assumed breach like testing your home security by starting with the assumption that someone is already inside the house. Instead of checking locks and windows, you examine how well interior alarms, room restrictions, and emergency procedures work from that point forward.
TL;DR Summary
Assumed breach is a penetration testing method where testers begin with internal access to simulate what attackers could do after getting in. It reveals weaknesses in detection, response, and internal controls, helping organisations strengthen real-world cyber resilience.
