Assumed Breach
What is Assumed Breach?
An assumed breach (also called assume compromise) penetration test is an engagement model in which the tester begins with a pre-authorized internal foothold — simulating the scenario where an attacker has already successfully gained initial access to the environment — rather than attempting to breach the perimeter from scratch. The assumed breach model reflects a security philosophy aligned with Zero Trust Architecture: rather than asking 'can an attacker get in?', it asks 'given that an attacker is already in, what can they do, and would we detect them?' This framing produces findings that are directly relevant to the most impactful phase of real attacks — the period between initial access and business impact.
Description
Assumed breach testing is valuable because initial access is often the easiest phase for attackers to achieve — phishing, credential stuffing, supply chain compromise, and third-party vendor access all provide entry points that perimeter-focused testing does not adequately model. Once inside, the attacker's success depends on the internal security architecture: network segmentation, least-privilege identity controls, internal monitoring, and the speed of detection and response. Assumed breach tests these internal controls directly.

The starting position varies by engagement objective: a low-privilege user account simulates a phishing compromise; a standard IT workstation simulates a malware infection; a privileged help desk account simulates an insider or compromised administrator; or a contractor VPN credential simulates a third-party access compromise. From the starting position, testers pursue realistic attacker objectives: lateral movement to adjacent systems, privilege escalation to domain administrator, access to sensitive data stores, persistence establishment, and detection evasion.

CrowdStrike's 2026 Global Threat Report noted that average attacker breakout time — from initial access to lateral movement — continues to shrink, meaning organizations have an increasingly narrow window for detection and containment. Assumed breach testing measures this window empirically.
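The internal control that an assumed breach engagement exercises most directly is monitoring: would an account that suddenly fans out across many internal hosts be noticed, and how long after the foothold? The following is an added example written for this page, not code from Evolve Security. It runs a simple fan-out detector over a constructed authentication log (the line format, host names, account names and timestamps are all invented) and then reports the detection latency relative to an assumed foothold time, which is the "window" the paragraph above says an assumed breach test measures.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log; the format is invented for this example:
#   <ISO-8601 UTC timestamp> user=<account> src=<host> dst=<host> event=<type>
# "jdoe" is a low-privilege clinical account; the burst at 10:15 is the kind of
# fan-out that host/session enumeration from a compromised workstation produces.
LOG_LINES = """\
2026-03-04T09:00:05Z user=jdoe src=WS-NURSE-07 dst=FILESRV01 event=logon
2026-03-04T09:01:10Z user=jdoe src=WS-NURSE-07 dst=PRINT01 event=logon
2026-03-04T09:31:40Z user=jdoe src=WS-NURSE-07 dst=FILESRV01 event=logon
2026-03-04T10:15:01Z user=jdoe src=WS-NURSE-07 dst=DC01 event=logon
2026-03-04T10:15:02Z user=jdoe src=WS-NURSE-07 dst=FILESRV01 event=logon
2026-03-04T10:15:02Z user=jdoe src=WS-NURSE-07 dst=BACKUP-SRV01 event=logon
2026-03-04T10:15:03Z user=jdoe src=WS-NURSE-07 dst=SQL01 event=logon
2026-03-04T10:15:03Z user=jdoe src=WS-NURSE-07 dst=APP02 event=logon
2026-03-04T10:15:04Z user=jdoe src=WS-NURSE-07 dst=HR-SRV01 event=logon
2026-03-04T10:20:30Z user=msmith src=WS-ADMIN-01 dst=DC01 event=logon
2026-03-04T10:21:00Z user=msmith src=WS-ADMIN-01 dst=DC02 event=logon
"""

# Assumed engagement start (the moment the tester was handed the foothold).
FOOTHOLD_TS = datetime(2026, 3, 4, 10, 0, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Turn one constructed log line into a dict with a timezone-aware 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_fan_out(lines, window=timedelta(minutes=10), threshold=5):
    """Alert when one account reaches >= threshold distinct hosts inside a sliding window.

    Lines must be in time order. One alert per account per window, so a long
    burst does not flood the analyst with repeats.
    """
    recent = defaultdict(deque)  # account -> deque of (ts, dst) inside the window
    last_alert = {}
    alerts = []
    for line in lines.strip().splitlines():
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        q.append((ts, rec["dst"]))
        while q and ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = {dst for _, dst in q}
        suppressed = user in last_alert and ts - last_alert[user] <= window
        if len(distinct) >= threshold and not suppressed:
            last_alert[user] = ts
            alerts.append({"user": user, "ts": ts, "hosts": sorted(distinct)})
    return alerts


def detection_latency(alerts, foothold_ts):
    """Time from the assumed foothold to the first alert; None if nothing fired."""
    if not alerts:
        return None
    return min(a["ts"] for a in alerts) - foothold_ts


if __name__ == "__main__":
    found = detect_fan_out(LOG_LINES)
    for a in found:
        print(f"{a['ts'].isoformat()} {a['user']} reached {len(a['hosts'])} hosts: {a['hosts']}")
    lat = detection_latency(found, FOOTHOLD_TS)
    print("detection latency:", lat)
```

The thresholds are deliberately simple; in a real deployment they would be tuned per role, since an administrator like "msmith" legitimately touches more hosts than a clinical user. The value of running this against an engagement timeline is the latency figure: if the first alert fires well after the tester already holds domain administrator rights, the monitoring control has been measured and found too slow.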
Usage and Examples
A healthcare organization commissions an assumed breach engagement starting from a standard nurse workstation account — the access level of a typical clinical employee with no IT privileges. Within the rules of engagement, the tester: uses BloodHound to map Active Directory attack paths; identifies a path from the nurse workstation to a server running backup software with a privileged service account; extracts the service account credential; uses it to access the domain controller; and achieves domain administrator rights within 6 hours. The entire chain involved no software exploitation — only credential abuse and misconfigured service accounts. The findings directly inform remediation: service account privilege reduction, monitoring for BloodHound-style enumeration activity, and Active Directory tiering to limit lateral movement paths.
How Does This Relate to Penetration Testing?
Assumed breach testing is one of Evolve Security's highest-value engagement types — particularly for organizations that have invested in perimeter security and want to understand their internal resilience. Assumed breach assessments complement external network testing and provide the realistic post-compromise scenario that red team engagements build on. They answer the questions boards and executives ask after reading breach headlines: 'If we were hit, how far would they get? How long would it take us to detect it? What would they be able to access?' Assumed breach findings are among the most compelling security evidence available for driving remediation investment. Evolve Security's Assumed Breach Penetration Testing service provides the most realistic assessment of your post-compromise risk — measuring exactly how far an attacker with a foothold could advance in your environment.