
PRODUCT FOCUS: Assumed Breach Testing

Published: 5th May 2026

When the Perimeter Is No Longer the Problem

Most security testing still asks the same question: can an attacker get in? It’s a reasonable starting point, but the evidence suggests it’s increasingly not the best place to start.

The UK Government’s Cyber Security Breaches Survey 2025/2026 found that 43% of UK businesses experienced a cyber security breach or attack in the last 12 months, and notes that this figure is likely an underestimate, capturing only incidents organisations were able to identify and willing to report. More telling still, ransomware crime against UK businesses doubled year-on-year, rising from under 0.5% to 1% of all firms: an estimated 19,000 companies hit with ransom demands. In virtually every significant ransomware incident, the perimeter was not forcibly broken: a credential was reused, a helpdesk was manipulated, or a supplier was already compromised. The attacker didn’t breach the door; they walked through one that had been opened for them. What happened next is where the real damage was done, and it is precisely the phase that receives the least testing attention.

Starting from the Inside

Assumed Breach Testing, delivered through our expert partner Risk Crew, begins where most attacks do their real work: inside your environment. Rather than spending budget on proving whether initial access is theoretically possible, the engagement begins with a simulated low-privilege foothold and asks what happens next.

The urgency behind that question is well-supported by the data. According to CrowdStrike’s 2026 Global Threat Report, the average time between an attacker’s initial access and the moment they begin moving laterally dropped to just 29 minutes in 2025, a 65% increase in speed from the year prior. The fastest observed breakout occurred in 27 seconds. At that pace, detection windows are not measured in hours. They are measured in minutes. And in 2025, 82% of detections were malware-free, meaning most intrusions involved no traditional malicious code at all, with attackers bypassing signature-based defences by blending into normal activity using valid credentials and trusted access paths.

This is precisely what Risk Crew’s engineers replicate. From a minimal foothold, Active Directory is enumerated, trust relationships are mapped, and misconfigurations, excessive permissions, and weak segmentation become the primary attack surface. Lateral movement techniques blend into legitimate traffic while paths toward domain controller-level access are methodically identified and tested.

What It Tells You That Other Testing Cannot

The findings from these engagements answer the questions that matter most: how far can an attacker move before detection? Are internal controls sufficient to contain the blast radius? Would your tooling identify privilege escalation in real time, or only after the fact?
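The two measures the page keeps returning to, how quickly an account "breaks out" from its first foothold and how far it moves before anyone notices, can be computed directly from logon telemetry. The example below is added here and is not Risk Crew's or Red Helix's tooling; it works on a constructed, flattened representation of Windows 4624 logon events (invented hostnames and usernames, type 2 = interactive, type 3 = network) and shows a defender how to derive a per-account breakout time and to raise an alert when one account authenticates to several distinct hosts inside a short window, the pattern that valid-credential lateral movement leaves even when no malware is involved.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of flattened Windows logon events (event ID 4624).
# Hostnames, usernames and times are invented for this example.
SAMPLE_EVENTS = [
    {"time": "2026-05-05T09:00:00", "user": "jsmith",     "src": "WS-014", "dst": "WS-014", "logon_type": 2},
    {"time": "2026-05-05T09:06:00", "user": "jsmith",     "src": "WS-014", "dst": "FS-01",  "logon_type": 3},
    {"time": "2026-05-05T09:14:00", "user": "jsmith",     "src": "WS-014", "dst": "FS-02",  "logon_type": 3},
    {"time": "2026-05-05T09:21:00", "user": "jsmith",     "src": "WS-014", "dst": "SQL-01", "logon_type": 3},
    {"time": "2026-05-05T09:26:00", "user": "jsmith",     "src": "WS-014", "dst": "DC-01",  "logon_type": 3},
    {"time": "2026-05-05T09:02:00", "user": "svc_backup", "src": "BK-01",  "dst": "FS-01",  "logon_type": 3},
    {"time": "2026-05-05T11:00:00", "user": "svc_backup", "src": "BK-01",  "dst": "FS-02",  "logon_type": 3},
    {"time": "2026-05-05T08:55:00", "user": "akhan",      "src": "WS-022", "dst": "WS-022", "logon_type": 2},
    {"time": "2026-05-05T09:40:00", "user": "akhan",      "src": "WS-022", "dst": "FS-01",  "logon_type": 3},
]


def _ts(value):
    """Parse the ISO-8601 timestamp used in the flattened events."""
    return datetime.fromisoformat(value)


def lateral_events(events):
    """Keep only network logons whose target host differs from the source host."""
    out = [e for e in events if e["logon_type"] == 3 and e["dst"] != e["src"]]
    return sorted(out, key=lambda e: e["time"])


def breakout_minutes(events):
    """Minutes from an account's first observed logon to its first logon on a
    different host. None means the account never left its starting host."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)

    result = {}
    for user, evs in by_user.items():
        first = evs[0]
        origin = first["dst"]
        moved = next((e for e in evs if e["dst"] != origin), None)
        if moved is None:
            result[user] = None
        else:
            delta = _ts(moved["time"]) - _ts(first["time"])
            result[user] = int(delta.total_seconds() // 60)
    return result


def fan_out_alerts(events, window_minutes=30, min_hosts=3):
    """Raise one alert per account that reaches min_hosts distinct remote hosts
    within any sliding window of window_minutes. Thresholds are assumptions and
    should be tuned against the environment's own baseline."""
    by_user = defaultdict(list)
    for e in lateral_events(events):
        by_user[e["user"]].append(e)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if _ts(e["time"]) - _ts(start["time"]) > window:
                    break
                hosts.add(e["dst"])
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "window_start": start["time"], "hosts": sorted(hosts)})
                break  # one alert per account is enough to send it to triage
    return alerts


if __name__ == "__main__":
    for user, minutes in breakout_minutes(SAMPLE_EVENTS).items():
        print(f"{user}: breakout after {minutes} minutes")
    for alert in fan_out_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']} reached {len(alert['hosts'])} hosts from {alert['window_start']}: {alert['hosts']}")
```

On the sample data, `jsmith` breaks out six minutes after the first logon and reaches four hosts, including a domain controller, inside twenty minutes, which trips the fan-out rule; the backup service account touches two file servers two hours apart and does not. The interesting tuning question for a real environment is exactly the one the engagement raises: whether the window and host thresholds are tight enough to fire inside the minutes-long breakout times reported above, without drowning in the legitimate administrative fan-out that service accounts generate.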

One particularly instructive outcome from a recent Risk Crew engagement: a client that had acted on every finding from the prior year’s assessment, tightening privilege boundaries, improving visibility and removing high-risk paths, was still traversable to full domain admin access. Not because remediation had failed, but because the threat landscape had shifted. New techniques, evolved tooling, and changed trust relationships had opened paths that simply didn’t exist twelve months earlier. Both the defenders and the attackers had learned. The attack surface had moved with them.

This reflects a broader truth. Environments change constantly through a multitude of factors. Each change is individually reasonable; collectively, however, they introduce new trust relationships and privilege pathways that won’t appear in last quarter’s assurance report. Auditors assess an environment on a specific date. Attackers observe it continuously and act when the configuration drifts in their favour.

Validation, Not Just Documentation

Risk Crew’s CREST-accredited engineers conduct these engagements in close collaboration with your internal teams. Vulnerabilities are not simply documented but validated, contextualised, and discussed in real time so that remediation can begin immediately. The result is a far more accurate picture of how controls perform under realistic, adversarial conditions.

Written by:
Tom Exelby
Head of Cyber

To discuss how an Assumed Breach engagement could be scoped for your organisation, speak to your Red Helix account team.
