Internal Network Pentest Report: Full Structure and Example (2026)

Internal network penetration tests are some of the most complex engagements to document. You are not dealing with a single web application. You are dealing with an entire network - Active Directory, subnets, legacy services, lateral movement paths, and multiple hosts with different risk levels.

Writing an internal network pentest report that clients can actually use takes structure. This guide walks through the full report format with real section examples so you can write faster and deliver better.

For a broader introduction to pentest report structure, see our pentest report template guide.

How Internal Network Reports Differ From Web App Reports

A web application pentest report documents vulnerabilities in a single application surface. An internal network pentest report documents an entire attack chain - often from an assumed-breach starting point through lateral movement to domain compromise.

The key differences are:

Multiple hosts instead of one application
Active Directory attack paths - Kerberoasting, Pass-the-Hash, DCSync
Network segmentation gaps
Lateral movement chains that span multiple findings
Privilege escalation across machines, not just within one app
Domain and forest level impact

This means your report needs to tell a story, not just list findings. The reader needs to follow the attack path from initial access to domain admin.

Recommended Structure for an Internal Network Pentest Report

Cover Page
Document Control
Executive Summary
Scope and Methodology
Network Overview
Attack Path Summary
Detailed Findings
Active Directory Risk Summary
Remediation Roadmap
Appendices

The attack path summary section is what separates strong internal network reports from weak ones.

Executive Summary for Internal Network Reports

The executive summary for an internal network report should answer four questions: starting access level, worst-case outcome, was domain compromise possible, and the top three risks in business terms.

Here is an example executive summary:

“During the internal network assessment, [Your Company] identified a critical attack path leading from an unauthenticated network position to full Active Directory domain compromise. The path required exploiting a default credential on a network printer, pivoting to a Windows host with local administrator reuse across 14 machines, and executing a DCSync attack from a privileged host. The entire chain was executed within four hours of initial access. Domain compromise gives an attacker full control over all systems, user accounts, and data in the organization.”

Scope and Methodology for Network Assessments

The scope section for an internal network assessment should include the starting access level, IP ranges and subnets tested, any excluded segments, physical access details, credential assumptions, and testing methodology.

Asset	Type	In Scope
10.0.0.0/16	Internal network range	Yes
10.0.100.0/24	OT network segment	No - excluded
corp.example.com	Active Directory domain	Yes
Azure AD (cloud)	Cloud identity	No - excluded

Network Overview Section

The network overview gives the reader context before they dive into findings. Include the total number of live hosts discovered, the domain structure, key services running across the network, and any notable technology in use.

This section should be two to three paragraphs. Cover what the network looks like from an attacker perspective. How many hosts responded to scanning, what operating systems were present, what the Active Directory structure looked like, and what services were exposed internally.

The goal is to give the reader a mental map of the environment before they start reading individual findings.

Attack Path Summary

The attack path summary is the most important section in an internal network pentest report. It shows the full chain from initial access to the highest level of compromise achieved.

Discovered default credentials on HP printer at 10.0.1.45 via Nmap service scan
Accessed printer admin interface - retrieved LDAP credentials stored in config
Used LDAP credentials to authenticate to domain as svc-print service account
Enumerated domain with BloodHound - identified svc-print has local admin on WKSTN-014
Moved laterally to WKSTN-014 using Pass-the-Hash
Dumped credentials from LSASS on WKSTN-014 - recovered domain admin hash
Used domain admin hash to authenticate to domain controller DC01
Executed DCSync to extract all domain password hashes

This eight-step path from network access to full domain compromise was possible due to three root causes: default credentials, password reuse, and excessive service account permissions.

Example Finding: Kerberoastable Service Account

Severity	High
CVSS 3.1	8.1
Vector	AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected	corp.example.com - svc-sql

Description: The service account svc-sql was configured with a Service Principal Name (SPN) and a weak password, making it vulnerable to Kerberoasting. Any authenticated domain user can request a Kerberos service ticket for this account and crack the password offline without triggering account lockout.

Evidence:

$ python3 GetUserSPNs.py corp.example.com/jsmith:Password1 -request -outputfile kerberoast.txt
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName    Name     MemberOf  PasswordLastSet
----------------------  -------  --------  -------------------
MSSQLSvc/db01:1433      svc-sql            2024-01-15 09:23:11

$krb5tgs$23$*svc-sql$CORP.EXAMPLE.COM$MSSQLSvc/db01:1433*$a8f2...
[CRACKED] svc-sql : Summer2024!

Impact: An attacker with any valid domain credentials can extract and crack the svc-sql service account password. This account has local administrator access on the database server db01, which contains production customer data. Compromise of this account provides direct access to sensitive data and a lateral movement path deeper into the network.

Remediation:

Change the svc-sql password to a 30+ character randomly generated password
Configure the account as a Group Managed Service Account (gMSA) to enable automatic password rotation
Remove unnecessary SPNs from service accounts that do not require them
Implement monitoring for Kerberoasting activity by alerting on Event ID 4769 with RC4 encryption type

Active Directory Risk Summary

Include a dedicated section summarizing all Active Directory-related risks in one place. This gives the IT team a focused view of domain-level issues.

Risk Area	Finding	Severity
Kerberoasting	3 service accounts with crackable passwords	High
Password reuse	Local admin password reused on 14 workstations	Critical
Privilege escalation	Service account with unnecessary domain admin membership	Critical
Credential storage	LDAP credentials stored in printer configuration	High
Segmentation	No network segmentation between workstations and servers	Medium

Remediation Roadmap for Internal Network Reports

Prioritize remediation by impact and effort. A roadmap table helps the client plan their response.

Priority	Finding	Action	Effort
1	Default printer credentials	Change all default credentials on network devices	Low
2	Local admin password reuse	Deploy LAPS for unique local admin passwords	Medium
3	Kerberoastable service accounts	Migrate to gMSA and enforce 30+ character passwords	Medium
4	Excessive service account privileges	Audit and reduce service account permissions	Medium
5	No network segmentation	Implement VLAN segmentation between workstations and servers	High

For tips on automating report generation and remediation tracking, see our guide on pentest report automation.

Speed Up Your Network Report Writing

Internal network reports take the longest to write because of the number of hosts, the attack path documentation, and the Active Directory analysis. PentestReportAI lets you paste in your findings and tool outputs and generates a structured report with CVSS scoring, executive summary, attack path documentation, and remediation roadmaps. Stop spending hours on formatting and focus on the testing.

Try free with 2 credits