Deployment Strategy
The deployment of your NodeZero® Host depends on the specific insights you aim to gain from your pentest. Below are some options to help you choose the best setup for your goals.
Placement and Intent
The placement of the NodeZero Host and its defined intent together determine the scope and behavior of the assessment.
- Placement: Defines where the NodeZero Host is deployed within the network.
- Intent: Guides the scope and actions of the pentest based on the desired objectives.
Placement
Select the appropriate NodeZero Host placement based on your testing goals:
Scope refers to the network boundaries or specific targets (e.g., IP ranges, endpoints, or domains) that NodeZero will assess during the pentest, as determined by the host's placement.
Placement | Type | Description |
---|---|---|
1. Inside the Scope | Custom Scope | Position the host within the target network segment to simulate an internal attacker. |
2. Outside the Scope | Custom Scope | Place the host outside the target network, mimicking an external attacker. |
3. Outside @ Endpoints (i.e., /32s) | Custom Scope | Deploy at specific endpoints (e.g., single IPs) outside the target scope. |
4. Attack Starting Point | Intelligent Scope | Use as a defined entry point to simulate a targeted attack vector. |
5. Full Private Scope | RFC1918 | Cover the entire private network accessible from the host’s location. |
6. OSINT Focused | OSINT | Launch externally to assess cloud-facing assets. |
Intent
Select an intent to guide the scope and actions of the NodeZero assessment:
Placement | Intent | Will Enumerate and Exploit | Won’t Execute | Use Cases |
---|---|---|---|---|
1. Inside the Scope | Limit the attacker’s scope to a defined range from within the network. | - In-scope hosts, services, domains, web, credentials, data resources - ProTip: Ensure a DC is "in scope" | - On anything outside the prescribed scope | - Internal Pentest - SOC SLAs - Verify Policies - Verify EDR/SIEM |
2. Outside the Scope | Limit the attacker to assess accessible hosts and data from an external perspective. | - In-scope hosts, services, web, credentials (except MITM or PTH attacks) | - Man-in-the-Middle and pass-the-hash attacks | - External Pentest - Verify Segmentation - Verify access to a sensitive VLAN - Third-party security assessment |
3. Outside @ Endpoints (i.e., /32s) | Focus on specific hosts to check for endpoint vulnerabilities and misconfigurations. | - Specified hosts, ports, services, web, exploitable vulnerabilities | - On infrastructure that is neither chained nor vulnerable | - Test EDR endpoint vulnerabilities |
4. Attack Starting Point | Discover what an attacker can access from a specific starting point. | - Discovered hosts, services, domains, web, credentials, data resources | - On inaccessible hosts, services, domains, web, credentials | - Internal Pentest - Segmentation - Verify Policies - Verify EDR/SIEM - Test Blast Radius - Test ZeroTrust |
5. Full Private Scope | Search every nook and cranny of the private IP space accessible in the environment. | - Discovered hosts, services, domains, web, credentials, data resources | - On inaccessible hosts, services, domains, web, credentials | - Internal Pentest - Asset Discovery - Assess hybrid env - Verify Policies - Verify EDR/SIEM |
6. OSINT Focused | Assess publicly available data vulnerable to an external attacker. | - Publicly available usernames, subdomains (from TLDs), web-facing attack surface | - On internal assets - *NOTE: Combined with an internal op/access to a DC will verify user/password access | - Public-facing Reconnaissance - Company recon - User recon - Subdomain recon - *Cred stuffing |
Note
- OSINT Focused: This external deployment focuses on cloud-facing assets and can be combined with internal operations for comprehensive user/password validation.
- Execution Limits: NodeZero respects defined scopes and avoids actions on out-of-scope or inaccessible assets unless explicitly chained or vulnerable.
Tip
Select the placement and intent that align with your security goals. Consult Horizon3.ai support for complex scenarios.
Placement - More Info
1. Inside the scope
To limit the scope and assess what an attacker could exploit within a defined range, place the NodeZero Host inside the desired test scope. When configuring the scope for your pentest, ensure the NodeZero Host is within one of the specified CIDR ranges for the test.
Figure 1 - Deployment inside your test scope.
Tip
Ensure a Domain Controller is in scope as well. NodeZero will attempt to exploit any vulnerabilities or misconfigurations on this host and will also verify weak domain defaults and credentials.
Use cases for Inside the Scope
This placement method facilitates rapid assessments, allowing for a streamlined Find-Fix-Verify loop that enhances your ability to quickly improve and adapt your security posture.
2. Outside the scope
To gain an “outside-in” perspective and evaluate whether an attacker could access critical data and assets within a specific scope, place the NodeZero Host outside the scope you want to test. When configuring the pentest scope, ensure the NodeZero Host is NOT within the specified CIDR range(s) for the test.
Figure 2 - Deployment outside of your test scope.
Note
When NodeZero is not in the same IP range as the scope, it will not execute Man-in-the-Middle or pass-the-hash attacks.
Use cases for Outside the Scope
This approach offers an unrestricted assessment, providing a clear view of what is accessible, valuable, and vulnerable from an external starting point.
3. Endpoints-only scope
To quickly verify whether the vulnerability you just remediated has been fixed, select one or more individual hosts as /32 CIDR blocks. When configuring the pentest scope, ensure the NodeZero Host can reach the specific host(s) identified by the /32 CIDR range(s) but is NOT itself within those range(s).
Figure 3 - Deployment with Endpoints-only scope.
When NodeZero is not in the same IP range as the scope, it will not execute Man-in-the-Middle or pass-the-hash attacks. Further, with this restricted scope, NodeZero will chain neither weaknesses nor paths, because you have limited the scope to specific endpoints for this assessment.
Use cases for Endpoints-only scope
This is a focused assessment designed for quick validation, allowing you to verify that your fix has been implemented successfully and that the vulnerability now poses a lower risk to your attack surface.
4. Intelligent scope
To simulate a true “black box” pentest and see what a non-credentialed attacker could enumerate and exploit from a specific starting point in your network, use Intelligent Scope.
In the Scope section of your Op configuration, select the “Intelligent Scope” option and leave the “Include” box blank. NodeZero will begin with the /16 subnet of the host IP it was deployed on, then expand organically across the infrastructure as it discovers additional hosts and subnets. This mimics how an attacker would explore the environment.
The more vulnerabilities, weaknesses, and misconfigurations are exploitable, the greater the visibility and testing coverage NodeZero will provide. This process demonstrates how an attacker could navigate the environment by chaining together tactics, techniques, and procedures (TTPs) based on their findings and exploiting the attack surface.
Figure 4 - Deployment with Intelligent scope.
Use cases for Intelligent Scope
This is a proactive assessment that provides a deep understanding of what is accessible, valuable, and vulnerable from any entry point, helping you identify potential risks and attack paths across your environment.
5. All private IP scope (i.e., RFC 1918)
Use RFC 1918 to conduct a private scope pentest, quickly and safely enumerating everything accessible within your private network.
When configuring the scope for your pentest, simply select the “Use RFC 1918” option, and NodeZero will handle the rest. If there are specific IP addresses or ranges you wish to exclude from the assessment, add them to the “Exclude” box during scope configuration.
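As an added example (not Horizon3.ai code), the following Python pre-flight check applies the placement rules from options 1 to 5 above to a proposed scope before the Op is launched. The ScopeConfig field names, the result keys and the sample addresses are this example's own assumptions, not NodeZero's configuration API. It reports whether the NodeZero Host sits inside or outside the configured ranges (which decides whether Man-in-the-Middle and pass-the-hash attacks can run), whether the scope is endpoints-only (/32 entries, so no chaining), the /16 an Intelligent Scope op would start from, and a few mistakes worth catching early: the host excluded from its own scope, an Exclude entry that overlaps nothing, a Domain Controller left out of scope, or a non-private host combined with the "Use RFC 1918" option.

```python
import ipaddress
from dataclasses import dataclass, field

# Blocks the "Use RFC 1918" option expands to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ScopeConfig:
    """Proposed Op scope. Field names are this example's own, not NodeZero's API."""
    host_ip: str                                       # address of the NodeZero Host
    include: list[str] = field(default_factory=list)   # "Include" box, CIDR entries
    exclude: list[str] = field(default_factory=list)   # "Exclude" box, CIDR entries
    use_rfc1918: bool = False                          # "Use RFC 1918" option
    intelligent: bool = False                          # "Intelligent Scope" option
    dc_ips: list[str] = field(default_factory=list)    # Domain Controllers you expect to be tested


def _nets(cidrs):
    # strict=False tolerates host bits set in an entry such as 10.1.2.3/24
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def intelligent_start(host_ip: str):
    """The /16 an Intelligent Scope op starts from (IPv4 host assumed)."""
    return ipaddress.ip_network(f"{host_ip}/16", strict=False)


def scope_networks(cfg: ScopeConfig) -> list:
    """Ranges the op starts with, before the Exclude box is applied."""
    if cfg.intelligent and not cfg.include:
        return [intelligent_start(cfg.host_ip)]
    if cfg.use_rfc1918:            # assumption: this option stands in for the Include box
        return list(RFC1918)
    return _nets(cfg.include)


def preflight(cfg: ScopeConfig) -> dict:
    host = ipaddress.ip_address(cfg.host_ip)
    scope = scope_networks(cfg)
    if not scope:
        raise ValueError("Include box is empty and no scope option is selected")
    excludes = _nets(cfg.exclude)
    warnings = []

    def covered(addr):
        # in an Include (or option) range and not carved out by an Exclude range
        return any(addr in n for n in scope) and not any(addr in e for e in excludes)

    host_in_range = any(host in n for n in scope)

    if cfg.intelligent and not cfg.include:
        placement = "intelligent"               # option 4: starts at the host /16, then expands
    elif cfg.use_rfc1918:
        placement = "rfc1918"                   # option 5: every reachable private range
        if not host_in_range:
            warnings.append(f"host {host} is not an RFC 1918 address, so it sits outside the private scope")
    elif host_in_range:
        placement = "inside"                    # option 1
    elif all(n.prefixlen == n.max_prefixlen for n in scope):
        placement = "endpoints_only"            # option 3: only /32 entries
    else:
        placement = "outside"                   # option 2

    if cfg.intelligent and cfg.include:
        warnings.append("Intelligent Scope selected but the Include box is not blank")
    if any(host in e for e in excludes):
        warnings.append(f"host {host} falls inside an Exclude range")
    for e in excludes:
        if not any(e.overlaps(n) for n in scope):
            warnings.append(f"exclude {e} does not overlap any in-scope range")
    for dc in cfg.dc_ips:
        if not covered(ipaddress.ip_address(dc)):
            warnings.append(f"Domain Controller {dc} is not in scope")

    return {
        "placement": placement,
        # MITM and pass-the-hash run only when NodeZero shares an IP range with the scope
        "mitm_pth": covered(host),
        # an endpoints-only (/32) scope chains neither weaknesses nor paths
        "chains_paths": placement != "endpoints_only",
        "start_subnet": str(scope[0]) if placement == "intelligent" else None,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample configurations, one per placement option.
    samples = {
        "inside": ScopeConfig("10.0.1.25", include=["10.0.1.0/24", "10.0.2.0/24"], dc_ips=["10.0.2.10"]),
        "outside": ScopeConfig("192.168.50.10", include=["10.0.1.0/24"]),
        "endpoints": ScopeConfig("192.168.50.10", include=["10.0.1.7/32", "10.0.1.9/32"]),
        "intelligent": ScopeConfig("10.42.7.3", intelligent=True),
        "rfc1918": ScopeConfig("203.0.113.5", use_rfc1918=True, exclude=["10.99.0.0/16"]),
    }
    for name, cfg in samples.items():
        print(name, preflight(cfg))
```

The check is deliberately offline: it cannot tell whether the NodeZero Host can actually reach an endpoint-only target or whether a DC answers, so it validates only what the scope configuration itself implies. Whether NodeZero combines the Include box with the RFC 1918 option is not stated on this page; the example assumes the option stands alone.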
Figure 5 - Deployment with All private IP scope.
Note
This operation may take longer, as NodeZero enumerates every accessible IP and DNS name, including edge routers. If your routers forward traffic for private ranges that are not yours (a misconfiguration), NodeZero may also attempt to enumerate those external private IPs; add such ranges to the "Exclude" box if you do not want them assessed.
Tip
If you want NodeZero to discover every detail of your environment, place it in a network position with an unrestricted ACL so that it can explore all accessible areas, uncovering every nook and cranny of your network.
Use cases for All private IP scope
This is your comprehensive and unrestricted enterprise assessment, designed to provide a complete view of your network. It should be run regularly to ensure continuous security monitoring and vulnerability management.
6. OSINT focused
Available with any of the pentest types, our Open-Source Intelligence (OSINT) assessment allows NodeZero to gather publicly available information and incorporate it into the pentest. During the second step of configuring your pentest, you can gain a true external perspective; your company name will be auto-filled, and you’ll have the option to provide TLDs and weak password terms for NodeZero to test using any discovered information.
Figure 6 - Deployment with OSINT focused.
Note
NodeZero’s OSINT gathering operates outside your environment, so NodeZero placement isn’t as critical. However, when combined with an internal pentest that includes a domain controller in-scope, NodeZero will validate domain users and passwords against those found publicly, providing you with deeper insight into your attack surface and potential risks.
Use cases for OSINT focused
This is your external reconnaissance capability, allowing you to see what attackers can discover and leverage to initiate their campaigns and establish a foothold in your environment.