Internal network access
To test targets inside a private network, give SimpleSec a way in — either a WireGuard tunnel or a small deployable agent. Both connect only while a scan is running.
When you need this
External and web engagements reach their targets over the internet — no setup required. An internal engagement tests hosts inside a private network that SimpleSec can't reach from outside, so you provide a connection method. Once connected, the planner can run internal checks: Active Directory enumeration, Kerberoasting, AS-REP roasting, SMB checks, and lateral-movement validation.
Two ways to connect
WireGuard config
Upload a WireGuard .conf to the engagement. Best when you already run WireGuard or can stand up a peer on the target network.
Deployable agent
Run a small Docker container inside the network. It dials out to SimpleSec, so there are no inbound firewall rules to open.
Option A — WireGuard
- Get a WireGuard config for a peer that can reach your internal targets.
- Open the internal engagement and upload the
.confto its network settings. The private key is encrypted at rest. - Launch a test as usual. The tunnel comes up automatically when the scan starts and tears down when it finishes.
Option B — deployable agent
- Deploy the agent container on a host inside the target network, following the setup instructions shown on the engagement.
- It dials out to SimpleSec — outbound only, so you don't expose any inbound ports.
- Launch your test. The engagement's status flips to Connected once the agent is reachable.
Connectivity is established on scan start and torn down on completion — SimpleSec isn't holding a standing tunnel into your network between runs. Each engagement's network profile is isolated from every other.
Internal testing reaches deep into your environment. Only connect networks you're authorized to test, and prefer the agent's outbound-only model where your security policy requires no inbound exposure.