How do we run our first Horizon3.ai NodeZero Internal Pentesting test and set scope (subnets, credentials, exclusions)?

Running your first Horizon3.ai NodeZero internal pentesting test is straightforward once you understand how to deploy the host and define a safe, effective scope. This guide walks through each step: standing up the internal host, selecting subnets, adding credentials, and configuring exclusions so you can get actionable results without disrupting your environment.


1. Understand How NodeZero Internal Pentesting Works

NodeZero internal pentesting is designed to run safely from inside your network using a lightweight execution environment:

  • Internal tests run from your own infrastructure using:
    • A free Docker host, or
    • An open virtualization appliance (OVA)
  • External tests run from the Horizon3.ai cloud (no host required), but for internal pentesting you’ll use the Docker/OVA host.
  • NodeZero:
    • Connects to your internal network (and optionally your cloud/hybrid environment)
    • Identifies and exploits attack paths
    • Operates from dedicated, ephemeral, one-time-use resources in an isolated virtual private cloud when launched from Horizon3.ai

You control:

  • Which IP ranges are in scope
  • Which subnets and assets to exclude
  • Whether to run with or without credentials
  • What types of operations to perform (internal Autonomous Pentesting™, password audits, etc.)

2. Prepare Your Internal NodeZero Host

To run an internal NodeZero pentest, you first need a host in your local environment.

2.1 Choose Your Host Type

You can use either:

  • Docker Host
    • Ideal for Linux servers or workstations that already support Docker
    • Lightweight and fast to deploy
  • OVA (Open Virtualization Appliance)
    • Ideal for VMware or similar virtualization environments
    • Simple import, especially in existing virtual infrastructures

There is no additional cost for the host; it’s a free component that executes NodeZero tasks inside your network.

2.2 Place the Host in the Right Network Segment

For best coverage on your first test:

  • Put the NodeZero host in a network segment with visibility to the subnets you want to test.
  • Ensure the host has:
    • Network routes to the intended in-scope IP ranges
    • Access through any internal firewalls (or at least enough access to assess reachable systems)

If you plan to test multiple VLANs or segments, place the host where it can reach as many as possible—or plan to run multiple tests concurrently from different segments.

2.3 Deploy and Register the Host

Follow the instructions in the NodeZero UI to:

  1. Create a new internal test configuration.
  2. Copy the execution script provided.
  3. Paste and run that script on your Docker host or OVA instance.

The script will:

  • Configure the host
  • Connect it securely to the Horizon3.ai platform
  • Prepare ephemeral resources for your test in a one-time-use architecture

You don’t have to manually install or manage complex software; the execution script handles setup in minutes.


3. Choose the Right Type of Internal Test

Before setting scope, decide what you want your first internal pentest to accomplish. NodeZero supports several operations:

  • Internal Autonomous Pentesting™
    • Full-scope internal attack path discovery
    • Ideal for a first “real world” internal assessment
  • AD Password Audit
    • Focused operation to audit Active Directory passwords
    • Reveals weak, breached, and re-used passwords
  • Phishing Impact Testing
    • Shows what an attacker could do with phished credentials
    • Helps quantify the impact of credential theft

For your first internal experience, many teams start with:

  • A moderate-scope internal Autonomous Pentest™ to map attack paths, or
  • An AD Password Audit if password hygiene is your top concern

The NodeZero UI will guide you to select the type of operation when creating your test.


4. Define Your Internal Pentest Scope: Subnets and IP Ranges

Scope is critical: it ensures you test what you care about while avoiding sensitive or fragile systems.

4.1 Decide on the Overall Coverage (Small, Targeted, or Broad)

NodeZero can scale far beyond manual pentests:

  • You can configure which IP ranges to include and exclude.
  • You can test your entire private IP space (RFC 1918) if you want:
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16

For your first internal test, consider:

  • Starting with a limited, representative subset (for example, a core server subnet plus one user VLAN), then
  • Expanding to larger ranges in follow-up tests once you’re comfortable with the process and results.

4.2 Add In-Scope Subnets in the UI

In the test configuration screen:

  1. Locate the Scope or Target Ranges section.
  2. Add each subnet or IP range you want to test, such as:
    • 10.0.10.0/24 (server VLAN)
    • 10.0.20.0/24 (user VLAN)
    • 192.168.1.0/24 (branch office)
  3. You can mix:
    • CIDR ranges (e.g., 10.0.0.0/16)
    • Individual IPs (e.g., 10.0.10.5)
    • Host lists, depending on your internal policies

Design your scope based on:

  • Where your critical assets reside
  • Where attackers are most likely to land (user networks, Wi-Fi, remote access subnets)
  • Network segments you have never been able to thoroughly test via manual pentesting

5. Configure Exclusions for Safety and Compliance

NodeZero lets you carefully exclude specific IPs or subnets to avoid fragile or non-permitted systems.

5.1 Identify What to Exclude

Common exclusions include:

  • Legacy hardware known to be unstable
  • OT/ICS devices where scanning is restricted
  • Medical devices, manufacturing controllers, or other specialized systems
  • Third-party or partner systems that you’re not authorized to test
  • Network equipment that security policy disallows testing

Work with internal stakeholders (IT, OT, compliance, vendors) to identify systems that should never be included.

5.2 Add Exclusions in the Test Configuration

In the same scope section:

  1. Find the Exclusions field or subsection.
  2. Enter:
    • IP addresses to omit (e.g., 10.0.10.50)
    • Entire subnets (e.g., 10.0.30.0/24)
  3. Confirm that these exclusions do not appear in any of your included ranges, or that the exclusions override the broader ranges correctly.

By combining broad included ranges with precise exclusions, you can safely test at scale while protecting sensitive assets.
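
A pre-flight check for the confirmation step in 5.2, written as an added example (not Horizon3.ai code and not part of the NodeZero product): it takes the include and exclude lists you plan to enter, computes the effective scope by subtracting exclusions, and warns about entries that look wrong. The function names are hypothetical, and it makes no claim about how NodeZero itself resolves overlapping entries.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_scope(includes, excludes):
    """Return (effective_networks, warnings) for planned scope lists.

    Entries are CIDR ranges or single IPs; a malformed entry such as
    10.0.10.5/24 (host bits set) raises ValueError instead of being guessed.
    """
    inc = [ipaddress.ip_network(s) for s in includes]
    exc = [ipaddress.ip_network(s) for s in excludes]
    warnings = []
    for i in inc:
        if not any(i.subnet_of(p) for p in RFC1918):
            warnings.append(f"include {i} is outside RFC 1918 private space")
        if any(i.subnet_of(e) for e in exc):
            warnings.append(f"include {i} is fully covered by an exclusion")
    for e in exc:
        if not any(e.overlaps(i) for i in inc):
            warnings.append(f"exclusion {e} overlaps no included range")
    # Subtract every exclusion from the merged include ranges.
    effective = []
    for net in ipaddress.collapse_addresses(inc):
        pieces = [net]
        for e in exc:
            remaining = []
            for p in pieces:
                if not p.overlaps(e):
                    remaining.append(p)          # untouched by this exclusion
                elif not p.subnet_of(e):
                    remaining.extend(p.address_exclude(e))  # e lies inside p
                # else: p is entirely excluded, drop it
            pieces = remaining
        effective.extend(pieces)
    return sorted(effective), warnings

def in_scope(ip, effective):
    """True if a single address would still be tested after exclusions."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in effective)

if __name__ == "__main__":
    # Constructed sample: the example ranges from sections 4.2 and 5.2.
    includes = ["10.0.10.0/24", "10.0.20.0/24", "192.168.1.0/24"]
    excludes = ["10.0.10.50", "10.0.30.0/24"]
    effective, warnings = check_scope(includes, excludes)
    print(sum(n.num_addresses for n in effective), "addresses in scope")
    for w in warnings:
        print("WARNING:", w)
```

With the sample lists, the 10.0.30.0/24 exclusion is flagged because it overlaps none of the included ranges, which is the kind of mismatch worth resolving with the asset owner before launch.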


6. Decide Whether to Use Credentials

NodeZero supports both credentialed and non-credentialed internal testing.

6.1 Benefits of Credentialed Testing

Adding credentials enables NodeZero to:

  • Log in to systems where permissions allow
  • Perform deeper configuration and posture analysis
  • Simulate realistic attacker behavior after obtaining valid accounts
  • Enhance findings with context about what a compromised account could access

For example, pairing credentials with Phishing Impact Testing shows exactly what an attacker might do with phished logins in your environment.

6.2 Running Without Credentials

You can also test without credentials, which:

  • Simulates an attacker who has gained network access but no valid logins
  • Focuses on network-level exposures and unauthenticated services
  • Is sometimes easier to approve for a first run

NodeZero is designed to test safely from any network with or without credentials.

6.3 How to Configure Credentials

In the test setup UI, depending on the operation type you choose, you may be able to:

  • Add domain credentials for AD-aware operations
  • Add local credentials for specific hosts
  • Provide service accounts for targeted checks

Use least-privilege credentials that still reflect realistic attacker scenarios. Ensure you have internal authorization before adding any privileged accounts.


7. Launch Your First Internal Pentest

Once your host is ready and scope is defined:

7.1 Review Test Settings

Before starting, double-check:

  • Host registration and connection status
  • Selected operation (internal Autonomous Pentest™, AD Password Audit, etc.)
  • Included IP ranges and subnets
  • Exclusions for any sensitive systems
  • Credentials (if used) and their permissions
  • Any optional OSINT or enrichment settings you’ve chosen

NodeZero also allows you to customize:

  • Exploitation types
  • Aggressiveness or impact-related options (where available)
  • Timing or scheduling preferences

7.2 Schedule or Start Immediately

NodeZero internal tests can be:

  • Started immediately, or
  • Scheduled to run during approved maintenance or testing windows

Internal tests run from your host; external components are orchestrated from the Horizon3.ai cloud using ephemeral, one-time-use architectures in an isolated virtual private cloud, enhancing safety and separation.


8. Run Large-Scale and Concurrent Internal Testing

Once you’re comfortable with a single internal test, you can scale up:

  • Test your entire RFC 1918 space over time by expanding IP ranges.
  • Use internal pentest options to:
    • Configure multiple IP ranges across different sites
    • Exclude specific subnets or devices while still scanning broadly
  • Run multiple tests at the same time in different network segments for maximum efficiency, for example:
    • One test for HQ user networks
    • One test for data center segments
    • One test for a branch office

This is a major advantage over manual pentests, where less than one percent of a network is typically tested. NodeZero’s design focuses on large-scale coverage that reflects your real environment.


9. After the Test: Review Findings and Plan Next Steps

Once your first internal pentesting test completes:

  1. Log into the NodeZero UI and review:
    • Attack paths and exploit chains
    • Weak, breached, or reused AD passwords (if you ran a password audit)
    • Impact of phished credentials (if you ran phishing impact testing)
  2. Prioritize remediation:
    • Start with high-impact, easily exploitable paths
    • Address weak or reused credentials
    • Harden misconfigurations and exposed services
  3. Plan your next test:
    • Expand scope to additional subnets
    • Add new credentials or test scenarios
    • Run concurrent internal tests to cover more of your environment

10. Summary: Key Steps to Run Your First Internal NodeZero Pentest

To recap the process for your first Horizon3.ai NodeZero internal pentesting test:

  1. Deploy the internal host
    • Use a free Docker host or OVA in your local environment
    • Run the NodeZero execution script to register it
  2. Select your internal operation
    • Internal Autonomous Pentesting™, AD Password Audit, or Phishing Impact Testing
  3. Set scope with subnets and IP ranges
    • Include relevant internal ranges, starting with a manageable subset
    • Expand later as you gain confidence
  4. Configure exclusions
    • Omit fragile, sensitive, or non-permitted systems
  5. Choose credentialed vs. non-credentialed mode
    • Add domain or local credentials if appropriate and authorized
  6. Review and launch
    • Confirm scope, exclusions, and credentials
    • Start immediately or schedule during a maintenance window
  7. Iterate and scale
    • Use NodeZero’s large-scale and concurrent testing capabilities to gradually cover your entire RFC 1918 space

Following these steps will help you run a safe, targeted, and insightful first Horizon3.ai NodeZero internal pentesting test, with clearly defined subnets, credentials, and exclusions that align with your organization’s policies and risk appetite.