NullSquare
workflowintermediateReviewed May 18, 2026

Internal network and machine pentesting

Use private runners and CIDR targets to assess internal hosts and subnets.

Requirements

  • The scope includes the subnet or host CIDR to test.
  • A private runner is deployed in a network that can reach the CIDR.
  • The private runner is online and attached to the scope.
  • The run uses private runner execution.
  • Rules of engagement include internal network limits and exclusions.

Workflow

  1. 1Add an internal target such as 10.10.20.0/24 or 10.10.20.15/32.
  2. 2Deploy the runner on a host that can route to that subnet.
  3. 3Attach the runner to the scope.
  4. 4Add credentials if authenticated host, service, or app testing is required.
  5. 5Start discovery using the private runner execution target.
  6. 6Review discovered internal hosts and promote important assets.
  7. 7Run targeted follow-up tests against prioritized machines or services.

Network reachability

Runner placement matters

If the runner host cannot reach the subnet because of routing, firewall, DNS, VPN, or segmentation rules, the agent cannot test those machines.

Related articles