How to Trigger an Internal Scan

Follow these steps to initiate an internal scan in Pentest Copilot Enterprise.

Internal scanning runs through a local agent deployed in your environment. The agent receives jobs from Pentest Copilot, executes tooling from inside your network, and streams results back to the control plane.

Internal assessment can run active exploitation. Some exploit families can modify AD/ADCS, deploy callbacks, collect files, use credentials, forge tickets, or change host state. Review approved scope before launching.

Internal Scan Flow

Connect a local AGENT.
Run internal discovery.
Review discovered subnets, hosts, users, groups, services, and credentials.
Select subnets for internal assessment.
Configure agents, allowed exploits, exclusions, PCE Intercept/Inveigh, and RCE controls.
Review estimates and destructive-action warnings.
Run or schedule the assessment.
Review attack paths and cleanup implications.

1. Connect a Local Agent

Open Settings -> Agent or Download Agent and download the installer for your environment.

The agent must be installed on a host that can route to the approved internal subnets. RTCS assigns the concrete agent identity when the agent connects; do not supply your own agent ID.

After connection, confirm the agent appears in Dashboard -> Agents or Settings -> Agent with a connected status, subnets, and network interfaces.

Download Agent

2. Run Internal Discovery

Open Modules -> Internal Assessment -> Discovery Phase.

Select a connected agent.
Review the subnets reported by that agent.
Select the subnet or subnets to discover.
Optionally add Partial Subnet Testing values:
- single IP, such as 10.10.10.25;
- range, such as 10.10.10.20-10.10.10.50;
- CIDR, such as 10.10.10.0/24.
Set a confidence level if the operator wants to document certainty in scope.
Optionally enable Trigger Internal Assessment automatically after discovery if the deployment exposes that control and your team wants an unattended discovery-to-assessment run.
Review the estimate and runtime limit warning.
Run or schedule discovery.

Discovery populates the graph with subnets, hosts, services, users, groups, credentials, and other internal entities that the assessment phase can use.

3. Open Internal Assessment

Open Modules -> Internal Assessment -> Attack Phase.

The page lists discovered subnets. Select the subnets in scope for active assessment.

For each selected subnet, configure:

Agent: the agent that will execute the subnet assessment. Agents in the same subnet are prioritized and labeled.
Confidence Level: operator certainty that target and scope are correct. Use 0 when unsure.
Settings: per-subnet attack settings, exploit selection, and entity exclusions.

4. Configure Per-Subnet Settings

Click the settings icon for a selected subnet.

PCE Intercept/Inveigh

Enable Start PCE Intercept/Inveigh only when NTLM capture/relay is approved for the engagement.

When enabled:

choose one or more interfaces on the selected agent;
the assessment starts PCE Intercept/Inveigh and ntlmrelayx for the subnet;
if no interface is selected, the run is blocked until fixed.

RCE Execution Controls

The drawer includes:

Skip RCE if host is already compromised.
Skip RCE if user is already compromised.

Keep these disabled to run every enabled RCE submodule. Enable them when your team wants to avoid repeated command execution after the graph already proves compromise.

Exploits Tab

The Exploits tab lists exploit families returned by the backend. By default, selected subnets start with all exploit families enabled.

Disable any family that is not approved for the engagement.

The UI labels high-impact categories, such as AD write, DC password, ADCS write, host change, credential use, ticket forging, and data copy. The final review includes a destructive-action warning summary.

Internal Assessment Destructive Actions

Entities Tab

The Entities tab shows graph entities connected to the selected subnet, such as hosts, users, groups, and services.

By default, entities are included. To exclude entities:

Open the Entities tab.
Search or page through the entity list.
Uncheck entities that should not be tested.
Refresh the entity list if discovery has recently added more data.

The exclusion count is shown in the subnet settings and final review.

5. Review and Run

Click Run Assessment to open the final configuration review.

Review:

selected subnets;
assigned agents;
confidence levels;
enabled exploit count;
PCE Intercept/Inveigh status and selected interfaces;
excluded entity count;
scan estimate and credit/runtime information;
destructive-action warning summary;
max module runtime warning, if configured.

Click Run assessment to launch, or cancel and return to the settings drawer.

6. Schedule Internal Assessment

If scheduling is permitted for your role, click Schedule instead of running immediately.

Schedules can be one-time or recurring. They use the saved scan configuration created from the selected subnets and settings at scheduling time.

Scheduling

7. Monitor and Triage

Use:

Activity -> Activity for module and submodule execution status.
Activity -> Attack Logs for detailed operational logs.
Modules -> Internal Assessment -> Statistics for aggregate results.
Modules -> Internal Assessment -> Attack Paths for findings.
Reports for executive or comprehensive PDFs.

Common Blocks

Block

What to check

No agents available

Confirm the AGENT is connected and visible in Dashboard -> Agents or Settings -> Agent.

No subnets shown

Confirm the agent reports subnets and can route to your network.

Intercept enabled but run blocked

Select at least one valid interface for PCE Intercept/Inveigh.

Exploit family not approved

Disable it in the subnet settings drawer before review.

RCE should not repeat on compromised nodes

Enable the RCE skip controls.

Assessment is too broad

Use partial subnet testing during discovery and entity exclusions during assessment.

PreviousManual Crawler NextInternal Assessment Destructive Actions

Last updated 5 days ago