Segmentation Testing
Validate network segmentation reachability from a deployed RedVeil internal agent.
Segmentation testing validates whether a network segment can be reached from a deployed RedVeil internal agent. It is designed for evidence-driven segmentation validation, including QSA-facing PCI-style checks where the testing location, exact scan command, and scan output need to be preserved.
When to use segmentation testing
Use a segmentation project when you need to prove whether one internal network vantage point can reach hosts or services inside a target network that should be isolated.
Common use cases include:
- PCI DSS segmentation validation.
- Testing access from a user subnet into a cardholder data environment.
- Verifying that firewall, routing, VLAN, VPN, or ACL changes block unintended reachability.
- Producing per-network evidence showing either observed reachability or no observed reachability.
Segmentation projects are different from internal network penetration tests. A segmentation project answers "can this agent reach this network and which ports respond?" Internal network testing performs broader vulnerability discovery, service analysis, and agent-led exploitation workflows.
Requirements
Segmentation testing requires:
- A Full Coverage or higher plan. Perimeter-only plans cannot create segmentation projects.
- At least one registered internal agent.
- The selected internal agent must be deployed at the network location you want to test from.
- Target scope containing one or more authorized networks, IPs, domains, or hostnames.
The internal agent is selected during project creation. If no agent is registered, the project creation flow blocks review and directs an admin to create one under Settings -> Internal Agents.
Creating a segmentation project
- Go to Projects.
- Select New Project.
- In the advanced project types, choose Segmentation.
- Enter the project name and optional description.
- Add the target scope. Enter one target per line, comma-separated targets, or upload a .csv or .txt file.
- Open the settings step and choose the internal agent that will execute the scan.
- Configure scan depth and transport.
- Review the project summary, selected agent, target scope, settings, and estimated Agent Ops.
- Submit the project and start the scan when ready.
Segmentation scope is stored as the target networks for the project. The review step shows the selected agent, host discovery setting, TCP coverage, transport, and UDP coverage when UDP is enabled.
Segmentation settings
Internal Agent
The internal agent is the deployed scanner that runs from inside the customer network. The test results only reflect reachability from that agent's network location.
Choose the agent whose placement matches the segmentation question. For example, to test whether a general corporate subnet can reach a protected environment, deploy or select an agent in the corporate subnet.
Host Discovery
Host discovery controls whether RedVeil performs a preliminary host discovery pass before port checks.
- Disabled: RedVeil uses -Pn behavior and attempts selected port checks against the target without relying on ping responses. This is the default and is commonly preferred for QSA-ready segmentation evidence.
- Enabled: RedVeil performs a ping-style discovery step first and focuses port checks on responsive hosts.
Most QSAs request no host discovery for segmentation validation because filtered hosts may ignore discovery probes even when services are reachable.
TCP Port Coverage
TCP coverage controls how broad the TCP scan is.
- All 65,535 TCP ports: Default. Best for formal segmentation validation where all TCP exposure should be tested.
- Top 1000 TCP ports: Faster, but narrower. Use only when a reduced test scope is acceptable.
When Top 1000 is selected, the UI warns that QSAs commonly expect all TCP ports.
Transport
Transport controls whether RedVeil runs TCP only or both TCP and UDP scans.
- TCP: Default and faster.
- TCP and UDP: Adds UDP scanning. This can materially increase runtime and may produce more ambiguous results because UDP responses are less deterministic.
UDP Port Coverage
UDP coverage appears only when TCP and UDP is selected.
- Top 100 UDP ports: Default when UDP is enabled.
- All 65,535 UDP ports: Broadest UDP coverage, but can take a very long time across large networks.
What RedVeil runs
For each target network, RedVeil queues scan tasks to the selected internal agent.
The workflow captures:
- Testing-device network location with ip addr.
- TCP nmap command and output.
- Optional UDP nmap command and output.
- Agent self-IP addresses, which are excluded from the target scan so the agent does not report itself as reachable evidence.
TCP scans use SYN scan behavior, no DNS resolution, and reason output. If host discovery is disabled, the scan includes no-ping behavior. Depending on project settings, TCP coverage is either 1-65535 or the top 1000 ports.
UDP scans use UDP scan behavior, no DNS resolution, reason output, and either the top 100 UDP ports or all UDP ports.
Results and findings
RedVeil creates one segmentation finding per target network.
For usable scan results, the automated interpretation is intentionally binary:
- If any TCP or UDP reachability is observed, RedVeil treats the result as a segmentation weakness with an open finding and severity 7.0.
- If no reachability is observed and the evidence suggests segmentation is effective, RedVeil creates an informational result with severity 0.0.
Each finding includes reproducible Markdown evidence with the relevant nmap commands and output snippets. RedVeil also appends a QSA evidence section containing:
- Testing-device location command.
- Testing-device location output excerpt.
- TCP nmap command.
- TCP nmap output excerpt.
- UDP nmap command and output excerpt when UDP was run.
If automated interpretation fails after the scan completes, RedVeil still stores the raw scan evidence and creates a manual-review finding so the result is not lost.
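The two sections above describe the evidence RedVeil preserves (the ip addr location capture, the nmap command, the nmap output, the agent self-IP exclusion) and the binary interpretation rule (any observed reachability is an open finding at severity 7.0, otherwise an informational result at 0.0, with a manual-review finding when interpretation fails). The following Python is an added example, not RedVeil's code, showing how an assessor or auditor could re-derive that interpretation from a preserved evidence bundle offline. The sample ip addr and nmap output are constructed with hypothetical addresses; the evidence_gaps check assumes that -Pn, -n, --reason and -p 1-65535 (or -p-) are the nmap flags behind the behaviours the page names, since the page states the behaviours rather than exact flags; and routing UDP "open|filtered" results to manual review is this example's own choice for the ambiguity the Transport section mentions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample evidence (hypothetical addresses; not from any real scan) ---
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 10.10.7.5/24 brd 10.10.7.255 scope global eth0
"""
SAMPLE_TCP_COMMAND = "nmap -sS -Pn -n --reason -p 1-65535 10.10.0.0/16"
SAMPLE_TCP_OUTPUT = """\
Nmap scan report for 10.10.7.5
Host is up, received user-set (0.00010s latency).
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64

Nmap scan report for 10.10.5.20
Host is up, received user-set (0.0012s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE REASON
22/tcp   open   ssh     syn-ack ttl 63
443/tcp  open   https   syn-ack ttl 63
3306/tcp closed mysql   reset ttl 63

Nmap scan report for 10.10.5.21
Host is up, received user-set.
All 65535 scanned ports on 10.10.5.21 are in ignored states.
"""

INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+)/\d+")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+\s+(.*)$")


def agent_self_ips(ip_addr_output: str) -> set[str]:
    """Collect the testing device's own IPv4 addresses from the preserved `ip addr` excerpt."""
    return {m.group(1) for line in ip_addr_output.splitlines() if (m := INET_RE.match(line))}


@dataclass(frozen=True)
class PortObservation:
    host: str
    port: int
    proto: str
    state: str   # nmap state: open, closed, filtered, open|filtered, ...
    reason: str  # text from --reason, e.g. "syn-ack ttl 63"


def parse_nmap_output(output: str, exclude: set[str]) -> list[PortObservation]:
    """Parse per-port lines from `nmap --reason` output, skipping any host in `exclude`
    so the agent can never count itself as reachability evidence."""
    observations, host = [], None
    for line in output.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
            continue
        if host is None or host in exclude:
            continue
        if m := PORT_RE.match(line):
            observations.append(PortObservation(host, int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return observations


def evidence_gaps(command: str, host_discovery: bool, all_tcp_ports: bool) -> list[str]:
    """Compare the preserved command with the project settings it is supposed to reflect.
    Assumption (not stated by the page): these flags realise the documented behaviours."""
    tokens = command.split()
    gaps = []
    if not host_discovery and "-Pn" not in tokens:
        gaps.append("host discovery disabled but command lacks -Pn")
    if "-n" not in tokens:
        gaps.append("command lacks -n (no DNS resolution expected)")
    if "--reason" not in tokens:
        gaps.append("command lacks --reason")
    if all_tcp_ports and "-p-" not in tokens and "-p 1-65535" not in command:
        gaps.append("all-ports coverage selected but command does not scan 1-65535")
    return gaps


@dataclass
class Interpretation:
    status: str               # open_finding | informational | manual_review
    severity: Optional[float]
    reachable: list[PortObservation]
    ambiguous: list[PortObservation]


def interpret(observations: list[PortObservation]) -> Interpretation:
    """Apply the binary rule: any confirmed open port is a 7.0 finding, none is 0.0 informational.
    UDP open|filtered means no response at all, so it is neither proof of reachability nor of
    isolation; this example sends such results to manual review rather than guessing."""
    reachable = [o for o in observations if o.state == "open"]
    ambiguous = [o for o in observations if o.state == "open|filtered"]
    if reachable:
        return Interpretation("open_finding", 7.0, reachable, ambiguous)
    if ambiguous:
        return Interpretation("manual_review", None, reachable, ambiguous)
    return Interpretation("informational", 0.0, reachable, ambiguous)


def evaluate(ip_addr_output: str, command: str, output: str,
             host_discovery: bool = False, all_tcp_ports: bool = True):
    gaps = evidence_gaps(command, host_discovery, all_tcp_ports)
    observations = parse_nmap_output(output, agent_self_ips(ip_addr_output))
    return gaps, interpret(observations)


if __name__ == "__main__":
    gaps, result = evaluate(SAMPLE_IP_ADDR, SAMPLE_TCP_COMMAND, SAMPLE_TCP_OUTPUT)
    print("evidence gaps:", gaps or "none")
    print(result.status, result.severity)
    for o in result.reachable:
        print(f"  {o.host}:{o.port}/{o.proto} {o.state} ({o.reason})")
```

On the sample bundle the agent's own address 10.10.7.5 is dropped before interpretation, 10.10.5.21 contributes no port lines, and the two open ports on 10.10.5.20 produce an open finding at 7.0; running the same check over the UDP command and output, when UDP was enabled, is a second call to evaluate with the UDP evidence.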
Monitoring progress
During a scan, the Hosts view shows target networks as scanning, complete, offline, error, or cancelled. Host task history records key milestones such as:
- Testing device location captured.
- Segmentation scan started.
- TCP segmentation scan completed.
- UDP segmentation scan completed, when applicable.
- Segmentation results interpreted.
The project can be paused, resumed, cancelled, or retried using the standard project controls. If the internal agent goes offline, RedVeil marks the affected scan state accordingly and preserves completed evidence.
Segmentation reports
Segmentation projects have a dedicated report type: Segmentation Test Report.
From the project Reports page:
- Click Create report.
- Choose Segmentation test report.
- Wait for generation to complete.
- View or download the PDF.
Segmentation projects can generate:
- Segmentation Test Report PDF.
- Issues CSV export.
Other PDF report types are hidden or unavailable for segmentation projects because segmentation projects use a specialized evidence format.
CLI usage
The CLI can create segmentation projects and generate segmentation reports.
Create a segmentation project:
pentest-agent project create segmentation \
  --name "PCI Segmentation Validation" \
  --target 10.10.0.0/16 \
  --internal-agent-id <agent_id> \
  --segmentation-port-scope all_ports \
  --segmentation-transport tcp \
  --segmentation-host-discovery false

Include UDP:

pentest-agent project create segmentation \
  --name "Segmentation TCP and UDP" \
  --target 10.20.0.0/16 \
  --internal-agent-id <agent_id> \
  --segmentation-transport tcp_udp \
  --segmentation-udp-port-scope top_100

Generate a segmentation report:

pentest-agent report generate \
  --project <project_id> \
  --type segmentation_pdf

Best practices
- Place the internal agent exactly where the segmentation claim needs to be tested.
- Use all TCP ports for formal segmentation validation unless the assessor has approved a reduced scope.
- Keep host discovery disabled when you need conservative evidence that does not depend on ping responses.
- Use UDP selectively. It can be useful, but broad UDP testing can be slow and less deterministic.
- Review the target scope carefully before starting. Segmentation tests are designed to run against authorized networks only.
- Preserve the generated segmentation report and issues CSV alongside firewall rules, network diagrams, and change records for audit packages.