What Is a SIAM and Why Is One Showing Up at Your Office?

Author: Kathy Collins

If you've scheduled an internal penetration test with Secure Ideas, we've likely asked you to either plug in a small device or spin up a virtual machine on your network. You will hear us refer to that device as a SIAM, or the Secure Ideas Attack Machine. Understandably, some clients want to know exactly what it is, what it does, and whether they should be worried about it sitting on their network. All are fair questions. So let's walk through it.

So What's In the Box?

The SIAM is a custom-configured machine running Kali Linux loaded with the tools we as consultants use during internal penetration tests. Think of it as our tester's workstation, except instead of shipping a person to your office, we ship the machine. Once it's connected to your network and powered on, it establishes an outbound connection back to our infrastructure over a VPN. From there, consultants can work against your internal environment just as if they were sitting in your server room without actually being onsite.

The SIAM comes in two flavors depending on what works best for your environment. The physical option is a small form-factor device, either an Intel NUC or a Dell OptiPlex Micro depending on what we have available, that gets plugged into a network port and a power source. Setup is about as complicated as plugging in a cable box. If anyone still has those.


Figure 1. One of our Intel NUC SIAMs

The virtual option is an OVA file that you import into your existing VMware infrastructure. If you have a team that's comfortable managing VMs and you'd rather not receive hardware in the mail, the virtual option is a clean alternative.

The physical device tends to be the easier lift for organizations that just want to plug something in and be done with it, while the VM option is popular with organizations that have strict policies around physical hardware or who want to keep everything contained within their existing virtualization platform.

Why Not Just Send Someone Onsite?

We do send consultants onsite when it makes sense or our clients prefer it. But for internal testing, it often doesn't need to happen that way, and the SIAM exists precisely because of that. Travel adds costs such as flights, hotels, and rental cars, and those costs get passed along to you. For organizations with multiple locations or tight budgets, that adds up fast. The SIAM lets us do the same quality of internal testing without the additional overhead. Your team doesn't have to coordinate a visit, clear badge access, or schedule around someone being physically present. You plug it in, we confirm connectivity, and testing begins on the agreed schedule.

How Does It Actually Work?

Once the SIAM is connected to your network and powered on, it reaches out to our VPN infrastructure and establishes a secure tunnel. No inbound connections are required on your end; the device initiates everything outbound. Consultants then connect through that tunnel and have access to your internal network segment, which is exactly what we need to simulate what an attacker would be able to do after getting a foothold inside your environment.

Your team just needs to make sure the device can get a DHCP address and that outbound traffic isn't being blocked by a firewall or UTM device. We provide specific instructions for verifying connectivity before testing begins, and our team confirms the connection is solid before we start any work.

Is It Safe to Have on My Network?

This is the question we get most often, and it's the right one to ask. The short answer is yes, and here's why.

The SIAM only communicates outbound to our infrastructure. There are no open inbound ports, no remote access that doesn't originate from the device itself, and no persistent connection that stays alive after the engagement ends. The traffic goes one direction: from your network, out to us, over an encrypted VPN tunnel. An attacker on the internet can't reach the SIAM because there's nothing listening for inbound connections.


Figure 2. The SIAM initiates all outbound traffic. Nothing reaches it from the internet.

The device is also built for authorized testing. It's not running any services that would expose your network to additional risk, and it's not doing anything you haven't explicitly agreed to as part of the engagement scope. If you have SSL inspection or application control running on a UTM device, we'll walk you through what needs to be allowlisted so the connection isn't interrupted. But that's a firewall configuration conversation, not a security concern about the device itself.
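If you want to verify the outbound-only behaviour for yourself rather than take our word for it, your firewall's flow logs are the place to look. The script below is an added example written for this post, not Secure Ideas' own tooling: it takes a constructed, simplified flow-log format, the SIAM's DHCP-assigned address, and your internal ranges (RFC 1918 by default), and reports what the device reached on the internet (to compare against the allowlisted VPN endpoints) and whether anything from outside was ever allowed to reach it. The addresses, ports and log format are all assumptions for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample firewall flow records (not real traffic), assumed format:
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>". 10.20.30.40 plays
# the SIAM's DHCP lease; 203.0.113.10 is a placeholder for the tester's VPN endpoint.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 udp 10.20.30.40:68 -> 10.20.30.1:67 allow
2024-05-01T09:00:02 udp 10.20.30.40:41000 -> 203.0.113.10:1194 allow
2024-05-01T09:00:05 udp 10.20.30.40:41000 -> 203.0.113.10:1194 allow
2024-05-01T09:01:10 tcp 10.20.30.40:41010 -> 10.20.31.5:445 allow
2024-05-01T09:02:00 tcp 198.51.100.7:55555 -> 10.20.30.40:22 deny
2024-05-01T09:02:30 tcp 10.20.31.5:50000 -> 10.20.30.40:4444 allow
"""
# The client's own address space; RFC 1918 by default, override to match your ranges.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def parse_flow(line):
    """Return (proto, src, sport, dst, dport, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    src, sport = parts[2].rsplit(":", 1)
    dst, dport = parts[4].rsplit(":", 1)
    return parts[1], ip_address(src), int(sport), ip_address(dst), int(dport), parts[5]

def audit_siam_flows(log_text, siam_ip, internal_nets=RFC1918):
    """Classify flows touching the SIAM. internet_outbound: Counter of (dst, dport,
    proto) outside internal_nets, to compare with the VPN allowlist. internet_inbound:
    outside sources aimed at the SIAM plus firewall action. internal_inbound: internal hosts."""
    siam = ip_address(siam_ip)
    def is_internal(ip): return any(ip in net for net in internal_nets)
    result = {"internet_outbound": Counter(), "internet_inbound": [], "internal_inbound": []}
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        proto, src, sport, dst, dport, action = rec
        if src == siam and not is_internal(dst):
            result["internet_outbound"][(str(dst), dport, proto)] += 1
        elif dst == siam and not is_internal(src):
            result["internet_inbound"].append((str(src), dport, proto, action))
        elif dst == siam:
            result["internal_inbound"].append((str(src), dport, proto, action))
    return result

def allowed_internet_inbound(result):
    """Inbound-from-internet sessions the firewall let through; should be empty."""
    return [e for e in result["internet_inbound"] if e[3] == "allow"]
```

Internal hosts connecting to the SIAM (the `internal_inbound` bucket) are expected during a test; the entries worth chasing up are any `allow` results in `internet_inbound`, and any `internet_outbound` destination that is not on the list we gave you to allowlist.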

At the end of the engagement, the SIAM goes back in the box and gets shipped back to us, or the VM gets deleted. It doesn't leave anything behind.

The Bottom Line

The SIAM exists because internal penetration testing doesn't have to mean someone shows up at your door with a laptop bag. It keeps costs down for clients, removes scheduling friction, and gives us consultants a consistent, well-equipped platform to work from. If you're considering an internal assessment and want to understand more about how the process works, reach out to the Secure Ideas team and we'll walk you through it.
