A single infected laptop should be an inconvenience, not a catastrophe that ends up on the front page of a trade publication. Whether it stays that way depends almost entirely on what that laptop can reach once it is inside your network, and in far too many businesses, the honest answer is everything without exception. Nobody chose that outcome deliberately; it simply accumulated, unnoticed, over years of ordinary growth.
One Door Opens Every Room
A flat network is one where every device, from the receptionist’s PC to the finance server holding payroll data, sits on the same segment with no internal barriers between them at all. It is simple to build and simple to manage, which is exactly why so many small and mid-sized businesses end up with one, often without ever deciding to build it that way on purpose. It just grew, one new device at a time, until nothing was separated from anything else on the network. Nobody sat down one afternoon and decided the payroll server should share a segment with every laptop in the building.
This is precisely the scenario that internal network pen testing is designed to expose, by simulating what happens after an attacker gains an initial foothold, rather than only checking whether they can get in from outside the perimeter. The question that matters most is rarely how they got in, it is how far they could travel once they were already there.

The Difference Between Contained and Catastrophic
Segmentation is the practice of splitting a network into separate zones, so that a compromised marketing workstation cannot simply stroll over to the finance server or the customer database without crossing a deliberate barrier along the way. Done properly, a breach on one segment stays a breach on one segment and nothing more. Without it, the attacker’s job becomes remarkably easy, because the entire network is effectively one open room with no internal walls at all separating anything of value. Every additional hop an attacker must make is another chance for your monitoring tools to notice something is wrong.
William Fieldhouse has seen this distinction decide the outcome of an incident more than once in his career.
“In one test, a compromised guest laptop reached the payroll server within four minutes because nothing on the network told it that was not allowed. There was no wall to hit, no alarm to trip, just a straight, uninterrupted path from one device to the other across the entire building.”
— William Fieldhouse, Director of Aardwolf Security Ltd
Four minutes is not a lot of time to detect and respond to anything happening on your network. That is exactly why segmentation matters more than almost any other single control available, because it buys you time, limits blast radius, and turns what could be a full-scale breach into a contained incident on one isolated segment while your team investigates and responds properly.
Build Walls Before You Need Them
Segmenting a network after a breach is remediation. Segmenting it beforehand is prevention, and it is considerably cheaper in every sense of the word, financial and reputational alike. Combine internal testing with regular external network pen testing so you understand both how an attacker gets in and how far they could travel once through the door, and close both gaps before they get tested by someone with far worse intentions. Most businesses only discover how flat their network truly is once someone has already exploited it.





