Service

Red team operations.

Full-scope adversary simulation against your people, process, and technology. Modelled on the real threat actors targeting your industry — mapped to MITRE ATT&CK, aligned to TIBER-EU and CBEST for financial-sector engagements. We measure detection and response, not just exploitability.


Think like the adversary. Become the adversary.

A red team engagement is the closest a defender can get to experiencing a real breach — without the actual breach. We pick an objective (steal the crown-jewel database, deploy code to production, exfiltrate the CEO’s mailbox) and pursue it with the same patience, tradecraft, and stealth as the threat actors you’re actually worried about.

Unlike a penetration test, the goal isn’t to find every vulnerability. The goal is to quietly succeed against your full stack of defences — humans, processes, EDR, SIEM, IDPS, IDR — and report exactly where the wheels fell off, in MITRE ATT&CK terms your blue team can act on.

Red team vs. penetration testing.

Both are valuable. They’re not interchangeable:

Penetration testing

  • Goal: find and exploit as many vulnerabilities as possible
  • Scope: defined — one app, one network, one cloud account
  • Stealth: not required — defenders are usually informed
  • Output: comprehensive list of findings

Red team operations

  • Goal: achieve a specific objective like a real threat actor would
  • Scope: everything is in play — phishing, physical, supply chain, cloud, network
  • Stealth: critical — only a small “white cell” knows it’s an exercise
  • Output: full attack path, detection gap analysis, blue team improvement plan

Engagement phases.

  1. Scoping & threat modelling. Choose the threat actor profile (financial APT, ransomware affiliate, insider, hacktivist) and define the objective. Identify the white cell — usually CISO + 1–2 trusted people.
  2. Threat intelligence. For TIBER-EU style engagements, intelligence on relevant threat actors’ TTPs is gathered and baked into the operations plan.
  3. Reconnaissance. Passive OSINT on the target organization, employees, and infrastructure. Pretexting and target identification for social engineering.
  4. Initial access. Tailored spear-phishing campaigns, exposed-service exploitation, or supply-chain entry — whichever fits the threat model.
  5. Command & control. Establish persistent, low-and-slow C2 with custom infrastructure designed to evade your specific EDR and proxy stack.
  6. Lateral movement & privilege escalation. Move toward the objective using living-off-the-land techniques; document every step.
  7. Action on objective. Demonstrate impact on the agreed crown-jewel target without causing operational harm.
  8. Debrief & purple team. Walk every action through with the blue team, replay techniques, and tune detections.

Common objectives.

  • Achieve Domain Admin in the corporate Active Directory
  • Reach the cardholder data environment or sensitive customer database
  • Deploy code to production from a compromised developer endpoint
  • Exfiltrate the CEO/CFO mailbox or an M&A SharePoint site
  • Compromise the cloud control plane (root account, billing role)
  • Disrupt a critical business process (e.g., trading platform availability)
  • Bypass MFA on a privileged identity provider

Purple team workshop.

Every red team engagement offers an optional purple team handoff. After the report is delivered, we sit with your blue team and walk through every technique we used — one MITRE ATT&CK technique at a time. For each technique:

  • We re-execute the technique in a controlled way
  • Your team checks whether the SIEM/EDR/log pipeline saw it
  • If detection was missing, we co-author the detection rule on the spot (Sigma, KQL, EQL, Splunk SPL)
  • If detection fired but wasn’t actioned, we identify the process gap

The deliverable is a measurable lift in your detection coverage — not just a report saying you missed things.

Tradecraft & tooling.

We use commercial C2 frameworks alongside custom tooling to evade signature detection:

  • Cobalt Strike
  • Sliver
  • Mythic
  • Havoc
  • Custom payloads
  • GoPhish
  • Evilginx
  • Modlishka
  • SharpHound
  • Rubeus
  • Certify
  • Inveigh
  • Seatbelt
  • BadBlood

Phishing campaigns use bespoke infrastructure aged appropriately for the threat actor being simulated, with realistic pretexts informed by OSINT. We deconflict every payload with the white cell before execution.

Frameworks & alignment.

  • MITRE ATT&CK — every action mapped to a technique and sub-technique
  • TIBER-EU (Threat Intelligence Based Ethical Red Teaming) — financial-sector engagements aligned to the European Central Bank framework
  • CBEST — Bank of England intelligence-led testing for UK financial services
  • iCAST (Hong Kong) and FEER (Saudi) where required by regulators
  • NIST SP 800-115 / 800-53 CA-8 control validation
  • DORA (EU Digital Operational Resilience Act) TLPT (Threat-Led Penetration Testing) alignment for critical financial entities

What you receive.

  • Executive narrative — the story of the engagement, written for the board
  • Technical report — every action with timestamp, MITRE ATT&CK mapping, and detection assessment
  • Detection gap analysis — technique-by-technique scorecard of what your defences caught
  • Sigma rule pack co-authored during the purple team workshop
  • Time-to-detect / time-to-respond metrics for each phase
  • Replay package for your blue team to re-run techniques in a lab
  • Threat actor emulation report for TIBER-EU / CBEST engagements
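The detection gap analysis and the time-to-detect / time-to-respond metrics listed above come from the purple team workshop: the red team's action log, tagged with ATT&CK technique IDs, is joined against the alerts the blue team's SIEM raised, and every action is classified as caught, caught but not actioned (a process gap), or missed (a candidate for the co-authored Sigma rule pack). The script below is an added example written for this page, not this firm's tooling or report format. It assumes both logs are available as simple timestamped records with a technique ID, uses a constructed sample timeline for one engagement day, and correlates each action with the first alert for the same technique that fired after it within a configurable window (24 hours here, an assumption).

```python
"""Purple team scorecard: join red team actions to SIEM alerts per ATT&CK technique."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class RedAction:
    ts: datetime
    technique: str        # ATT&CK technique or sub-technique ID, e.g. "T1059.001"
    phase: str            # engagement phase the action belongs to
    description: str


@dataclass
class SiemAlert:
    ts: datetime
    technique: str
    acknowledged_at: Optional[datetime] = None   # None: alert fired but was never actioned


@dataclass
class TechniqueScore:
    technique: str
    phase: str
    status: str                                  # detected | detected_not_actioned | missed
    time_to_detect: Optional[timedelta] = None
    time_to_respond: Optional[timedelta] = None


def score_action(action: RedAction, alerts: list[SiemAlert],
                 window: timedelta = timedelta(hours=24)) -> TechniqueScore:
    """Match one action to the first alert for the same technique that fired
    after the action and inside the correlation window. Alerts that fired
    before the action are unrelated and must not count as detections."""
    candidates = sorted(
        (a for a in alerts
         if a.technique == action.technique and action.ts <= a.ts <= action.ts + window),
        key=lambda a: a.ts,
    )
    if not candidates:
        return TechniqueScore(action.technique, action.phase, "missed")
    first = candidates[0]
    ttd = first.ts - action.ts
    if first.acknowledged_at is None:
        return TechniqueScore(action.technique, action.phase, "detected_not_actioned", ttd)
    return TechniqueScore(action.technique, action.phase, "detected", ttd,
                          first.acknowledged_at - action.ts)


def build_scorecard(actions: list[RedAction], alerts: list[SiemAlert],
                    window: timedelta = timedelta(hours=24)) -> list[TechniqueScore]:
    """One scorecard row per red team action, in timeline order."""
    return [score_action(a, alerts, window) for a in sorted(actions, key=lambda x: x.ts)]


def summarise(scores: list[TechniqueScore]) -> dict:
    """Coverage ratios, mean TTD/TTR, and the two work lists the workshop produces:
    missed techniques (write a rule) and unactioned alerts (fix the process)."""
    counts = {"detected": 0, "detected_not_actioned": 0, "missed": 0}
    for s in scores:
        counts[s.status] += 1
    total = len(scores)
    seen = counts["detected"] + counts["detected_not_actioned"]
    ttds = [s.time_to_detect for s in scores if s.time_to_detect is not None]
    ttrs = [s.time_to_respond for s in scores if s.time_to_respond is not None]
    mean = lambda ds: sum(d.total_seconds() for d in ds) / len(ds) if ds else None
    return {
        **counts,
        "total": total,
        "detection_coverage": seen / total if total else 0.0,       # pipeline saw it
        "response_coverage": counts["detected"] / total if total else 0.0,  # and someone acted
        "mean_ttd_seconds": mean(ttds),
        "mean_ttr_seconds": mean(ttrs),
        "rule_backlog": [s.technique for s in scores if s.status == "missed"],
        "process_gaps": [s.technique for s in scores if s.status == "detected_not_actioned"],
    }


# Constructed sample timeline for a single engagement day (not real engagement data).
T0 = datetime(2024, 3, 4, 9, 0)
LATMOV = "Lateral movement & privilege escalation"
SAMPLE_ACTIONS = [
    RedAction(T0 + timedelta(minutes=12), "T1566.001", "Initial access", "phishing attachment delivered"),
    RedAction(T0 + timedelta(minutes=15), "T1059.001", "Initial access", "PowerShell stager executed"),
    RedAction(T0 + timedelta(minutes=40), "T1071.001", "Command & control", "HTTPS beacon established"),
    RedAction(T0 + timedelta(hours=2, minutes=5), "T1003.001", LATMOV, "LSASS memory read"),
    RedAction(T0 + timedelta(hours=4, minutes=30), "T1021.002", LATMOV, "admin share access to file server"),
    RedAction(T0 + timedelta(hours=6), "T1041", "Action on objective", "staged data sent over C2 channel"),
]
SAMPLE_ALERTS = [
    SiemAlert(T0 + timedelta(minutes=16), "T1059.001", acknowledged_at=T0 + timedelta(minutes=58)),
    SiemAlert(T0 + timedelta(hours=2, minutes=6), "T1003.001"),                       # fired, never actioned
    SiemAlert(T0 + timedelta(hours=4, minutes=31), "T1021.002",
              acknowledged_at=T0 + timedelta(hours=5, minutes=10)),
    SiemAlert(T0 + timedelta(hours=5), "T1041"),   # unrelated alert an hour before the exfil action
]

if __name__ == "__main__":
    rows = build_scorecard(SAMPLE_ACTIONS, SAMPLE_ALERTS)
    for r in rows:
        print(f"{r.technique:<10} {r.status:<22} ttd={r.time_to_detect} ttr={r.time_to_respond}")
    print(summarise(rows))
```

The status split matters more than the raw coverage number: a "missed" row goes straight into the Sigma rule backlog, while "detected_not_actioned" means the SIEM did its job and the gap is in triage or escalation, which no new rule will fix.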

Frequently asked questions.

What is the difference between red team and pen testing?

Penetration testing finds and exploits as many vulnerabilities as possible in a defined scope. Red team operations simulate a specific threat actor pursuing a specific objective — measuring your detection and response capability across people, process, and technology, not just technical weaknesses.

How long does a red team engagement take?

Most red team engagements run 2–4 weeks of active operations, plus 1 week of planning and 1 week of reporting. Threat-led engagements aligned to TIBER-EU or CBEST can extend to 12 weeks including threat intelligence gathering.

Will you trigger our SOC?

That is the point. Only a small “white cell” inside your organization knows the engagement is happening. The blue team responds as if it were a real incident, and we measure their detection time, scoping accuracy, and response effectiveness.

Do you offer purple team exercises?

Yes. After a red team engagement we run a purple team workshop with your defenders — replaying every technique, validating detection coverage in your SIEM, and building or tuning the detections that would have caught us.

Are red teams safe to run against production?

Yes, when properly scoped. We use non-destructive payloads, agree exclusion lists in advance, and keep a dedicated incident channel so the white cell can deconflict instantly if a genuine incident occurs during the engagement.

Find out how you’d hold up

Run a red team exercise.

Confidential scoping call. We’ll discuss your threat model and regulator requirements, and propose an engagement aligned to your maturity.