adversary emulation · 02

Find out what a determined attacker actually breaks.

Goal-based red team operations against your production environment. We pick the same objectives a real adversary would chase, attempt the same paths, and tell your detection team what they missed.

01. in scope

What's in scope.

A red team engagement is structured by objective, not by asset list. We agree the goals in writing; everything in the path is fair game unless explicitly excluded.

Initial access

Phishing with tailored pretext, OSINT-driven credential abuse, exposed services, cloud misconfigurations. We pick the path most likely to succeed for your specific threat model.

Foothold and persistence

Same techniques real groups use: scheduled tasks, cron, registry, OAuth app abuse, service-account hijack. Visibility check at every step.

Privilege escalation

Local kernel exploits where appropriate, misconfigured sudo, AD attack paths, IAM blast-radius walks in cloud, secrets sprayed across CI/CD systems.

Lateral movement

Pass-the-hash, kerberoasting, SSH key reuse, cloud cross-account roles, GitOps trust chains, VPN-to-internal pivots.

Objective execution

Whatever you said success looks like: data exfil, admin takeover, prod data tampering, supply-chain pivot, SaaS tenant takeover. We do not pretend to succeed when we did not.

Detection and response signal

Every action timestamped. Compared with your SIEM, EDR, and SOC tickets in the debrief. You learn what alerted, what fired late, and what your team never saw.

02. how we work

How we work on it.

How a red team engagement runs end to end.

  1. Objective workshop: 90 minutes. We agree the goals, scope boundaries, communication protocol, and abort conditions. Written rules of engagement.
  2. Reconnaissance: OSINT, surface mapping, employee enumeration, tech-stack fingerprinting. You do not see this phase.
  3. Active operations: two to six weeks depending on objective complexity. Daily safety check-ins; a single trusted contact knows we are active.
  4. Containment and debrief: we end on a signal, not a deadline. Everything documented with timestamps for the purple-team session.
  5. Purple-team workshop: half-day session. We replay every step with your SOC. They see what fired and what did not, then adjust detections live.

03. deliverables

What you walk away with.

What an engagement produces.

Operations timeline

Every action, command, and target with UTC timestamp. Cross-reference against your SIEM and EDR to find the gaps.

MITRE ATT&CK mapping

Each technique we used, mapped to the framework your detection team already speaks. Useful for purple-team training and detection roadmap.

Detection gap report

Where your tooling fired, where it did not, and which signals would have caught us. Includes detection rules in Sigma or your platform syntax on request.
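The operations timeline, the ATT&CK mapping and the detection gap report above are three views of the same reconciliation: every timestamped red-team action is matched against what the SIEM and EDR actually raised. The script below is an added illustration of that cross-reference, not the page's or any vendor's tooling. All hosts, timestamps and alerts are constructed sample data; the ATT&CK technique ids are real ids, but the mapping of sample actions to them is a constructed assumption, as are the one-hour match window and the five-minute "late" threshold.

```python
# Added example (not from the page or any vendor's tooling): reconcile a
# red-team operations timeline against a SIEM/EDR alert export to produce
# a detection-gap summary. All timestamps, hosts and alerts are constructed
# sample data; the ATT&CK technique ids are real, but the action-to-technique
# mapping is a constructed example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-06T09:02:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass
class Action:
    ts: datetime          # UTC time the operator ran the step
    host: str             # host the step was executed against
    technique: str        # ATT&CK technique id from the engagement mapping
    description: str


@dataclass
class Alert:
    ts: datetime
    host: str
    technique: Optional[str]  # None when the alert carries no ATT&CK tag
    source: str               # which tool raised it (EDR, SIEM, mail gateway, ...)


# Constructed operations timeline: action, target, UTC timestamp, ATT&CK id.
OPS_TIMELINE: List[Action] = [
    Action(parse_utc("2024-05-06T09:02:00Z"), "ws-042", "T1566.001", "phishing attachment opened"),
    Action(parse_utc("2024-05-06T09:10:00Z"), "ws-042", "T1053.005", "scheduled task created for persistence"),
    Action(parse_utc("2024-05-06T10:30:00Z"), "ws-042", "T1003.001", "LSASS memory read"),
    Action(parse_utc("2024-05-06T11:05:00Z"), "dc-01", "T1558.003", "kerberoast: TGS requests for SPN accounts"),
    Action(parse_utc("2024-05-06T11:40:00Z"), "srv-db-03", "T1550.002", "pass-the-hash logon to database server"),
    Action(parse_utc("2024-05-06T12:15:00Z"), "srv-db-03", "T1048", "data staged and exfiltrated over DNS"),
]

# Constructed SIEM/EDR alert export for the same day.
SIEM_ALERTS: List[Alert] = [
    Alert(parse_utc("2024-05-06T09:03:30Z"), "ws-042", "T1566.001", "mail-gateway"),
    Alert(parse_utc("2024-05-06T10:31:00Z"), "ws-042", "T1003.001", "edr"),
    Alert(parse_utc("2024-05-06T11:55:00Z"), "dc-01", "T1558.003", "siem"),
    Alert(parse_utc("2024-05-06T12:40:00Z"), "ws-042", None, "av"),  # unrelated noise
]


def reconcile(actions: List[Action], alerts: List[Alert], window: timedelta = timedelta(hours=1)):
    """Match each action to the earliest alert on the same host that fired
    within `window` after it and whose technique tag matches or is absent.
    Returns one record per action: status, latency in seconds, alert source."""
    out = []
    for a in actions:
        hits = [
            al for al in alerts
            if al.host == a.host
            and a.ts <= al.ts <= a.ts + window
            and (al.technique is None or al.technique == a.technique)
        ]
        if hits:
            first = min(hits, key=lambda al: al.ts)
            out.append({"action": a, "status": "detected",
                        "latency_s": (first.ts - a.ts).total_seconds(),
                        "source": first.source})
        else:
            out.append({"action": a, "status": "missed", "latency_s": None, "source": None})
    return out


def coverage_by_technique(results) -> Dict[str, Tuple[int, int]]:
    """Per ATT&CK technique: (actions detected, actions attempted)."""
    cov: Dict[str, Tuple[int, int]] = {}
    for r in results:
        t = r["action"].technique
        det, tot = cov.get(t, (0, 0))
        cov[t] = (det + int(r["status"] == "detected"), tot + 1)
    return cov


def late_detections(results, threshold: timedelta = timedelta(minutes=5)):
    """Actions that were detected, but only after `threshold` had elapsed."""
    return [r for r in results
            if r["status"] == "detected" and r["latency_s"] > threshold.total_seconds()]


if __name__ == "__main__":
    res = reconcile(OPS_TIMELINE, SIEM_ALERTS)
    for r in res:
        a = r["action"]
        print(f"{a.ts.isoformat()} {a.host:<10} {a.technique:<10} {r['status']:<8}"
              f" latency={r['latency_s']} via={r['source']}  {a.description}")
    print("coverage by technique:", coverage_by_technique(res))
    print("fired late:", [r["action"].technique for r in late_detections(res)])
```

On the constructed data this reports the phish, the LSASS read and the kerberoast as detected, flags the kerberoast as late (the SIEM rule fired 50 minutes after the requests), and lists the scheduled task, the pass-the-hash logon and the DNS exfiltration as gaps that the detection report and remediation playbook would then prioritise. The unmatched AV alert is deliberately left out of the match, since an alert that does not land in the window after a logged action says nothing about that action.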

Executive narrative

A five-to-ten-page write-up your CISO can take to the board. The story, not the tooling.

Purple-team workshop

Half-day live session. Your SOC walks the timeline with us. Detections improve before we leave.

Remediation playbook

Prioritized fix list. Detection rules to add, IAM paths to close, training to schedule, configuration changes to deploy.

04. when

When teams hire us for this.

When a red team is the right call.

You already passed a pentest

A pentest finds bugs in the surface you handed over. A red team finds the surface you did not realize you had.

Your SOC needs a real exercise

Tabletop exercises and purple-team drills are useful. A live, unannounced operation is the only way to know what your team actually catches in production.

You want a board-level signal

A red team report tells the board what would happen if a real adversary picked your company this quarter. Concrete, not theoretical.

Pre-IPO or pre-acquisition

A red team result is increasingly part of late-stage diligence. We deliver it in a format buyers and auditors accept.

05. faq

Questions before the call.

Common red team questions.

Will this take down production?

No. Rules of engagement explicitly forbid destructive actions. We stop on signal. Every action is reversible.

Who at our company should know?

A trusted contact is required. Two to four people total, usually CISO, head of engineering, head of legal. Your SOC must not know; otherwise the exercise is invalid.

How is success measured?

Against the objectives you set in the scoping workshop. If we reach them, we describe how. If we do not, we explain what stopped us. We do not pretend.

Can you do this remotely only?

Yes. Physical and onsite operations are available on request but cost more and need separate legal coverage.

How does this differ from a pentest?

A pentest is scoped by asset and runs from a known starting point. A red team is scoped by objective and starts from zero, the same way a real adversary does.

Want to know what your SOC actually catches?

Book a 30-minute scoping call. We will tell you whether a red team is the right next step or whether a pentest would answer the question first.