Red Team Operations
Adversary simulation using MITRE ATT&CK. Full campaign planning, phishing, physical access, and executive reporting.
What You Receive
- Campaign-level executive report focused on detection, response, and resilience
- Detailed technical attack narrative with MITRE ATT&CK technique mapping
- Detection engineering recommendations for SOC teams
- Tabletop exercise debrief with blue team and leadership
- Post-engagement Purple Team workshop (optional)
A red team engagement is an objective-driven simulation of a real adversary's full attack campaign. Unlike a penetration test — which scope-bounds technical testing — a red team is given an objective ("reach the customer database", "establish persistent access to the CFO's email", "exfiltrate the design files for product X") and operates under realistic constraints to achieve it.
The deliverable is not a vulnerability list. It is an answer to a strategic question: would our defences detect, contain, and respond to an actual attack?
When Red Team Is the Right Engagement
Red team operations are most valuable for organisations that:
- Have a mature security programme with detection and response capabilities in place
- Need to validate SOC effectiveness, not just identify vulnerabilities
- Hold high-value assets or operate in highly regulated sectors
- Have completed penetration testing and want to test the next layer (detection, response, organisational resilience)
- Need executive-level evidence of breach-or-no-breach posture for board reporting
For organisations that have not yet validated baseline controls, a comprehensive penetration test followed by tabletop exercises is typically more cost-effective.
Engagement Models
Covert Red Team
The default model. Only the CISO, an executive sponsor, and a designated trusted agent know the engagement is happening. The blue team, SOC, and broader organisation respond as they would to a real attack. This produces the most realistic test of detection and response — and the most valuable data.
Notified Red Team
The blue team knows an engagement is happening within a defined window but does not know the specific timing, methods, or starting point. This balances realism with operational risk for organisations not yet ready for fully covert testing.
Purple Team
Red team and blue team operate with full transparency from the start. The red team executes specific techniques while the blue team observes telemetry and tunes detections in real time. Purple team engagements are detection-engineering exercises rather than realism tests.
Methodology
Our red team methodology aligns with MITRE ATT&CK and the structure of real adversary campaigns:
Phase 1: Reconnaissance
External OSINT — corporate footprint, employee enumeration on LinkedIn, technology stack identification, exposed services, leaked credentials in breach databases, supply chain mapping. We build a target profile equivalent to what a sophisticated adversary would assemble before initial access.
Phase 2: Initial Access
Spear-phishing campaigns targeting identified individuals using contextually relevant pretexts. Physical access where in scope — social engineering at reception, tailgating, dropped USB devices. Exploitation of externally-facing vulnerabilities identified during reconnaissance. Watering-hole attacks where the threat model justifies.
Phase 3: Execution and Persistence
Once initial access is achieved, establish reliable C2 channels. Deploy persistence mechanisms that survive reboots and limited remediation. OPSEC-aware tooling that avoids common EDR detections — custom loaders, in-memory execution, signed binaries living-off-the-land.
Phase 4: Privilege Escalation and Lateral Movement
Move from initial foothold to higher-privilege access. Active Directory abuse (see our AD attack paths analysis), credential dumping, Kerberos ticket abuse, certificate-based persistence via ADCS misconfigurations. Lateral movement to identified crown-jewel assets.
Phase 5: Objective Achievement
Demonstrate compromise of the agreed objective. Exfiltration of designated test data (never genuine customer data), persistent access establishment, evidence of capability without actual harm.
Phase 6: Reporting and Debrief
Full technical narrative mapped to MITRE ATT&CK. Detection gap analysis identifying which techniques were observed and which were missed. Executive-level summary suitable for board reporting. Purple team debrief workshop with the blue team.
What You Receive
- Executive narrative — board-level account of the engagement, focused on detection capability and response effectiveness
- Technical attack narrative — step-by-step account of the campaign with MITRE ATT&CK mapping, screenshots, and timestamps
- Detection gap analysis — for each technique used, whether it was detected, partially detected, or missed
- SOC effectiveness metrics — mean time to detect, mean time to respond, alert quality assessment
- Detection engineering recommendations — specific Sigma / KQL / Splunk SPL rules to close the gaps identified
- Optional Purple Team workshop — joint red/blue session to tune detections against the techniques used
Rules of Engagement
Every red team engagement operates under a formal Rules of Engagement document signed by an executive sponsor. The RoE defines:
- Authorised and prohibited techniques
- In-scope and out-of-scope assets, networks, locations
- Testing windows and blackout periods
- Escalation contacts and emergency stop procedure
- Letter of Authorisation provisions for physical operations
- Data handling — what may be accessed, what must not be exfiltrated even in test
- Engagement duration and milestone checkpoints
UK & USA Coverage
We deliver red team engagements across both jurisdictions. Physical access testing is conducted in person where required; remote operations are conducted from secure UK and US facilities. Engagements involving sensitive industries (defence, critical national infrastructure) follow additional vetting and clearance requirements specific to each jurisdiction.
Frequently Asked Questions
What's the difference between a penetration test and a red team engagement?
How long does a red team engagement take?
Will the blue team know testing is happening?
Do you do physical access testing?
What if you're caught during the engagement?
Can we use a red team to test our SOC?
Is a red team engagement worth the cost for an SME?
Do we need MITRE ATT&CK mapping?
Discuss a Red Team Engagement
Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.