Objective-based · realistic

Red Team / Adversary Simulation

Intelligence-led adversary simulation that tests your detection and response across the whole attack chain.

A red team engagement, also called adversary simulation, is a goal-oriented test that mirrors a real attack against your organisation. A penetration test finds as many vulnerabilities as possible within a defined scope. A red team pursues one objective: exfiltrate a defined data set, gain domain administrator access, or demonstrate a ransomware impact path. We use the tactics, techniques and procedures that real adversaries use, and we test your detection, response and resilience under realistic pressure. We look past the holes themselves to see whether your controls, your analysts and your incident response would stop us.

The consultant who scopes your engagement leads its delivery, and senior people handle every phase.

Who this is for / when to test

  • Maturing security programme: you have run penetration tests and want to test detection and response under realistic conditions.
  • Compliance and assurance: regulatory or insurance requirements call for adversary simulation.
  • Post-incident: you want to confirm that defensive improvements made after a breach hold up.
  • High-stakes events: you are preparing for an IPO, acquisition or major launch where a breach would be severe.
  • Board assurance: you need to show that controls stand up to real attack techniques.

Start with a penetration test. If you have never had one, or have no detection capability yet, a red team engagement will tell you little.

What we test

  • Threat intelligence and scenario design: OSINT, external attack-surface mapping, and a scenario modelled on a relevant threat actor.
  • Initial access: spear phishing, exploitation of exposed services, supply-chain pretexts and, where agreed, physical access.
  • Persistence and privilege escalation: we hold access and escalate from standard user to domain or cloud-privileged roles.
  • Lateral movement: Pass-the-Hash/Ticket, BloodHound-driven path analysis, and movement across on-premises and cloud identity.
  • Defence evasion: living off the land, obfuscated command-and-control, and operating to blend with legitimate activity.
  • Objective and impact: we demonstrate data exfiltration or ransomware impact in a controlled way, with your explicit consent and without causing real harm.

Our methodology

We run engagements intelligence-led and structure them on the principles of TIBER-EU and CBEST. We draw on these frameworks; we hold no accreditation under them. We map every technique to MITRE ATT&CK.

  1. Threat intelligence and scenario design: we agree the objective, rules of engagement and a realistic threat scenario.
  2. Initial access: we gain a foothold using the agreed access vectors.
  3. Persistence and lateral movement: we establish durable access and move toward the objective.
  4. Objectives: we achieve the agreed goal and document every action and what your team did and did not detect.
  5. Detection and response debrief: we run a purple-team session that turns the engagement into concrete detection and response improvements.

Throughout, we record what we tried, what worked, what your team detected and the time-to-detect at each milestone.

Testing approaches

  • Assumed breach: we start from a standard user account or compromised workstation to test internal controls, segmentation and lateral-movement detection.
  • Full chain: we start with no access and exercise the complete attack chain, from initial access to objective. This gives the broadest coverage.
  • Scenario-driven: we tailor TTPs to a specific threat actor, such as a ransomware group or an APT pursuing intellectual property.
  • Purple team: red and blue teams work together in real time to build and tune detections.

We recommend assumed breach for a first engagement, then full chain as your programme matures.

What you get

  • An executive summary and an attack narrative: a chronological account of how we reached the objective, which controls stopped us and which did not.
  • Technical findings with evidence, each mapped to MITRE ATT&CK.
  • Per-finding remediation plus detection content: example SIEM, Sigma and KQL queries, and EDR tuning recommendations.
  • Where individual vulnerabilities apply, a CVSS severity rating alongside a business-risk rating, plus response metrics (MTTD/MTTR) for the engagement as a whole.
  • Same-day notification of any critical finding.
  • A purple-team debrief call and a retest of remediated detection and response gaps.

FAQs

How long does an engagement take? We run red team engagements over weeks rather than days, typically three to six weeks, which reflects how a real low-and-slow operation works.

Will it disrupt the business? No. We work within agreed rules of engagement, with a control group of aware stakeholders and a clear stop procedure.

Can it be done remotely? We run the digital phases remotely. Where physical social engineering is in scope, we run it on-site.

How is this different from a penetration test? A penetration test enumerates vulnerabilities in a defined scope. A red team pursues an objective stealthily to test whether you would detect and respond to a real attacker.

Discuss a red-team engagement

hello@leveragecyber.io
