Goal-based adversary emulation, end to end.

A vulnerability scan tells you what is broken. A red team tells you whether an adversary pursuing your most critical assets would succeed — and whether your people, processes, and technology would detect and stop them in time.

MITRE ATT&CK · TIBER-EU · CBEST · TLPT / DORA · Custom C2

Every engagement operates under a signed Rules of Engagement document, defined authorisation chain, and explicit kill-switch authority. Scope, blast-radius limits, and deconfliction procedures are agreed in writing before any activity begins.

ENGAGEMENT MODELS

Pick the lens.

Full Red Team Campaign

  • Threat-intelligence-driven scope: emulation plan built from actors that realistically target your industry and technology stack
  • Full kill chain: recon, initial access, C2 establishment, privilege escalation, lateral movement, persistence, and objective execution
  • Custom infrastructure: dedicated C2 servers, redirectors, and domains purpose-built for the engagement; never shared or re-used
  • Typical duration: 4–12 weeks depending on scope and objectives
  • Blue team debrief and detection gap analysis at engagement close

Assumed Breach

  • Realistic starting position: foothold simulates a compromised workstation, stolen credential, or phished employee at an agreed access level
  • Tests internal segmentation, east-west detection, and privilege escalation defences without spending weeks on external access
  • Crown jewel targeting: objectives defined around your most sensitive data, systems, and business processes
  • Faster time-to-insight; suited to organisations with mature perimeter controls
  • Can be combined with a full campaign or run as a standalone assessment

Purple Team

  • Atomic TTP execution: individual techniques executed one at a time; blue team observes, tunes detections, and confirms coverage before moving to the next
  • Detection engineering output: Sigma rules and detection queries produced collaboratively during the exercise
  • Compressed feedback loop between operators and analysts — atomic TTP execution and detection tuning happen in the same week, vs. months of asynchronous purple-team cycles
  • Ideal for validating SIEM/EDR coverage against a specific threat actor or technique set

THREAT INTEL

Adversaries that realistically target you.

Effective red teaming starts with the question: which threat actors would realistically pursue your organisation, and what would they actually do?

Threat Profiling

  • Sector and industry analysis: identify which threat groups actively target your vertical, geography, and organisation size
  • Technology stack mapping: align adversary TTP selection to your specific EDR, identity stack, cloud provider, and network architecture
  • Crown jewels definition: structured exercise to identify and rank the assets, data, and processes that represent your highest-value targets

Emulation Planning

  • ATT&CK-mapped emulation plan: documented TTP selection with rationale; shared with client before any activity begins
  • Payload and tooling tailoring: tradecraft aligned to known actor behaviour: LOLBins, signed binary abuse, custom loaders, or commodity tooling where appropriate
  • OPSEC alignment: timing, noise profile, and infrastructure design matched to the target actor's known operational security posture

Regulated Frameworks

  • TIBER-EU: European Central Bank framework for threat intelligence-based ethical red teaming of financial entities
  • CBEST: Bank of England framework for UK financial infrastructure; CBEST-aligned methodology and reporting
  • TLPT / DORA: Article 26 threat-led penetration testing under the EU Digital Operational Resilience Act for financial sector entities

METHODOLOGY

Phases and tradecraft.

Campaign Phases

  • Scoping & authorisation: objectives, ROE, authorisation chain, deconfliction contact, kill-switch protocol, and out-of-scope systems documented and signed
  • Threat profiling & emulation plan: adversary selection, TTP mapping, infrastructure provisioning, and payload development
  • Reconnaissance: passive and active recon of perimeter, identities, supply chain, and human targets within authorised scope
  • Initial access: phishing, external exploitation, physical access, or assumed breach depending on agreed scenario
  • Post-exploitation: C2 establishment, privilege escalation, credential harvesting, lateral movement, and persistence
  • Objective execution: pursuit of defined crown-jewel targets under OPSEC constraints; simulated exfiltration or impact within agreed blast-radius limits
  • Cleanup & verification: removal of all implants, persistence, and infrastructure; cleanup verified jointly with client before engagement close
  • Readout & debrief: attack narrative walkthrough with red and blue team, detection gap analysis, and remediation prioritisation

OPSEC & Custom Infrastructure

  • Dedicated C2 infrastructure: operator servers, redirectors, and categorised domains provisioned exclusively for the engagement and decommissioned at close
  • Traffic blending: C2 callbacks profiled to blend with legitimate traffic patterns for the target environment
  • Living-off-the-land (LOLBins): native OS tools, signed binaries, and built-in scripting engines used where actor tradecraft warrants
  • Payload obfuscation & evasion: tailored to the specific EDR and security stack in scope; no off-the-shelf default configurations
  • Operational logging: every operator action timestamped and logged internally throughout the campaign for precise deconfliction
  • No cross-engagement contamination: tools, infrastructure, and implants are never shared or re-used across client engagements

SCOPE OPTIONS

Where the campaign can run.

Technical

  • External perimeter: internet-facing infrastructure and applications
  • Internal network: on-premises, segmented environments, OT/ICS where applicable
  • Cloud: IAM abuse, misconfiguration exploitation, and cross-account movement
  • Identity: directory services, SSO platforms, and federation attacks
  • Email and collaboration: phishing, BEC simulation, and supply chain impersonation

Human & Physical

  • Social engineering: pretexting, vishing, and tailored spear-phishing campaigns against named or role-based targets
  • Physical access: tailgating, badge cloning, and access control bypass to test physical security controls and guard response
  • Both require specific written authorisation identifying the authorising officer and defined boundaries of acceptable contact

Supply Chain & Third-Party

  • Supplier impersonation: simulated compromise of a trusted vendor to test third-party trust relationships
  • MSP vectors: testing trust granted to managed service providers and IT service providers
  • Requires authorisation from all affected parties before any third-party systems are contacted or impersonated

ROE & SAFETY

Governance you can sign off on.

An engagement that disrupts production or creates a real incident is a failure — regardless of what it found.

Authorisation & Limits

  • Written authorisation chain: ROE document signed by the authorising officer (typically CISO and/or legal counsel) before any activity; defines who can issue a halt instruction
  • Explicit out-of-scope systems: safety-critical systems, production databases, third-party infrastructure, and regulated data stores listed explicitly and enforced operationally
  • Blast-radius limits: no destructive actions, no data deletion, no ransomware deployment simulation without explicit written authorisation and a defined rollback plan
  • Kill-switch protocol: designated contact at the client can halt all red team activity immediately at any time; operators acknowledge the halt within a defined window

Operational Safety

  • Deconfliction process: if the blue team escalates a detection to incident response, the deconfliction contact can confirm red team activity within minutes
  • Change window alignment: high-impact activity scheduled away from critical business periods and change freezes
  • Real attacker discovery protocol: if genuine threat actor activity is discovered during the engagement, operations pause and the client is notified immediately
  • Legal and HR alignment: social engineering and physical scenarios scoped with legal and HR to ensure compliance with employment law

DELIVERABLES

Technical, detection, executive.

Technical Report

  • Chronological attack narrative with operator logs, screenshots, and evidence for every step
  • Full attack path diagram: initial access through objective execution with all pivot points
  • ATT&CK navigator layer: complete TTP mapping across the campaign with technique-level annotations
  • IOC package: C2 domains, IP addresses, file hashes, and behavioural indicators
  • Control failures identified at each phase with root cause analysis
  • Cleanup verification record: all implants, persistence, and infrastructure removed and confirmed

Detection Engineering

  • Sigma rules: detection rules for techniques that went undetected, ready for import into your SIEM
  • Replayable validation: test cases for each technique used, enabling ongoing blue team validation
  • Detection gap analysis: techniques detected vs. missed, with time-to-detect where applicable
  • EDR/SIEM tuning recommendations to reduce noise and increase signal fidelity
  • Purple team validation plan: structured programme for closing identified detection gaps
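An added example of the detection gap analysis and Navigator layer deliverables above (illustration only, not the provider's own tooling): it joins a constructed operator log against constructed SIEM alerts, computes time-to-detect per ATT&CK technique, and emits an ATT&CK Navigator layer that colours missed techniques red and detected ones green. The log entries, alert timestamps, and the Navigator version strings are assumptions.

```python
import json
from datetime import datetime

# Constructed operator log for illustration: (timestamp, ATT&CK technique ID, action).
OPERATOR_LOG = [
    ("2024-03-04T09:12:00Z", "T1566.001", "phishing attachment delivered"),
    ("2024-03-04T09:40:00Z", "T1059.001", "PowerShell stager executed"),
    ("2024-03-04T10:05:00Z", "T1003.001", "credential harvesting on workstation"),
    ("2024-03-05T14:30:00Z", "T1021.002", "lateral movement to file server"),
]

# Constructed SIEM alerts: (timestamp, technique ID the analyst mapped the alert to).
SIEM_ALERTS = [
    ("2024-03-04T09:41:30Z", "T1059.001"),
    ("2024-03-04T10:47:00Z", "T1003.001"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detection_gap(operator_log, alerts):
    """Map each technique to minutes-to-detect (first alert at or after the action) or None if missed."""
    result = {}
    for acted_at, technique, _ in operator_log:
        acted = _ts(acted_at)
        hits = [_ts(a) for a, t in alerts if t == technique and _ts(a) >= acted]
        result[technique] = (min(hits) - acted).total_seconds() / 60 if hits else None
    return result

def navigator_layer(gaps, name="Red team detection gap"):
    """Build an ATT&CK Navigator layer dict; version strings assume Navigator 4.9.x (layer format 4.5)."""
    techniques = []
    for technique, ttd in gaps.items():
        detected = ttd is not None
        techniques.append({
            "techniqueID": technique,
            "score": 1 if detected else 0,
            "color": "#8ec843" if detected else "#ff6666",
            "comment": f"detected after {ttd:.0f} min" if detected else "not detected",
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
    }

if __name__ == "__main__":
    print(json.dumps(navigator_layer(detection_gap(OPERATOR_LOG, SIEM_ALERTS)), indent=2))
```

Saving the printed JSON to a file and importing it into ATT&CK Navigator gives the blue team a per-technique view of what was caught and how quickly.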

Executive & Remediation

  • Executive summary: business risk narrative, objectives achieved, and key conclusions
  • Risk-rated remediation roadmap: prioritised actions ranked by impact on adversary capability, not just CVSS score
  • People and process findings: detection failures, escalation gaps, and response time analysis separate from technical findings
  • Threat actor comparison: how your defences performed against the emulated actor's known success rate against comparable organisations
  • Recommended retesting scope to validate remediation effectiveness