Goal-based adversary emulation, end to end.
A vulnerability scan tells you what is broken. A red team tells you whether an adversary pursuing your most critical assets would succeed — and whether your people, processes, and technology would detect and stop them in time.
MITRE ATT&CK · TIBER-EU · CBEST · TLPT / DORA · Custom C2
Every engagement operates under a signed Rules of Engagement document, defined authorisation chain, and explicit kill-switch authority. Scope, blast-radius limits, and deconfliction procedures are agreed in writing before any activity begins.
ENGAGEMENT MODELS
Pick the lens.
Full Red Team Campaign
- Threat-intelligence-driven scope — emulation plan built from actors that realistically target your industry and technology stack
- Full kill chain — recon, initial access, C2 establishment, privilege escalation, lateral movement, persistence, and objective execution
- Custom infrastructure — dedicated C2 servers, redirectors, and domains purpose-built for the engagement; never shared or re-used
- Typical duration: 4–12 weeks depending on scope and objectives
- Blue team debrief and detection gap analysis at engagement close
Assumed Breach
- Realistic starting position — foothold simulates a compromised workstation, stolen credential, or phished employee at an agreed access level
- Tests internal segmentation, east-west detection, and privilege escalation defences without spending weeks on external access
- Crown jewel targeting — objectives defined around your most sensitive data, systems, and business processes
- Faster time-to-insight; suited to organisations with mature perimeter controls
- Can be combined with a full campaign or run as a standalone assessment
Purple Team
- Atomic TTP execution — individual techniques executed one at a time; blue team observes, tunes detections, and confirms coverage before moving to the next
- Detection engineering output — Sigma rules and detection queries produced collaboratively during the exercise
- Compressed feedback loop between operators and analysts — atomic TTP execution and detection tuning happen in the same week, rather than across months of asynchronous purple-team cycles
- Ideal for validating SIEM/EDR coverage against a specific threat actor or technique set
THREAT INTEL
Adversaries that realistically target you.
Effective red teaming starts with the question: which threat actors would realistically pursue your organisation, and what would they actually do?
Threat Profiling
- Sector and industry analysis — identify which threat groups actively target your vertical, geography, and organisation size
- Technology stack mapping — align adversary TTP selection to your specific EDR, identity stack, cloud provider, and network architecture
- Crown jewels definition — structured exercise to identify and rank the assets, data, and processes that represent your highest-value targets
Emulation Planning
- ATT&CK-mapped emulation plan — documented TTP selection with rationale; shared with client before any activity begins
- Payload and tooling tailoring — tradecraft aligned to known actor behaviour: LOLBins, signed binary abuse, custom loaders, or commodity tooling where appropriate
- OPSEC alignment — timing, noise profile, and infrastructure design matched to target actor's known operational security posture
Regulated Frameworks
- TIBER-EU — European Central Bank framework for threat-intelligence-based ethical red teaming of financial entities
- CBEST — Bank of England framework for UK financial infrastructure; CBEST-aligned methodology and reporting
- TLPT / DORA Article 26 — threat-led penetration testing under the EU Digital Operational Resilience Act for financial sector entities
METHODOLOGY
Phases and tradecraft.
Campaign Phases
- Scoping & authorisation — objectives, ROE, authorisation chain, deconfliction contact, kill-switch protocol, and out-of-scope systems documented and signed
- Threat profiling & emulation plan — adversary selection, TTP mapping, infrastructure provisioning, and payload development
- Reconnaissance — passive and active recon of perimeter, identities, supply chain, and human targets within authorised scope
- Initial access — phishing, external exploitation, physical access, or assumed breach depending on agreed scenario
- Post-exploitation — C2 establishment, privilege escalation, credential harvesting, lateral movement, and persistence
- Objective execution — pursuit of defined crown-jewel targets under OPSEC constraints; simulated exfiltration or impact within agreed blast-radius limits
- Cleanup & verification — removal of all implants, persistence, and infrastructure; cleanup verified jointly with client before engagement close
- Readout & debrief — attack narrative walkthrough with red and blue team, detection gap analysis, and remediation prioritisation
OPSEC & Custom Infrastructure
- Dedicated C2 infrastructure — operator servers, redirectors, and categorised domains provisioned exclusively for the engagement and decommissioned at close
- Traffic blending — C2 callbacks profiled to blend with legitimate traffic patterns for the target environment
- Living-off-the-land (LOLBins) — native OS tools, signed binaries, and built-in scripting engines used where actor tradecraft warrants
- Payload obfuscation & evasion — tailored to the specific EDR and security stack in scope; no off-the-shelf default configurations
- Operational logging — every operator action timestamped and logged internally throughout the campaign for precise deconfliction
- No cross-engagement contamination — tools, infrastructure, and implants are never shared or re-used across client engagements
SCOPE OPTIONS
Where the campaign can run.
Technical
- External perimeter: internet-facing infrastructure and applications
- Internal network: on-premises, segmented environments, OT/ICS where applicable
- Cloud: IAM abuse, misconfiguration exploitation, and cross-account movement
- Identity: directory services, SSO platforms, and federation attacks
- Email and collaboration: phishing, BEC simulation, and supply chain impersonation
Human & Physical
- Social engineering — pretexting, vishing, and tailored spear-phishing campaigns against named or role-based targets
- Physical access — tailgating, badge cloning, and access control bypass to test physical security controls and guard response
- Both require specific written authorisation identifying the authorising officer and defined boundaries of acceptable contact
Supply Chain & Third-Party
- Supplier impersonation — simulated compromise of a trusted vendor to test third-party trust relationships
- MSP vectors — testing trust granted to managed service providers and IT service providers
- Requires authorisation from all affected parties before any third-party systems are contacted or impersonated
ROE & SAFETY
Governance you can sign off on.
An engagement that disrupts production or creates a real incident is a failure — regardless of what it found.
Authorisation & Limits
- Written authorisation chain — ROE document signed by the authorising officer (typically CISO and/or legal counsel) before any activity; defines who can issue a halt instruction
- Explicit out-of-scope systems — safety-critical systems, production databases, third-party infrastructure, and regulated data stores listed explicitly and enforced operationally
- Blast-radius limits — no destructive actions, no data deletion, no ransomware deployment simulation without explicit written authorisation and defined rollback plan
- Kill-switch protocol — designated contact at the client can halt all red team activity immediately at any time; operators acknowledge the halt within a defined window
Operational Safety
- Deconfliction process — if the blue team escalates a detection to incident response, the deconfliction contact can confirm red team activity within minutes
- Change window alignment — high-impact activity scheduled away from critical business periods and change freezes
- Real attacker discovery protocol — if genuine threat actor activity is discovered during the engagement, operations pause and the client is notified immediately
- Legal and HR alignment — social engineering and physical scenarios scoped with legal and HR to ensure compliance with employment law
DELIVERABLES
Technical, detection, executive.
Technical Report
- Chronological attack narrative with operator logs, screenshots, and evidence for every step
- Full attack path diagram: initial access through objective execution with all pivot points
- ATT&CK navigator layer — complete TTP mapping across the campaign with technique-level annotations
- IOC package: C2 domains, IP addresses, file hashes, and behavioural indicators
- Control failures identified at each phase with root cause analysis
- Cleanup verification record: all implants, persistence, and infrastructure removed and confirmed
Detection Engineering
- Sigma rules — detection rules for techniques that went undetected, ready for import into your SIEM
- Replayable validation test cases — for each technique used, enabling ongoing blue team validation
- Detection gap analysis: techniques detected vs. missed, with time-to-detect where applicable
- EDR/SIEM tuning recommendations to reduce noise and increase signal fidelity
- Purple team validation plan: structured programme for closing identified detection gaps
Executive & Remediation
- Executive summary: business risk narrative, objectives achieved, and key conclusions
- Risk-rated remediation roadmap — prioritised actions ranked by impact on adversary capability, not just CVSS score
- People and process findings: detection failures, escalation gaps, and response time analysis separate from technical findings
- Threat actor comparison: how your defences performed relative to the emulated actor's known success rate against comparable organisations
- Recommended retesting scope to validate remediation effectiveness
Get a written proposal
Send scope + timeline. Detailed SoW within 1 business day.
Email a senior practitioner
Direct line for scoping questions. NDA available on request before you share details.
hello@grillisecurity.com
Active incident?
24/7 incident line. Triage call + retainer set-up inside the hour for new engagements.
+372 5610 1641
