🔴

Red Team Operations

Adversary simulation using MITRE ATT&CK. Full campaign planning, phishing, physical access, and executive reporting.

MITRE ATT&CKPhishingC2OPSECSocial EngineeringPhysical Security
Serving clients across the United Kingdom & United States of America

What You Receive

  • Campaign-level executive report focused on detection, response, and resilience
  • Detailed technical attack narrative with MITRE ATT&CK technique mapping
  • Detection engineering recommendations for SOC teams
  • Tabletop exercise debrief with blue team and leadership
  • Post-engagement Purple Team workshop (optional)

A red team engagement is an objective-driven simulation of a real adversary's full attack campaign. Unlike a penetration test — which scope-bounds technical testing — a red team is given an objective ("reach the customer database", "establish persistent access to the CFO's email", "exfiltrate the design files for product X") and operates under realistic constraints to achieve it.

The deliverable is not a vulnerability list. It is an answer to a strategic question: would our defences detect, contain, and respond to an actual attack?

When Red Team Is the Right Engagement

Red team operations are most valuable for organisations that:

  • Have a mature security programme with detection and response capabilities in place
  • Need to validate SOC effectiveness, not just identify vulnerabilities
  • Hold high-value assets or operate in highly regulated sectors
  • Have completed penetration testing and want to test the next layer (detection, response, organisational resilience)
  • Need executive-level evidence of breach-or-no-breach posture for board reporting

For organisations that have not yet validated baseline controls, a comprehensive penetration test followed by tabletop exercises is typically more cost-effective.

Engagement Models

Covert Red Team

The default model. Only the CISO, an executive sponsor, and a designated trusted agent know the engagement is happening. The blue team, SOC, and broader organisation respond as they would to a real attack. This produces the most realistic test of detection and response — and the most valuable data.

Notified Red Team

The blue team knows an engagement is happening within a defined window but does not know the specific timing, methods, or starting point. This balances realism with operational risk for organisations not yet ready for fully covert testing.

Purple Team

Red team and blue team operate with full transparency from the start. The red team executes specific techniques while the blue team observes telemetry and tunes detections in real time. Purple team engagements are detection-engineering exercises rather than realism tests.

Methodology

Our red team methodology aligns with MITRE ATT&CK and the structure of real adversary campaigns:

Phase 1: Reconnaissance

External OSINT — corporate footprint, employee enumeration on LinkedIn, technology stack identification, exposed services, leaked credentials in breach databases, supply chain mapping. We build a target profile equivalent to what a sophisticated adversary would assemble before initial access.

Phase 2: Initial Access

Spear-phishing campaigns targeting identified individuals using contextually relevant pretexts. Physical access where in scope — social engineering at reception, tailgating, dropped USB devices. Exploitation of externally-facing vulnerabilities identified during reconnaissance. Watering-hole attacks where the threat model justifies.

Phase 3: Execution and Persistence

Once initial access is achieved, establish reliable C2 channels. Deploy persistence mechanisms that survive reboots and limited remediation. OPSEC-aware tooling that avoids common EDR detections — custom loaders, in-memory execution, signed binaries living-off-the-land.

Phase 4: Privilege Escalation and Lateral Movement

Move from initial foothold to higher-privilege access. Active Directory abuse (see our AD attack paths analysis), credential dumping, Kerberos ticket abuse, certificate-based persistence via ADCS misconfigurations. Lateral movement to identified crown-jewel assets.

Phase 5: Objective Achievement

Demonstrate compromise of the agreed objective. Exfiltration of designated test data (never genuine customer data), persistent access establishment, evidence of capability without actual harm.

Phase 6: Reporting and Debrief

Full technical narrative mapped to MITRE ATT&CK. Detection gap analysis identifying which techniques were observed and which were missed. Executive-level summary suitable for board reporting. Purple team debrief workshop with the blue team.

What You Receive

  • Executive narrative — board-level account of the engagement, focused on detection capability and response effectiveness
  • Technical attack narrative — step-by-step account of the campaign with MITRE ATT&CK mapping, screenshots, and timestamps
  • Detection gap analysis — for each technique used, whether it was detected, partially detected, or missed
  • SOC effectiveness metrics — mean time to detect, mean time to respond, alert quality assessment
  • Detection engineering recommendations — specific Sigma / KQL / Splunk SPL rules to close the gaps identified
  • Optional Purple Team workshop — joint red/blue session to tune detections against the techniques used

Rules of Engagement

Every red team engagement operates under a formal Rules of Engagement document signed by an executive sponsor. The RoE defines:

  • Authorised and prohibited techniques
  • In-scope and out-of-scope assets, networks, locations
  • Testing windows and blackout periods
  • Escalation contacts and emergency stop procedure
  • Letter of Authorisation provisions for physical operations
  • Data handling — what may be accessed, what must not be exfiltrated even in test
  • Engagement duration and milestone checkpoints

UK & USA Coverage

We deliver red team engagements across both jurisdictions. Physical access testing is conducted in person where required; remote operations are conducted from secure UK and US facilities. Engagements involving sensitive industries (defence, critical national infrastructure) follow additional vetting and clearance requirements specific to each jurisdiction.

Frequently Asked Questions

What's the difference between a penetration test and a red team engagement?
Penetration tests are scope-bounded technical assessments — they identify and demonstrate vulnerabilities. Red team engagements are objective-driven adversary simulations — they test detection and response, not just controls. A pen test finds vulnerabilities; a red team finds out whether you'd notice an actual attack.
How long does a red team engagement take?
4-12 weeks for a typical engagement. Reconnaissance and OPSEC preparation: 1-2 weeks. Initial access campaign: 1-3 weeks. Internal operations to reach objectives: 2-6 weeks. Reporting and debrief: 1-2 weeks. Faster engagements are possible but trade depth and realism for speed.
Will the blue team know testing is happening?
That depends on the engagement model. In a covert red team, only a small number of approved stakeholders know — typically the CISO and a designated trusted agent. In a notified red team, the blue team knows the window but not the methods or timing. Purple Team engagements have full transparency between red and blue teams from the start.
Do you do physical access testing?
Yes — physical access is part of full-scope adversary simulation. Tailgating, badge cloning, social engineering at reception, dropping malicious USB devices, accessing unattended workstations. Physical testing is heavily scope-controlled and requires explicit written authorisation for each location and method.
What if you're caught during the engagement?
We carry a Letter of Authorisation signed by an executive sponsor at all times. If physically detained or questioned by security or law enforcement, the LoA is presented and the named sponsor is contacted to verify. The engagement is logged in advance with relevant stakeholders to prevent inadvertent law enforcement involvement.
Can we use a red team to test our SOC?
Yes — this is one of the most valuable applications. Red team campaigns generate realistic, multi-stage attack telemetry that exercises detection rules, alert triage, escalation procedures, and incident response coordination. SOC effectiveness data from a red team is far more actionable than tabletop exercises alone.
Is a red team engagement worth the cost for an SME?
Usually not — SMEs typically extract more value from a comprehensive penetration test combined with a tabletop incident response exercise. Red team engagements are most valuable for organisations with mature security programmes, dedicated SOC capabilities, and high-value or regulated assets to protect.
Do we need MITRE ATT&CK mapping?
Yes — every action taken during a red team is mapped to specific MITRE ATT&CK techniques in the final report. This allows defenders to evaluate which techniques their detections cover and which they missed, providing a structured basis for detection engineering investment.

Discuss a Red Team Engagement

Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.

By submitting this form you agree to our privacy policy. We will only use your details to respond to this enquiry.