Red team operations

Find out whether you would notice an intrusion in progress.

Multi-stage red team operations aligned to MITRE ATT&CK — initial access through objective completion, and an honest readout of what your detection program actually caught.

What's at stake

Having a SOC and an EDR is not the same as knowing they work.

A pentest answers "are there vulnerabilities?" A red team operation answers "would we detect and respond to a real intrusion?" Different questions, different answers.

If your board wants evidence the company would notice an active intrusion, or you want to know if your detection program actually catches things, a vulnerability scan or compliance pentest will not answer it. A red team operation will.

Operation phases

Five operational phases plus a detection readout, mapped to MITRE ATT&CK.

Reconnaissance

External recon, target identification, infrastructure profiling.

Initial access

Phishing, exposed services, or assumed-breach foothold per scope.

Privilege escalation

Local and domain escalation paths; cloud-IAM trust abuse.

Lateral movement

Move toward agreed objectives — sensitive data, critical workloads.

Objective and exfil

Demonstrate impact in a controlled way; no destructive payloads.

Detection readout

Map every technique attempted to what was logged, alerted, and contained.

Engagement variants

Three ways to scope a red team.

Full red team

Goal-driven, black-box or gray-box, with limited internal awareness. Best when you want to test the detection program end-to-end.

Assumed breach

Start from an agreed foothold (compromised endpoint or low-tier account). Faster, focused on internal detection.

Purple team

Collaborative with your blue team. Each technique is run, reviewed, and rerun once detections are tuned.

Typical scenarios

Three patterns we see most often.

New SOC, real test

You stood up a SOC or EDR program and want to know if it actually catches an intrusion in progress.

Annual program

Your detection program needs an annual stress test that goes beyond a tabletop or breach simulation.

Executive ask

Your CEO or board wants documented evidence the company would notice an active intrusion.

What you get

A detection coverage matrix you can act on.

Operation narrative

A timeline of every action: what we did, when, from where, and how long until anyone reacted.

ATT&CK coverage

Every technique attempted, mapped to MITRE ATT&CK with what was logged, alerted on, and contained.

Detection backlog

A prioritized list of detections to add or tune, with the data source and rule logic to start from.

Want to know if your detection program would catch a real intrusion?

A quick scoping call gives you a clear objective, timeline, and fixed price.

Get a straight answer

FAQ

Red team — common questions

When should we run a red team operation instead of a pentest?

Pick a red team when you have a SOC, EDR, or detection program and want to know if it actually catches a real intrusion — not just whether vulnerabilities exist.

Do you cover initial access?

Yes — phishing or assumed-breach scenarios, agreed in scope. We do not run unannounced physical or social-engineering campaigns without explicit written authorization.

How do you measure detection?

For each technique attempted we record what was logged, alerted, investigated, and contained — mapped to MITRE ATT&CK. The deliverable includes a detection coverage matrix and a prioritized gap list with recommended detections.
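As an added illustration of the readout described here and under "What you get" (example code, not the firm's own tooling), the sketch below turns a list of attempted techniques and the blue team's observed events into a coverage matrix with minutes-to-log, minutes-to-alert and minutes-to-contain per technique, then orders the gaps into a backlog. The technique ids, timestamps and events are constructed sample data, not results from a real engagement.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from a real engagement): one record per
# technique attempted, and the blue-team events observed afterwards.
ATTEMPTS = [
    {"technique": "T1566.001", "phase": "Initial access", "ts": datetime(2024, 5, 6, 9, 0)},
    {"technique": "T1078.002", "phase": "Privilege escalation", "ts": datetime(2024, 5, 6, 11, 30)},
    {"technique": "T1021.002", "phase": "Lateral movement", "ts": datetime(2024, 5, 7, 14, 0)},
    {"technique": "T1048", "phase": "Objective and exfil", "ts": datetime(2024, 5, 8, 10, 0)},
]
EVENTS = [
    {"technique": "T1566.001", "kind": "logged", "ts": datetime(2024, 5, 6, 9, 1)},
    {"technique": "T1566.001", "kind": "alerted", "ts": datetime(2024, 5, 6, 9, 40)},
    {"technique": "T1566.001", "kind": "contained", "ts": datetime(2024, 5, 6, 12, 5)},
    {"technique": "T1078.002", "kind": "logged", "ts": datetime(2024, 5, 6, 11, 30)},
    {"technique": "T1021.002", "kind": "logged", "ts": datetime(2024, 5, 7, 14, 0)},
    {"technique": "T1021.002", "kind": "alerted", "ts": datetime(2024, 5, 7, 16, 30)},
]
STAGES = ("logged", "alerted", "contained")


def coverage_matrix(attempts, events):
    """Per technique: minutes from the attempt to each stage, or None if it never happened."""
    matrix = {}
    for a in attempts:
        row = {"phase": a["phase"]}
        for stage in STAGES:
            hits = [e["ts"] for e in events
                    if e["technique"] == a["technique"] and e["kind"] == stage and e["ts"] >= a["ts"]]
            row[stage] = round((min(hits) - a["ts"]) / timedelta(minutes=1)) if hits else None
        matrix[a["technique"]] = row
    return matrix


def detection_backlog(matrix):
    """Gaps ordered by severity: no telemetry first, then no alert rule, then no response."""
    rank = {"logged": 0, "alerted": 1, "contained": 2}
    gaps = []
    for tech, row in matrix.items():
        for stage in STAGES:
            if row[stage] is None:
                gaps.append((rank[stage], tech, stage))
                break  # the first missing stage is the one to fix
    return [(tech, stage) for _, tech, stage in sorted(gaps)]


if __name__ == "__main__":
    matrix = coverage_matrix(ATTEMPTS, EVENTS)
    for tech, row in matrix.items():
        print(tech, row)
    print("backlog:", detection_backlog(matrix))
```

A technique with no "logged" entry is a data-source gap rather than a rule gap, which is why it sorts to the top of the backlog.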

Will this disrupt production?

No. No destructive payloads, no data destruction. Activity is throttled and hard limits are agreed before kickoff.

How long does a red team engagement take?

4–6 weeks of operations plus a week for reporting and debrief. Purple-team variants can compress into shorter cycles.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.