A simulated adversary campaign with a defined objective (“exfiltrate the customer-PII bucket”, “deploy ransomware to the build server”, “obtain a production AWS access key”), tested across as many vectors as it takes.
What gets tested
- Initial access — phishing, smishing, OSINT, supply-chain via dependency
- Lateral movement — once in, can we move? What’s logged?
- Privilege escalation — IAM, group policy, sudoers files, the lot
- Detection & response — does your SOC see us? In how long? What gets paged?
- Exfiltration — the final boss: can we leave with what we came for?
How it runs
Four-week minimum, six-week typical. We coordinate timing with a single point of contact on your side (usually CISO or VP Eng) who is not in the SOC. The SOC doesn’t know we’re coming — that’s the point.
We end with a purple-team debrief: a half-day session walking your detection team through every action we took, what fired, what didn’t, and what coverage gaps that exposes.
What you walk away with
- Attacker-timeline report — every action, every alert (or absence thereof)
- Detection-engineering recommendations — concrete Sigma / Sentinel rules
- A debrief recording your SOC can replay
- Re-test of the highest-impact paths inside 90 days
// honest caveat
A red team is not a substitute for a pen test. We recommend running a
penetration test first to clear out the basics — otherwise the red team finds
the same medium-severity issues a $32K engagement would have found, for $80K.