Service A.06 · Red Teaming & Adversary Simulation

Red teaming services that test your blue team - not just your perimeter.

CyberFortify's red teaming and adversary simulation services go beyond a point-in-time pen test. We run goal-based engagements combining phishing, physical-access tradecraft, custom-built malware and the full MITRE ATT&CK tactic library - testing your detection-and-response capability the way a real threat actor would, end to end.

Aligned with: MITRE ATT&CK · TIBER-EU · CBEST Engagement: 3-8 weeks Modes: Full-scope · assumed-breach · purple team
TTPs
Full ATT&CK coverage
OPSEC
Custom C2
IR
Detection validated
Purple
Available
Tactic coverage: Initial Access · Execution · Persistence · Privilege Escalation · Defense Evasion · Credential Access · Discovery · Lateral Movement · Collection · Command & Control · Exfiltration · Impact Tactic coverage: Initial Access · Execution · Persistence · Privilege Escalation · Defense Evasion · Credential Access · Discovery · Lateral Movement · Collection · Command & Control · Exfiltration · Impact
// Executive summary

CyberFortify red teaming is goal-based adversary simulation aligned with MITRE ATT&CK. We test your detection capability across the entire kill chain - not just your perimeter - and deliver both an offensive narrative report and a structured detection-engineering plan your SOC can author rules from.

// 01 What is red teaming?

// DefinitionRed Team

Red teaming is goal-based adversary simulation. Where a penetration test maximises vulnerability discovery in a defined scope, a red team achieves a specific business objective - theft of crown-jewel data, persistence in a critical environment, compromise of executive identity - through any means necessary.

It tests not preventive posture alone, but the detection-and-response capability of your blue team and SOC.

Red teaming assumes the existence of a functional blue team worth testing. Earlier in your security journey, a pen test delivers far more value - we will tell you in scoping which fits your maturity.

CyberFortify red team practice lead

// 02 Red team vs penetration test

Different audiences, different deliverables, different definition of success. Both are valid; running them at the wrong moment wastes both budgets.

Dimension
Red team
Pen test
Success criteria
Specific objective achieved
Maximum coverage of scope
Audience
CISO, SecOps leadership
Engineering, audit
Blue-team awareness
Hidden from blue team
Coordinated
OPSEC
Critical - stealth-graded
Not a primary concern
Scope
Whole org, any vector
Defined system / surface
Duration
3-8 weeks elapsed
1-3 weeks active
Validates
Detection & response
Preventive posture

// 03 Engagement modes - full-scope, assumed-breach, purple

Three engagement models, each answering a different question about your security maturity. The right mode is selected during scoping based on your blue team's experience level and the questions leadership needs answered.

FS

Full-scope red team

External start, no insider information, fully OPSEC-aware. The most realistic adversary simulation; 6-8 weeks elapsed. Best for mature security programmes that need a hard pressure test.

AB

Assumed-breach

Begins with a low-privilege foothold - workstation compromise or leaked credentials. Compresses elapsed time while testing post-exploitation detection. 3-5 weeks.

PT

Purple team

Collaborative engagement with your blue team observing live and tuning detection rules as we execute techniques. Most cost-effective path to detection engineering uplift. Two-week sprints.

// 04 MITRE ATT&CK kill-chain coverage

Every CyberFortify engagement is mapped to the MITRE ATT&CK tactic ledger. The 12 enterprise tactics below are the playbook our techniques are organised against - the report shipped with the engagement maps every action to a specific technique ID.

TA0043Reconnaissance

OSINT, employee profiling, infrastructure mapping, exposed-credential mining.

TA0042Resource Development

Custom infrastructure, code-signing certs, look-alike domains, weaponised payloads.

TA0001Initial Access

Spear-phish, supply chain, valid accounts, exposed services, physical entry.

TA0002Execution

Process injection, scheduled tasks, signed binary proxies, scripting interpreters.

TA0003Persistence

Scheduled tasks, services, registry, account creation, golden tickets.

TA0004Privilege Escalation

Token impersonation, UAC bypass, abuse of elevation control, kernel exploit.

TA0005Defense Evasion

AMSI / ETW patching, BYOVD, indicator removal, in-memory execution.

TA0006Credential Access

LSASS dumping, Kerberoasting, AS-REP, DCSync, browser stores, password spray.

TA0007Discovery

Domain trust, network share, BloodHound, cloud account discovery.

TA0008Lateral Movement

Pass-the-hash, RDP, WMI, SMB, remote services, cloud assume-role.

TA0009Collection

Mailbox harvesting, file shares, screen / keystroke capture, M365 graph.

TA0011Command & Control

Custom Mythic / Sliver C2, domain fronting, DNS tunnels, low-and-slow beacons.

// 05 Capabilities & tradecraft

The capabilities CyberFortify exercises are tuned to the realistic threat model for your sector - ransomware affiliate, financially motivated APT, nation-state, or insider. We do not perform actually destructive actions; impact is demonstrated, not executed.

R.01

Spear-phishing

Pretext-engineered campaigns with custom landing pages, OAuth abuse, browser-in-browser, MFA-fatigue, conditional-access bypass via legacy auth.

R.02

Physical access

Tailgating, badge cloning, evil-maid drops, USB rubber-ducky planting, lock-picking, social engineering of front-of-house and security staff.

R.03

Custom C2 & loaders

Bespoke Mythic agents, Sliver, custom loaders. EDR-aware tradecraft: AMSI / ETW patching, indirect syscalls, BYOVD, hardware breakpoints.

R.04

Identity-centric

Active Directory, Entra ID, Okta, federated SSO. Kerberoasting, Pass-the-Ticket, DCSync, ADCS abuse, OAuth consent grant attacks.

R.05

Cloud pivot

From workstation foothold to cloud control plane - credential discovery on disk, browser cookies, CI / CD token theft, OIDC trust abuse.

R.06

Exfiltration & impact

Demonstrated, not executed: staged ransomware artifacts (no encryption), data-staging proof for crown-jewel datasets, executive mailbox proof-of-access.

// 06 Deliverables - what you receive

Two reports, a debrief, and timestamped technique logs your blue team can back-test against. The detection-engineering plan is the part our customers consistently say creates the most lasting value.

D.01

Offensive narrative

Chronological attack story written for security leadership - what we did, when, what we saw, and where the blue team did or did not detect us.

D.02

Detection-engineering plan

Per-technique detection guidance mapped to ATT&CK with concrete log sources, indicator sets and Sigma / KQL / Splunk SPL examples.

D.03

Technique log

Timestamped record of every action with source / target host, ATT&CK technique ID and the artefacts produced - for blue-team back-testing.

D.04

Executive debrief

One-hour leadership presentation with the headline narrative, the detection gaps, and the prioritised remediation roadmap.

// 07 Framework alignment

FrameworkReferenceHow we map
MITRE ATT&CKEnterprise & Cloud matricesEvery technique tagged with a technique ID
TIBER-EUECB intelligence-led red teamCompatible with TI provider hand-off, regulator coordination
CBESTBank of EnglandUK financial-services red team standard
iCAST / FEER / CORIEHKMA / RBNZ / APRAAPAC intelligence-led red team frameworks
DORA RTEU Digital Operational Resilience ActTLPT (threat-led pen test) requirements
NIST CSF 2.0DE.AE, DE.CM, RS.ANDetection / response capability evidence

// 08 Frequently asked questions

How is red teaming different from penetration testing?

A penetration test maximises vulnerability discovery in a defined scope and serves engineering and audit. A red team achieves a specific objective using any means necessary while testing whether defenders notice, and serves the CISO and SecOps leadership. They are complementary and answer different questions.

What is purple teaming?

A collaborative engagement where the red team executes a defined sequence of MITRE ATT&CK techniques while the blue team observes live and tunes detection rules in real time. The most cost-effective route to detection-engineering improvement.

Should our blue team know the engagement is happening?

For full-scope and assumed-breach engagements, only a small set of approving stakeholders know - CISO, CTO, head of legal, head of HR. The blue team operates as if it were a real attack. Purple-team engagements are openly collaborative.

What is an assumed-breach engagement?

It begins from a low-privilege foothold - a workstation compromise, a leaked credential, a malicious-insider scenario - and tests post-exploitation detection. It compresses elapsed time relative to a full-scope red team while exercising lateral movement, persistence, C2 and exfiltration.

Are you compatible with TIBER-EU, CBEST and iCAST?

Yes. CyberFortify's red teaming service is compatible with the major intelligence-led red teaming frameworks (TIBER-EU, CBEST UK, iCAST Hong Kong, FEER NZ, CORIE Australia, DORA TLPT). These frameworks add formal threat-intelligence inputs, regulator coordination and structured reporting requirements.

How long does an engagement take?

Full-scope: six to eight weeks elapsed. Assumed-breach: three to five weeks. Purple-team sprint: two weeks per ATT&CK tactic group. Continuous adversary simulation programmes are available.

Ready for a red team engagement?

Schedule a 30-minute scoping conversation. CyberFortify's red team lead will recommend a model (full-scope, assumed-breach, purple) and quote a fixed-price engagement - usually within a week.

Schedule scoping call → Back to CyberFortify home →