CyberFortify red teaming is goal-based adversary simulation aligned with MITRE ATT&CK. We test your detection capability across the entire kill chain - not just your perimeter - and deliver both an offensive narrative report and a structured detection-engineering plan your SOC can author rules from.
// 01 What is red teaming?
Red teaming is goal-based adversary simulation. Where a penetration test maximises vulnerability discovery in a defined scope, a red team achieves a specific business objective - theft of crown-jewel data, persistence in a critical environment, compromise of executive identity - through any means necessary.
It tests not preventive posture alone, but the detection-and-response capability of your blue team and SOC.
Red teaming assumes the existence of a functional blue team worth testing. Earlier in your security journey, a pen test delivers far more value - we will tell you in scoping which fits your maturity.
CyberFortify red team practice lead// 02 Red team vs penetration test
Different audiences, different deliverables, different definition of success. Both are valid; running them at the wrong moment wastes both budgets.
// 03 Engagement modes - full-scope, assumed-breach, purple
Three engagement models, each answering a different question about your security maturity. The right mode is selected during scoping based on your blue team's experience level and the questions leadership needs answered.
Full-scope red team
External start, no insider information, fully OPSEC-aware. The most realistic adversary simulation; 6-8 weeks elapsed. Best for mature security programmes that need a hard pressure test.
Assumed-breach
Begins with a low-privilege foothold - workstation compromise or leaked credentials. Compresses elapsed time while testing post-exploitation detection. 3-5 weeks.
Purple team
Collaborative engagement with your blue team observing live and tuning detection rules as we execute techniques. Most cost-effective path to detection engineering uplift. Two-week sprints.
// 04 MITRE ATT&CK kill-chain coverage
Every CyberFortify engagement is mapped to the MITRE ATT&CK tactic ledger. The 12 enterprise tactics below are the playbook our techniques are organised against - the report shipped with the engagement maps every action to a specific technique ID.
OSINT, employee profiling, infrastructure mapping, exposed-credential mining.
Custom infrastructure, code-signing certs, look-alike domains, weaponised payloads.
Spear-phish, supply chain, valid accounts, exposed services, physical entry.
Process injection, scheduled tasks, signed binary proxies, scripting interpreters.
Scheduled tasks, services, registry, account creation, golden tickets.
Token impersonation, UAC bypass, abuse of elevation control, kernel exploit.
AMSI / ETW patching, BYOVD, indicator removal, in-memory execution.
LSASS dumping, Kerberoasting, AS-REP, DCSync, browser stores, password spray.
Domain trust, network share, BloodHound, cloud account discovery.
Pass-the-hash, RDP, WMI, SMB, remote services, cloud assume-role.
Mailbox harvesting, file shares, screen / keystroke capture, M365 graph.
Custom Mythic / Sliver C2, domain fronting, DNS tunnels, low-and-slow beacons.
// 05 Capabilities & tradecraft
The capabilities CyberFortify exercises are tuned to the realistic threat model for your sector - ransomware affiliate, financially motivated APT, nation-state, or insider. We do not perform actually destructive actions; impact is demonstrated, not executed.
Spear-phishing
Pretext-engineered campaigns with custom landing pages, OAuth abuse, browser-in-browser, MFA-fatigue, conditional-access bypass via legacy auth.
Physical access
Tailgating, badge cloning, evil-maid drops, USB rubber-ducky planting, lock-picking, social engineering of front-of-house and security staff.
Custom C2 & loaders
Bespoke Mythic agents, Sliver, custom loaders. EDR-aware tradecraft: AMSI / ETW patching, indirect syscalls, BYOVD, hardware breakpoints.
Identity-centric
Active Directory, Entra ID, Okta, federated SSO. Kerberoasting, Pass-the-Ticket, DCSync, ADCS abuse, OAuth consent grant attacks.
Cloud pivot
From workstation foothold to cloud control plane - credential discovery on disk, browser cookies, CI / CD token theft, OIDC trust abuse.
Exfiltration & impact
Demonstrated, not executed: staged ransomware artifacts (no encryption), data-staging proof for crown-jewel datasets, executive mailbox proof-of-access.
// 06 Deliverables - what you receive
Two reports, a debrief, and timestamped technique logs your blue team can back-test against. The detection-engineering plan is the part our customers consistently say creates the most lasting value.
Offensive narrative
Chronological attack story written for security leadership - what we did, when, what we saw, and where the blue team did or did not detect us.
Detection-engineering plan
Per-technique detection guidance mapped to ATT&CK with concrete log sources, indicator sets and Sigma / KQL / Splunk SPL examples.
Technique log
Timestamped record of every action with source / target host, ATT&CK technique ID and the artefacts produced - for blue-team back-testing.
Executive debrief
One-hour leadership presentation with the headline narrative, the detection gaps, and the prioritised remediation roadmap.
// 07 Framework alignment
| Framework | Reference | How we map |
|---|---|---|
| MITRE ATT&CK | Enterprise & Cloud matrices | Every technique tagged with a technique ID |
| TIBER-EU | ECB intelligence-led red team | Compatible with TI provider hand-off, regulator coordination |
| CBEST | Bank of England | UK financial-services red team standard |
| iCAST / FEER / CORIE | HKMA / RBNZ / APRA | APAC intelligence-led red team frameworks |
| DORA RT | EU Digital Operational Resilience Act | TLPT (threat-led pen test) requirements |
| NIST CSF 2.0 | DE.AE, DE.CM, RS.AN | Detection / response capability evidence |
// 08 Frequently asked questions
How is red teaming different from penetration testing?
A penetration test maximises vulnerability discovery in a defined scope and serves engineering and audit. A red team achieves a specific objective using any means necessary while testing whether defenders notice, and serves the CISO and SecOps leadership. They are complementary and answer different questions.
What is purple teaming?
A collaborative engagement where the red team executes a defined sequence of MITRE ATT&CK techniques while the blue team observes live and tunes detection rules in real time. The most cost-effective route to detection-engineering improvement.
Should our blue team know the engagement is happening?
For full-scope and assumed-breach engagements, only a small set of approving stakeholders know - CISO, CTO, head of legal, head of HR. The blue team operates as if it were a real attack. Purple-team engagements are openly collaborative.
What is an assumed-breach engagement?
It begins from a low-privilege foothold - a workstation compromise, a leaked credential, a malicious-insider scenario - and tests post-exploitation detection. It compresses elapsed time relative to a full-scope red team while exercising lateral movement, persistence, C2 and exfiltration.
Are you compatible with TIBER-EU, CBEST and iCAST?
Yes. CyberFortify's red teaming service is compatible with the major intelligence-led red teaming frameworks (TIBER-EU, CBEST UK, iCAST Hong Kong, FEER NZ, CORIE Australia, DORA TLPT). These frameworks add formal threat-intelligence inputs, regulator coordination and structured reporting requirements.
How long does an engagement take?
Full-scope: six to eight weeks elapsed. Assumed-breach: three to five weeks. Purple-team sprint: two weeks per ATT&CK tactic group. Continuous adversary simulation programmes are available.