Red Team Engagement

Red Team Engagements & Adversarial Simulation

Goal-oriented adversarial simulation.

Multi-week engagements where we work toward specific objectives — not a finding count. Phishing, endpoint compromise, lateral movement, exfiltration. Mapped to MITRE ATT&CK with detection metrics included.

What's Different

  • Goal-driven, not coverage-driven
  • Multi-vector: phishing, web, cloud, physical
  • MITRE ATT&CK technique mapping
  • Detection / response metrics included
  • Purple team retrospective on close

01 // PENTEST vs RED TEAM

Different exercise. Different outcomes.

A pentest tells you what's vulnerable. A red team tells you what an attacker would actually do — and whether you'd catch them. The deliverable isn't a finding count; it's a narrative of objectives met, detection gaps surfaced, and response performance measured.

  • Objectives, not coverage: 'access customer PII', not 'test 1,000 endpoints'
  • Multi-vector: phishing, social, web, cloud, supply chain, physical
  • Stealth scoring: how long until detected, by whom, with what signal
  • Response evaluation: did your SOC actually act on the alerts they generated
Engagement objectives — sample
OBJECTIVE 1  Customer PII exfiltration
  Path: phishing → endpoint → AWS keys
        → S3 → 2.4M records
  Detection: none for 14 days
  MITRE: T1566.001, T1078.004, T1530

OBJECTIVE 2  Production deploy access
  Path: stolen GitHub creds → Actions OIDC
        → prod IAM role
  Detection: none
  MITRE: T1199, T1098.003

OBJECTIVE 3  Customer wire transfer
  Path: BEC → finance team → bank portal
  Detection: caught at hour 4
  MITRE: T1534, T1656

→ 2/3 objectives met undetected.
→ Detection gaps: 4 specific MITRE techniques.
02 // MITRE ATT&CK ALIGNED

Every action tagged. Every gap traceable.

Findings aren't a vulnerability list — they're a coverage map of MITRE ATT&CK techniques against your detection stack. You walk away knowing exactly which techniques you'd catch, miss, or partially detect.

  • TTPs mapped to MITRE ATT&CK in real time during engagement
  • Detection scoring per technique: missed, partial, caught
  • Comparison against industry baselines for your sector
  • Purple team workshop on closeout to remediate detection gaps
Detection scorecard
INITIAL ACCESS
  T1566.001 (Spearphish attach)  MISSED
  T1190 (Public-facing app)      CAUGHT

EXECUTION
  T1059.001 (PowerShell)         CAUGHT
  T1059.003 (Cmd)                PARTIAL

PERSISTENCE
  T1098.003 (Add cloud admin)    MISSED
  T1136.003 (Create cloud acct)  MISSED

CREDENTIAL ACCESS
  T1552.001 (Creds in files)     MISSED
  T1555.005 (Password manager)   CAUGHT

EXFILTRATION
  T1530 (Cloud storage)          MISSED
  T1041 (C2 channel)             CAUGHT

Coverage: 4/10 techniques caught
Industry baseline (SaaS): 6/10
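As an added illustration (not code from this page or the vendor), a small Python parser for the scorecard layout shown above: it reads tactic headers and technique rows, computes caught/total overall and per tactic (a PARTIAL is not counted as a catch, which is how the page arrives at 4/10), and lists the gap techniques to hand to detection engineering. The scorecard text is a constructed sample in the same layout, not any client's data.

```python
import re
# Constructed sample in the page's scorecard layout (not any client's real data).
SCORECARD = """\
INITIAL ACCESS
  T1566.001 (Spearphish attach)  MISSED
  T1190 (Public-facing app)      CAUGHT
EXECUTION
  T1059.001 (PowerShell)         CAUGHT
  T1059.003 (Cmd)                PARTIAL
PERSISTENCE
  T1098.003 (Add cloud admin)    MISSED
  T1136.003 (Create cloud acct)  MISSED
CREDENTIAL ACCESS
  T1552.001 (Creds in files)     MISSED
  T1555.005 (Password manager)   CAUGHT
EXFILTRATION
  T1530 (Cloud storage)          MISSED
  T1041 (C2 channel)             CAUGHT
"""

# Indented technique row: ATT&CK id, short name in parentheses, result keyword.
TECH_LINE = re.compile(r"^\s+(T\d{4}(?:\.\d{3})?)\s+\((.*?)\)\s+(CAUGHT|PARTIAL|MISSED)\s*$")

def parse_scorecard(text):
    """Return (tactic, technique_id, name, result) rows; unindented lines are tactic headers."""
    rows, tactic = [], None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank separators between tactic groups
        m = TECH_LINE.match(line)
        if m and tactic:
            rows.append((tactic, m.group(1), m.group(2), m.group(3)))
        elif not line.startswith(" "):
            tactic = line.strip()
        else:
            raise ValueError(f"unparseable scorecard line: {line!r}")
    return rows

def coverage(rows):
    """(caught, total, {tactic: (caught, total)}); PARTIAL is not a catch, matching the page's 4/10."""
    per_tactic = {}
    for tactic, _, _, result in rows:
        c, n = per_tactic.get(tactic, (0, 0))
        per_tactic[tactic] = (c + (result == "CAUGHT"), n + 1)
    return sum(c for c, _ in per_tactic.values()), len(rows), per_tactic

def gaps(rows):
    """Technique ids to hand to detection engineering: MISSED first, then PARTIAL."""
    rank = {"MISSED": 0, "PARTIAL": 1}
    return [tid for _, tid, _, res in sorted(rows, key=lambda r: rank.get(r[3], 2)) if res != "CAUGHT"]
```

Comparing `coverage()` against the sector baseline the page quotes (SaaS 6/10) is a one-line ratio check on the returned counts.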

Engagement vectors

Multi-vector adversarial simulation.

Phishing & social

Targeted spearphishing, vishing, smishing. Custom infrastructure. Tracked clicks and credential capture.

External web / app

Internet-facing assets — chained with phishing for realistic initial access.

Endpoint compromise

Post-phishing — privilege escalation, EDR evasion, persistence, lateral movement.

Cloud lateral movement

AWS / GCP / Azure — IAM abuse, instance metadata, cross-account assumption.

Supply chain

Dependency confusion, typosquatting, CI/CD compromise via OIDC trust.

Physical (optional)

Office access, badge cloning, USB drops, network jack assessment.

Engagement Model

Goal-priced. Multi-week. Multi-vector.

Red team engagements are scoped by objectives, not endpoints. You define what success looks like ("access customer PII," "compromise a production deploy") — we plan multi-vector campaigns to achieve them. Phishing-only engagements: 2-4 weeks, $25K+. Full multi-vector (phishing + endpoint + cloud + lateral): 8-12 weeks, $80K-$200K. Annual purple team retainers available.

Deliverables

Detection scorecards, not vulnerability counts.

Engagement narrative

Day-by-day operational log: what we tried, what worked, what was detected, when, by whom. Reads like an incident timeline. The single most useful artifact for your detection engineering team.

MITRE ATT&CK detection scorecard

Per-technique coverage map: which TTPs your stack caught, partially caught, missed entirely. Comparison against industry baseline for your sector.

Purple team workshop

Closeout session with your SOC and detection engineering team. We walk through every undetected technique, explain what signals were generated, recommend specific detection rules.

Executive briefing

90-minute exec briefing with screenshots and video of the most critical compromises. Built specifically for board-level audiences. Doesn't require security expertise to follow.

Frequently Asked Questions

Common questions, answered.

How is this different from your pentest service?
A pentest is broad coverage with a finding count. Red team is narrow goals with a detection scorecard. Pentest tells you 'here are 47 issues'. Red team tells you 'we accessed your customer database in 6 days and your SOC noticed on day 12'. Different exercises, different value.
How long is a typical engagement?
4-12 weeks depending on objective complexity and scope. Phishing-only engagements run 2-4 weeks. Full multi-vector engagements with cloud + endpoint + lateral movement run 8-12 weeks. Long-duration engagements with custom infrastructure can run 12+ weeks.
Will our SOC team know it's a test?
Depends on the model. 'Black box' red teams: only a small executive sponsor group knows. 'Purple team' engagements: SOC knows and we collaborate in real time on detection improvements. We recommend starting black box, then transitioning to purple in subsequent engagements once baseline detection capability is measured.
What about legal authorization and scoping?
We require a signed Rules of Engagement document specifying authorized actions, in-scope assets, prohibited activities (e.g. no destructive actions, no real customer data exfiltration even when reachable), and emergency stop conditions. Standard for the industry, non-negotiable for us.
How much does a red team engagement cost?
Phishing-focused engagements (2-4 weeks) typically run $45k-$90k. Multi-vector full red team (4-8 weeks) typically $90k-$220k. Long-duration engagements with custom infrastructure (8-12 weeks) typically $220k-$480k. Pricing is fixed-fee scoped after objectives definition.
Do you do physical red teaming?
Yes, when in scope and properly authorized. Office access, badge cloning, USB drops, network jack assessment. Physical engagement requires specific legal authorization beyond standard ROE — we work with your legal team to scope authorization correctly.
Can you do supply chain attacks?
Yes. Dependency confusion, typosquatting against your published packages, CI/CD compromise via OIDC trust misconfiguration, vendor compromise simulation. Supply chain red team requires specific scoping because real-world supply chain attacks have spillover risks.
Do you provide MITRE ATT&CK mapping?
Yes — every engagement produces a detection scorecard mapping each TTP we used to ATT&CK identifiers, with detection results (caught / partial / missed). Comparable to MITRE Engenuity ATT&CK Evaluations format. Useful for SOC purple-team exercises and detection-engineering roadmaps.
Can the engagement be remote-only?
Yes. Most engagements are remote — phishing, external web exploitation, cloud lateral movement, endpoint compromise via remote access. Physical components are optional and require dedicated logistics.
What if you find something critical mid-engagement?
Critical findings (RCE, active backdoor, exposed credentials in production) are disclosed immediately to the executive sponsor — not held for the final report. This is part of the ROE and protects your organization while preserving the engagement's other objectives.
Do you offer purple team workshops?
Yes — most engagements close with a 2-4 hour purple team workshop where we walk your SOC and detection-engineering teams through every TTP, what triggered (or didn't), and what detection improvements would close gaps. Often the highest-value deliverable.
How does this compare to FedRAMP / NIST 800-53 red team requirements?
FedRAMP Moderate doesn't require red teaming. FedRAMP High requires it under CA-8. NIST SP 800-53 r5 control CA-8 covers it for systems requiring red team validation. We've delivered against both — happy to walk through scoping.
How is red teaming different from penetration testing?
A pentest is broad coverage with a finding count. Red team is narrow goals with a detection scorecard. Pentest tells you "here are 47 issues across your application." Red team tells you "we accessed your customer database in 6 days using phishing + cloud lateral movement, and your SOC noticed on day 12." Different exercises, different value, different price points. Most mature security programs do both.
Will our SOC team know it's a test?
Depends on engagement model. "Black box" red team: only a small executive sponsor group knows; SOC responds as if real. "Purple team": SOC knows and we collaborate in real time on detection improvements. We recommend starting black box for the first engagement (gives you a true detection baseline), then transitioning to purple in subsequent engagements (faster detection improvement).
What about legal authorization and rules of engagement?
Required and non-negotiable. Every engagement has a signed Rules of Engagement document covering: authorized actions, in-scope assets, prohibited activities (no destructive actions, no real customer data exfiltration), emergency stop conditions, escalation contacts. We also require a get-out-of-jail letter for the team in case of physical engagement scope.
Can you do physical / social engineering on-site?
Yes, as a scope option. Office access, badge cloning, USB drops, network jack assessment. We take this seriously — including bringing identification, signed authorization letters, and a designated emergency contact at your organization. Physical engagements add 1-2 weeks to engagement length.
What's the difference between red team and bug bounty?
Bug bounty is opportunistic and external — researchers find what they find, you pay per valid finding. Red team is goal-directed and structured — we work toward specific objectives over a defined period, with full visibility into our methods. Red team measures detection capability; bug bounty measures attack surface. Both have value; neither replaces the other.
Do you require any specific tools or telemetry from us?
No prerequisites — we can engage whatever your current detection stack is (or lack thereof). For purple team engagements, having a SIEM, EDR, and centralized log access makes the workshop output much more actionable. For black box, we just need scope and authorization.

What is a red team engagement

Goal-driven adversarial simulation, not a longer pentest.

Red team engagements are multi-week adversarial simulations where an offensive security team works toward specific objectives — accessing customer data, achieving production deployment, exfiltrating financial information — using whatever realistic attack vectors are in scope (phishing, web/cloud exploitation, supply chain compromise, occasionally physical access). The goal isn't a finding count; it's an honest answer to the question: "could a real attacker do this, and would we catch them?"

Where a pentest tells you what's vulnerable, a red team tells you what an attacker would actually do and whether your detection-and-response capabilities would catch them. Findings are framed as objectives met or not met, mapped to MITRE ATT&CK techniques, and accompanied by detection scorecards showing which TTPs your SOC caught, partially detected, or missed entirely.

Red teaming complements rather than replaces application pentesting. A pentest provides broad-coverage finding lists; a red team provides narrow-but-deep narrative-driven scenarios. Most mature security programs run both: pentests for coverage, red teams for validation.

  • Multi-week engagements (4-12 weeks typical)
  • Mapped to MITRE ATT&CK (full TTP traceability)
  • Detection scorecards: caught / partial / missed per technique
  • Purple team workshops on close to remediate detection gaps

Pricing & timeline

Multi-week, fixed-fee, scoped by objectives.

Red team engagements are scoped by objective complexity, vector mix (phishing only? phishing + cloud + endpoint?), and duration. The largest cost driver is dwell time: short engagements run lean, longer engagements add infrastructure, persistence, and detection-evasion work.

  • Phishing-focused (2-4 weeks): $45k - $90k
  • Multi-vector full red team (4-8 weeks): $90k - $220k
  • Long-duration with custom infra (8-12 weeks): $220k - $480k
  • Black box → purple team: add 1-2 weeks for closeout workshop
  • Re-engagement discount: 20-30% off subsequent engagements within 12 months
  • Rules of Engagement document: required; signed before any activity