What we actually do

Our Red Team runs attacks against your environment—phishing campaigns, credential theft, lateral movement, privilege escalation, and data exfiltration. Standard attacker playbook stuff. The difference is we’re doing it alongside your Blue Team, not in a vacuum.

Your SOC analysts watch the attacks unfold in real-time through their existing tooling (SIEM, EDR, NDR, whatever you’ve got). We tell them what we’re doing as we do it. They try to detect it. When they miss something, we stop and figure out why together. Then we fix the gap—whether that’s tuning a detection rule, adjusting log collection, or updating an investigation playbook.

Typical engagement looks like this:

  • Week 1: Scoping call, threat modelling based on your infrastructure and actual threats you care about
  • Weeks 2-3: Initial Red Team operations with Blue Team shadow mode (they watch, we explain)
  • Weeks 4-5: Active defence with Blue Team attempting detection and containment
  • Week 6: Joint debrief, gap analysis, remediation roadmap mapped to MITRE ATT&CK
  • Ongoing: We can run periodic exercises (quarterly is common) to validate improvements

Technical focus areas

Initial Access & Persistence

Can your team detect credential stuffing, phishing with MFA bypass, VPN compromise, or webshell deployment? We test realistic entry vectors and persistence mechanisms specific to your stack.

Lateral Movement

Testing detection of SMB enumeration, RDP lateral movement, pass-the-hash attacks, Kerberoasting, and privilege escalation paths. We map what’s visible in your logs vs what’s happening on the network.

Data Exfiltration

Can you spot large file transfers over DNS tunneling, cloud storage abuse, or encrypted C2 channels? We test egress monitoring and DLP controls against real exfiltration techniques.

Detection Engineering

We help write Sigma rules, Splunk queries, or custom detection logic for your SIEM. Everything gets tested against our attack traffic to verify true positive rates before deployment.

Incident Response

Your IR team practices containment, evidence collection, and eradication while we simulate an active breach. We test runbooks under pressure and identify process gaps before they matter.

Threat Hunting

We leave artifacts in your environment (with your permission) and see if your team can find them through proactive hunting. This teaches hypothesis-driven investigation techniques.

What you get out of it

Reduced mean time to detect (MTTD): When we start, your team might miss credential dumping for days. After a few iterations, they’re catching it in minutes because they know what to look for and have the right detections in place.

Validated security controls: You’ll know which EDR rules actually fire, which SIEM queries work, and which alerting thresholds are tuned correctly. No more wondering if your $500K security stack would actually catch an attack.

Documented coverage gaps: We map every technique we use to MITRE ATT&CK and note detection status (detected, partially detected, missed). You get a clear view of blind spots ranked by exploitability and business impact.

Trained SOC analysts: Your team gets hands-on experience investigating real attacks in a controlled environment. They learn what Mimikatz execution looks like in memory, how to trace lateral movement through Windows Event logs, and how to correlate network and endpoint telemetry.

Runbooks that work: IR playbooks often fail during actual incidents because they weren’t tested under realistic conditions. We help you find and fix those gaps before it’s 3am and your production environment is being ransomed.

Common questions

Pentest: Red Team finds vulnerabilities, writes report, leaves. You get a list of things to fix but no improvement in detection or response capability.

Purple Team: Red Team finds vulnerabilities while actively teaching Blue Team how to detect and respond. You fix both technical issues AND build internal skills to catch similar attacks in the future.

That’s exactly when Purple Team work is most valuable. We’ll spend more time in teaching mode, explaining what to look for and why. Your analysts will learn faster from seeing attacks happen live than from any training course.

Usually yes, but we scope carefully. We’ll discuss acceptable risk levels during scoping—some clients want full production testing, others prefer starting with dev/staging and limiting production to specific low-risk techniques. Your call.

We track metrics like:

  • Percentage of MITRE ATT&CK techniques your team can detect
  • Median time from initial access to detection
  • False positive rate for new detection rules
  • SOC analyst confidence scores before/after engagement

Basically anything you care about measuring, we can baseline and track.
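As an added illustration (not this page's own tooling), here is one way the metrics listed above and the true/false positive check described under Detection Engineering can be computed from a per-technique exercise log. The ATT&CK technique IDs, timestamps and event labels are constructed sample data, not results from a real engagement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Exercise:
    technique: str               # ATT&CK technique ID the Red Team exercised
    tactic: str                  # ATT&CK tactic it belongs to
    executed: datetime           # when the Red Team ran the technique
    alerted: Optional[datetime]  # when the SOC's alert fired; None = missed
    status: str                  # "detected", "partial" or "missed"

# Constructed sample exercise log (not real engagement data); timestamps are invented.
T0 = datetime(2024, 1, 15, 9, 0)
EXERCISES = [
    Exercise("T1566", "initial-access", T0, T0 + timedelta(minutes=12), "detected"),
    Exercise("T1003", "credential-access", T0 + timedelta(hours=1), None, "missed"),
    Exercise("T1021", "lateral-movement", T0 + timedelta(hours=2),
             T0 + timedelta(hours=2, minutes=45), "partial"),
    Exercise("T1558", "credential-access", T0 + timedelta(hours=3),
             T0 + timedelta(hours=3, minutes=5), "detected"),
    Exercise("T1048", "exfiltration", T0 + timedelta(hours=4), None, "missed"),
]

def coverage_by_tactic(exercises):
    """Per tactic: (techniques with at least a partial detection, techniques exercised)."""
    out = {}
    for e in exercises:
        hit, total = out.get(e.tactic, (0, 0))
        out[e.tactic] = (hit + int(e.status != "missed"), total + 1)
    return out

def coverage_pct(exercises):
    """Share of exercised techniques the Blue Team detected at least partially."""
    return 100.0 * sum(e.status != "missed" for e in exercises) / len(exercises)

def mttd_minutes(exercises):
    """Median minutes from execution to alert over detected techniques. Misses are
    excluded (they have no alert time) and are reported by coverage_pct instead."""
    lags = [(e.alerted - e.executed).total_seconds() / 60
            for e in exercises if e.alerted is not None]
    return median(lags) if lags else None

def false_positive_rate(rule_hits, labels):
    """Fraction of benign events a candidate rule fired on during the exercise window.
    rule_hits: set of event IDs the rule matched; labels: event ID -> True if Red Team activity."""
    benign = [eid for eid, is_attack in labels.items() if not is_attack]
    return sum(eid in rule_hits for eid in benign) / len(benign)
```

Read coverage and MTTD together: a low MTTD computed only over detected techniques looks good even when half the techniques were missed outright.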

Get started

Contact us with some info about your environment (company size, key tech stack, existing security tooling) and what you want to improve. We’ll set up a call to discuss scope and pricing.

Typical engagement runs 4-6 weeks with follow-up exercises every quarter. Pricing depends on scope and environment complexity—we’ll give you a fixed quote after the scoping call.