See your organisation the way an adversary does.

Real attackers do not follow a checklist. They pick a goal, learn everything they can about you, and take whatever route gets them there. A red team does the same: we agree an objective, use intelligence and any vector, digital, human or physical, and show you how far a determined adversary could get, and whether you would notice.

Red team operations

Goal-based, multi-vector adversary simulation. We agree a real objective and take any route to it, chaining digital, human and physical the way a real attacker would.

  • Goal-based objectives
  • Multi-vector attack
  • Detection & response testing
  • Assumed-breach option

OSINT & attribution

Open-source intelligence on your organisation: the footprint, exposure and people an attacker can map before touching a single system.

  • Attack-surface mapping
  • Exposed people & data
  • Domain & brand abuse
  • Supply-chain exposure

Leaked & breached data

Searching public and breach datasets for your exposed credentials and data, the reused and leaked passwords that are still one of the most common ways in.

  • Breached credential search
  • Exposed documents & data
  • Reused password checks
  • Dark-web exposure

Goal-based, not checklist-based.

A red team is not about counting findings. We agree what a win looks like for an attacker, your crown jewels, then do whatever it takes to get there, testing your defences the way a real incident would.

  • One agreed objective, the thing that would actually hurt to lose
  • Any route in: digital, human or physical, chained together
  • Tests your detection and response, not just prevention
  • An assumed-breach option to focus on what happens after the foothold

How a red team runs.

A red team runs in six phases, from agreeing the objective through to a purple-team debrief. Here is how each one works.

  1. 01

    Objectives and rules of engagement

    We agree what a win looks like, your crown jewels, along with the scope, the rules and how we deconflict with your team, before anything starts.

  2. 02

    Intelligence and reconnaissance

    We map your attack surface with OSINT and search breach datasets for exposed credentials and data, building the picture an attacker would.

  3. 03

    Initial access

    We get in the way a real attacker would: phishing, an exposed service or a chosen foothold, or from an assumed breach if that is the focus.

  4. 04

    Establish and escalate

    We establish a quiet foothold, escalate privileges and move towards the objective, staying under the radar.

  5. 05

    Actions on objective

    We reach the goal and prove impact carefully, while your defenders get a real chance to catch us.

  6. 06

    Report and purple-team debrief

    You get a full timeline of what we did, what your defences caught and missed, and a debrief where we replay the attack with your team.

What you get.

You get more than a list of holes. You get the story of the attack and a clear plan to detect and stop the next one.

  • A senior, CREST-certified operator leading the engagement
  • An executive and technical report within 48 hours of finishing
  • A full attack narrative and timeline of what we did
  • Findings mapped to MITRE ATT&CK, with what your defences caught and missed
  • Clear, prioritised fixes across prevention, detection and response
  • A purple-team debrief to replay the attack with your team

Intelligence and adversary simulation, answered.

Straight answers to what clients ask most about red team engagements.

What is the difference between a penetration test and a red team?

A penetration test finds and proves as many vulnerabilities as it can in a defined scope and a set time. A red team is goal-based and much quieter: we agree a real objective, such as access to a specific system or dataset, and take whatever route gets us there, digital, human or physical, while testing whether your team notices. A pen test measures how exposed a system is; a red team measures how well your whole organisation prevents, detects and responds to a real attack.

Do you search for our leaked and breached data and credentials?

Yes. During the intelligence phase we search public and breach datasets for your exposed credentials, documents and other data, the same sources a real attacker would use. Reused and leaked passwords are still one of the most common ways in, so we check what is already out there about your organisation and your people.

Will you test whether our team detects the attack?

Yes, and that is a big part of the value. We work as quietly as a real attacker and record what we did and when, so afterwards you can line it up against what your tools and your team actually saw. The debrief shows exactly where you detected us, where you missed us, and how to close those gaps.

Do you use real malware, and is it safe?

We use the same techniques a real attacker would, with custom tooling where it is needed, but always safely and under agreed rules. We do not use destructive payloads or anything that risks your data or your uptime, we agree in advance what is in and out of bounds, and everything is logged so it can be reviewed and unwound.

What is an assumed-breach engagement?

Assumed breach means we start from a foothold you give us, such as a standard user account or a machine on your network, rather than spending days getting in. It is efficient: it puts the time into what a capable attacker does after the first foothold, which is usually where the real damage happens.

How long does a red team engagement take?

Longer than a standard test, because stealth and intelligence take time. A focused engagement runs over a few weeks; a broader one longer. We scope it with you around your objective and your budget on a free call, and agree the length and intensity up front.

Ready to see what a real adversary could do?

Tell us what would hurt most if it fell into the wrong hands. We will come back within one working day with a suggested objective, approach and scope, with no sales theatre.

Book a scoping call