BastionSec
Offensive Security · Red Team

Red team: we simulate a real adversary to put your response to the test.

A goal-based operation that simulates how a real attacker would operate: in stealth, against objectives, not against a scope of systems. It tests not just the controls, but your team's detection and response (blue team) too. Advanced: it makes sense on an already-mature posture.

  • Goal-based and in stealth: we simulate the adversary, we don't run a checklist.
  • Tests detection and response (people, process), not just technical controls.
  • TTPs mapped to MITRE ATT&CK; optional Purple Team to work with your blue team.

When a red team makes sense

Quick self-qualification: do you recognise yourself in one of these?

You already have a mature posture

Controls in place, active monitoring, maybe pentests behind you: now you want to know whether you would detect and stop a real attack.

You want to test detection and response

You don't just care about 'what's vulnerable', but whether your team notices and reacts in time. That's the red team's domain, not the pentest's.

A specific scenario to validate

You want to test a concrete hypothesis: 'what happens if an account is compromised?' or 'how far does an attacker get starting from phishing?'.

What red teaming is (and why it isn't a pentest)

Red teaming is the simulation of a real adversary: you start from objectives (e.g. accessing critical data, compromising a privileged account) and work in stealth, choosing techniques as a real attacker would. You don't test a predefined scope of systems: you test the organisation as a whole, technology, people and processes, including its ability to detect and respond.

It's different from a penetration test, which has a defined scope and aims to find and demonstrate as many exploitable vulnerabilities as possible, usually without the goal of staying invisible. And it's different from a vulnerability assessment, which identifies and rates without exploiting. A red team against an immature company is a waste: first close the obvious flaws (VA, pentest), then put the defence to the test.

Honesty about the boundaries: this is an advanced activity. If you don't yet have basic controls and monitoring, we recommend starting with a vulnerability assessment and a penetration test: a red team wouldn't add value. We tell you this during scoping, not after.

What we put to the test

A realistic attack chain: initial access (e.g. agreed phishing, exploiting an exposure), persistence, privilege escalation, lateral movement and reaching the agreed objective. All under written rules of engagement and with a safety channel to stop the operation at any moment.

The subject of the test isn't only the technical controls, but people and processes: does your defence team (blue team) notice the activity? How long does it take? Do they react correctly? That's the question a red team answers.

What you get: the report

  • Attack narrative: the full path, from initial access to the objective, step by step.
  • TTPs used mapped to MITRE ATT&CK, with evidence and a timeline of actions.
  • Detection assessment: what was detected, what wasn't, and after how long.
  • Findings with CVSS severity where applicable and contextualised business impact.
  • Remediation prioritised across controls, detection and the response process.
  • Executive summary readable by leadership, highlighting the most relevant gaps.

How it works, step by step

A structured operation with clear rules of engagement. Execution is led by human operators: red teaming is adversarial judgement and creativity, not automation.

  1. Scoping & objectives

    We define objectives, rules of engagement, stealth level, constraints and a safety channel to stop everything.

  2. Reconnaissance & threat modeling

    We study the surface and the adversary scenarios relevant to your context.

  3. Initial access

    We gain a foothold with the agreed technique (e.g. phishing, external exposure).

  4. Operation

    Persistence, escalation, lateral movement toward the objective, in stealth and mapping the TTPs.

  5. Reporting

    Attack narrative, ATT&CK mapping, detection assessment and remediation.

  6. Debrief & Purple Team

    Session with your blue team to transfer the lessons and strengthen detection and response.

Stack & methodologies

The primary reference is MITRE ATT&CK for mapping adversary tactics and techniques. We bring in PTES and NIST SP 800-115 for the testing structure and CVSS for the severity of technical findings where applicable.

On request we work in Purple Team mode: our red team and your blue team collaborate in real time, so every technique immediately becomes a measurable improvement in detection. It's often the most effective way to genuinely grow response capability.

Model and timing

  1. Project model: tailored, 'from' price + range

    A red team operation is sized by objectives and stealth level; it's usually heavier than a pentest. Price defined after scoping. See the pricing page.

  2. Execution: typically a few weeks

    Stealth takes time: moving 'low and slow' is part of the realism. Defined during scoping.

  3. Debrief & Purple Team: at operation close

    Session with the blue team to transfer lessons and raise detection and response capability.

To maintain posture over time, periodic offensive testing fits into the continuous-security retainer.

Frequently asked

What's the difference between a red team and a penetration test?

A pentest has a defined scope of systems and aims to find and demonstrate as many exploitable vulnerabilities as possible. A red team starts from objectives, works in stealth and tests the whole organisation, including your team's ability to detect and respond. A pentest asks 'what's breakable?'; a red team asks 'would you notice?'.

Do I really need a red team?

Only if you already have a mature posture: controls in place, active monitoring, ideally pentests already done. For an immature company a red team is a waste: it would surface flaws a cheaper VA or pentest would have found. Write to us and we'll figure out what you need, honestly.

What's a Purple Team operation?

It's when our red team and your blue team collaborate in real time instead of operating blind: every simulated technique is immediately discussed and translated into a detection improvement. It's often the most effective way to grow response capability.

Is it dangerous for my production systems?

We operate under written rules of engagement, with agreed constraints and a safety channel to suspend the operation at any moment. Stealth is about avoiding detection, not about causing damage: the goal is controlled realism, not risk to your business.

What do I get at the end?

The full attack narrative, the TTPs mapped to MITRE ATT&CK with a timeline, the assessment of what was and wasn't detected, remediation prioritised across controls and response, and an executive summary for leadership. Plus, if chosen, the debrief session with your blue team.

Do you guarantee you won't get in?

On the contrary: a determined adversary often finds a foothold. The value of a red team isn't 'pass or fail', it's discovering how far you get without being stopped, and using that to make detection and response faster. Be wary of anyone selling security in absolute terms.

Go deeper

Penetration Testing

Defined scope and controlled exploitation: the step that usually comes before a red team.

Detection & Response

Detection and response are what a red team tests: here's how we strengthen them continuously.

Audit & Pentest (hub)

Our offensive testing line: VA, penetration testing and red team, with the delivery model.

Ready to put your defence to the test, for real?

Tell us your objectives and maturity: we'll say whether a red team is right for you now or whether to start with a pentest. Honestly.