Adversary simulation
A Red Team exercise does not look for vulnerabilities: it simulates a real attacker, stealthy and with a specific objective, to answer the question that truly matters: if someone came after you for real, would you detect it in time? We combine intrusion, social engineering and evasion to reach your critical assets the way an adversary would, and we measure how long your organization takes to see it and react.
People, processes and technology tested at the same time, with every step mapped onto MITRE ATT&CK.
What it is
A pentest gives you a snapshot of your flaws. A Red Team gives you something different and more uncomfortable: proof of whether your entire organization is able to stop a real attacker before it reaches what matters. It is not measured in number of vulnerabilities, but in whether you noticed and how long it took you.
Pentest: looks for and demonstrates the maximum number of vulnerabilities within a defined scope. Noisy on purpose: what matters is coverage.
Red Team: pursues a specific objective without you seeing it. Silent on purpose: what matters is testing your detection and your response.
That is why a Red Team is done once you already have a security and defense baseline, and what you want is to know whether it really holds up against someone who means business.
The exercise
We act like a real adversary: we study your organization, we look for the crack, we get in and we move silently to the objective. We do not limit ourselves to the technical, because a real attacker does not either: we combine intrusion, social engineering and evasion of your defenses.
Adversary emulation: we imitate a specific actor, with their known tactics, techniques and procedures (TTP). Useful if you are worried about a specific threat in your sector.
Adversary simulation: we do not tie ourselves to an actor; we start from your business objectives and from what would hurt you to lose. Useful to measure your resistance in a general way.
We choose it with you, and every move is mapped onto MITRE ATT&CK so the reading is shared with your defense team.
What you test
A real attacker does not only target your machines. That is why a Red Team tests the three things that hold up your security, and the one you least expected almost always fails.
People: who falls for an email, who lets things through, who does not raise the alarm. The link most exploited in real attacks.
Processes: whether your detection and response procedures work when it really matters, not just on paper.
Technology: whether your defenses, from the EDR to segmentation, stop the attacker or only seem to.
When
You have your own or a managed SOC and controls, and you want to know whether they really stop a determined attacker.
Banking, insurance or critical infrastructure. DORA requires financial entities to run an advanced Red Team modality, TLPT, based on the TIBER-EU framework, and NIS2 pushes in the same direction.
You have put money into tools and team and you want to check that the whole works, not each piece on its own.
You want your defense team to live through a real attack and learn to see it, instead of waiting for the real one.
Method
We define what needs to be reached, the rules of the exercise and what your team knows, so it is realistic and safe.
We study your organization from outside and inside as an attacker would, without making noise.
We get in, persist and advance toward the objective combining technique, deception and evasion.
We report what we did, what was detected and what was not, and how long you took, and we work with your team to close the gaps.
Fits with
A Red Team is the exam of your defense, so its natural partner is Sondriva, our SOC: the blue team that has to detect and respond. The exercise measures how well it does it and makes clear what to fine-tune. And if you do not yet have a baseline of flaws covered, the infrastructure pentest comes first: first you fix the obvious, then you test whether they defend you.
Social engineering is one of its key pieces, because the real attacker often gets in through people. And if you want attack and defense to work together to improve detection live, instead of measuring it blind, that is a Purple Team exercise.
Questions
In the goal. A pentest looks for and demonstrates the maximum number of vulnerabilities within a defined scope, noisy on purpose. A Red Team pursues a specific objective without you seeing it, and what it measures is not how many flaws there are, but whether your organization detects it and how long it takes to react.
If you do not yet have a security and detection baseline in place, start with the pentest: it tells you what to fix. The Red Team comes later, once you already have defenses and want to know whether they really work against a determined attacker. They do not compete, they go in order.
Adversary emulation imitates a specific actor, with the tactics, techniques and procedures (TTP) known to be theirs, useful if you are worried about a specific threat in your sector. Adversary simulation is not tied to an actor: it starts from your business objectives and from what would hurt you to lose. We choose with you the one that brings you the most value.
It depends on the exercise. If you want to measure detection for real, your defense team does not know it is a test, and that is the point. In other cases a small group is warned for safety. We agree it with you beforehand, always with a control channel to stop if needed.
Yes, almost always. A real attacker often gets in through people, so a realistic Red Team combines technical intrusion with social engineering and with evading your defenses. The three paths together, like in a real attack.
Yes. We map every move onto MITRE ATT&CK, which is the common language of attack tactics and techniques. That way your defense team can read the exercise in their own terms and turn it into concrete detection improvements.
Yes. In sectors such as banking, insurance or critical infrastructure, testing your resistance against a real attack is almost mandatory, and frameworks like DORA push in that direction. A Red Team is the way to prove, with facts, that your organization holds up and reacts.
TLPT, or Threat-Led Penetration Testing, is the Red Team modality that DORA requires from designated financial entities, and it is run following the TIBER-EU framework of the European Central Bank. A Red Team exercise is the foundation of that capability. It is worth knowing that formal TLPT has its own rules and requires accredited providers, so we help you get ready and arrive with everything in place.
Yes. We work with agreed rules and a permanent control channel to stop the exercise if anything requires it. The goal is to demonstrate the risk as an attacker would, not to cause damage or interrupt your business.
Shall we talk?
Tell us what would really hurt you to lose, and we design a Red Team exercise to check whether someone could reach that far without you seeing it.
Get in touch