Methodology

A red team operation that tells your SOC exactly what it missed — and how to close the gaps.

Objective-led, six phases mapped to MITRE ATT&CK, measured by what your detection program saw. The primary deliverable is the detection-coverage matrix your SOC can act on.

Why methodology matters

A red team operation is only valuable if it tells you what your detections missed.

A pentest tells you where the vulnerabilities are. A red team operation tells you whether your SOC would have detected and stopped a real intrusion. The output your team needs is a matrix that maps every ATT&CK technique attempted to what was logged, what alerted, and what was investigated.

Every action in the operation is recorded against specific ATT&CK technique IDs so the detection-coverage matrix is directly usable as a detection-engineering backlog.

The methodology

Six phases, every operation.

  1. Objective and rules of engagement

     Define the operational objective in concrete terms — domain admin, payment-system access, tagged-data exfiltration, or a specific business outcome. Document control points, out-of-scope systems, hard stop conditions, and legal authorization paperwork.

  2. Reconnaissance and infrastructure

     External recon (subdomains, leaked credentials, public source code, supplier surface) feeds the targeting plan. Operational infrastructure — redirectors, domains, C2 hosts — is stood up with OPSEC appropriate to the objective and detection-program maturity.

  3. Initial access

     Phishing (with or without MFA-bypass tooling, depending on scope), exposed external services, supply-chain or contractor pretexts, or an assumed-breach foothold. Each path maps to MITRE ATT&CK tactic TA0001, with specific technique IDs recorded for the report.

  4. Foothold, privilege escalation, lateral movement

     Establish persistent C2, escalate privileges, move laterally with OPSEC discipline, and harvest credentials only where it serves the objective. Each action is recorded against ATT&CK tactics TA0003–TA0008 for the detection-coverage matrix.

  5. Action on objective

     Reach the objective and document the path. Exfiltration is simulated against a controlled honeypot or tagged data set with explicit pre-approval — no real customer data is ever moved.

  6. Reporting, debrief, and detection-gap analysis

     Executive attack narrative; detection-coverage matrix per ATT&CK technique (logged / alerted / investigated / contained); recommended detections per gap. Blue-team debrief is standard; purple-team mode compresses this into the engagement itself.

What we measure

ATT&CK coverage and detection-program performance.

  • TA0001 Initial Access — phishing (T1566), valid accounts (T1078), exploit public-facing application (T1190), supply chain (T1195).
  • TA0002 Execution — command-and-scripting interpreter (T1059) variants appropriate to the environment.
  • TA0003 Persistence — scheduled tasks, services, accounts, registry, cloud-IAM persistence.
  • TA0004 Privilege Escalation — token manipulation, ACL abuse, kernel and service exploits where required.
  • TA0005 Defense Evasion — process injection, signed-binary proxy execution, indicator removal, OPSEC tradecraft.
  • TA0006 Credential Access — OS credential dumping (T1003), Kerberoasting (T1558.003), AS-REP roasting, browser-credential harvest.
  • TA0007 Discovery — domain, account, system, network, and cloud-resource discovery.
  • TA0008 Lateral Movement — remote services, pass-the-hash, pass-the-ticket, container/cloud lateral movement.
  • TA0009 / TA0010 Collection and Exfiltration — staging and simulated exfiltration to controlled infrastructure, never real data.
  • TA0011 Command and Control — application-layer protocols, encrypted channels, proxy chains.

Not sure whether your program is ready for red team?

A quick call gives you an honest read on scope, maturity fit, and what the operation will cost.

Tools we use

Operational toolkit.

Used only under signed engagement paperwork and explicit written authorization. Activity is throttled; destructive payloads are not deployed.

Cobalt Strike

Commercial C2 platform — the industry-standard primary C2 on most paid red-team engagements.

Sliver

Open-source C2 used alongside or instead of Cobalt Strike for OPSEC diversification.

BloodHound and SharpHound

Active Directory attack-path graphing for lateral movement and privilege escalation.

Impacket suite

Protocol-level attacks against SMB, Kerberos, and LDAP — secretsdump, GetUserSPNs, ntlmrelayx.

GoPhish and Evilginx

Phishing infrastructure and adversary-in-the-middle MFA bypass, used only under explicit written authorization.

Custom loaders and beacons

Engagement-specific loaders where signature avoidance matters. Not published or shared.

MITRE ATT&CK Navigator

Used to plan technique coverage and produce the detection-coverage matrix in the deliverable.

OPSEC and safety

How we run operations without breaking things.

  • No destructive payloads. Ransomware, data destruction, and irreversible actions are out of scope on every engagement.
  • Throttled activity. Operational tempo is calibrated to your detection-program maturity and the agreed visibility goal.
  • Hard stop conditions. Pre-agreed triggers immediately pause the operation — sensitive system reached, business impact risk, IR escalation by the unaware blue team.
  • Control-point owners on a shared channel for the duration, available to authorize edge cases in real time.
  • Reversible footholds. Persistence is removed at the end; the report documents every artifact created and its location.

Deliverables

What the SOC and the executive team get.

  • Executive attack narrative. What we tried, what worked, what did not, and the business-language posture assessment.
  • Detection-coverage matrix. Per ATT&CK technique attempted: logged, alerted, investigated, contained. The artifact your SOC will use most.
  • Recommended detections. For every gap, a recommended detection — log source, indicator pattern, threshold — the detection-engineering team can build against.
  • Blue-team debrief. A working session that walks through the timeline alongside the SOC's own observations.
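
To make the detection-coverage matrix and the backlog it feeds concrete, here is an added Python example (not the firm's own tooling, and not part of the original page). It takes an operation log of actions tagged with ATT&CK technique IDs and the SOC's response to each, rolls them up per technique into the logged / alerted / investigated / contained matrix described in phase 6 and in the deliverables above, derives a backlog of techniques that never produced an alert, and emits a layer dict for ATT&CK Navigator. The log format, the "best outcome across attempts" roll-up, the gap ranking, and the Navigator layer keys are assumptions; the log entries are constructed sample data.

```python
"""Detection-coverage matrix and detection-engineering backlog from a red-team operation log.

Added example. Assumptions: one Action per recorded red-team step; a technique's
coverage is the best outcome across all attempts; a gap is anything below 'alerted';
layer keys follow the ATT&CK Navigator layer format (check against your Navigator version).
"""
from dataclasses import dataclass
from typing import Dict, List

# Stages of the detection pipeline, weakest outcome first. Index in this list is the score.
LEVELS = ["not_logged", "logged", "alerted", "investigated", "contained"]


@dataclass
class Action:
    """One red-team action and what the SOC did with it (assumed log format)."""
    technique_id: str
    tactic: str            # ATT&CK tactic ID, e.g. TA0001
    description: str
    logged: bool = False
    alerted: bool = False
    investigated: bool = False
    contained: bool = False

    def level(self) -> str:
        """Highest pipeline stage this single action reached."""
        for flag, name in (("contained", "contained"), ("investigated", "investigated"),
                           ("alerted", "alerted"), ("logged", "logged")):
            if getattr(self, flag):
                return name
        return "not_logged"


# Constructed sample operation log; not data from any real engagement.
SAMPLE_LOG: List[Action] = [
    Action("T1566.001", "TA0001", "Spearphishing attachment to finance staff", logged=True, alerted=True),
    Action("T1059.001", "TA0002", "PowerShell stager on first foothold", logged=True),
    Action("T1053.005", "TA0003", "Scheduled task for C2 persistence", logged=True, alerted=True, investigated=True),
    Action("T1558.003", "TA0006", "Kerberoasting of service accounts"),
    Action("T1003.001", "TA0006", "LSASS memory access on jump host",
           logged=True, alerted=True, investigated=True, contained=True),
    Action("T1021.002", "TA0008", "SMB lateral movement to file server", logged=True),
    Action("T1021.002", "TA0008", "SMB lateral movement to domain controller", logged=True, alerted=True),
]


def coverage_matrix(log: List[Action]) -> Dict[str, dict]:
    """Per technique: tactic, number of attempts, and the best outcome reached across attempts."""
    matrix: Dict[str, dict] = {}
    for action in log:
        row = matrix.setdefault(action.technique_id,
                                {"tactic": action.tactic, "attempts": 0, "best": "not_logged"})
        row["attempts"] += 1
        if LEVELS.index(action.level()) > LEVELS.index(row["best"]):
            row["best"] = action.level()
    return matrix


def detection_backlog(matrix: Dict[str, dict]) -> List[dict]:
    """Techniques that never alerted, weakest coverage first, then by tactic order (assumed ranking).

    Each item says what kind of work closes the gap: missing telemetry needs a log source,
    logged-but-silent needs an alert rule. Log source, indicator pattern and threshold
    for the actual detection are filled in by the detection-engineering team.
    """
    gaps = []
    for tid, row in matrix.items():
        if LEVELS.index(row["best"]) < LEVELS.index("alerted"):
            need = ("telemetry: no log source captured this technique" if row["best"] == "not_logged"
                    else "alert rule: activity was logged but nothing fired")
            gaps.append({"technique": tid, "tactic": row["tactic"], "best": row["best"], "need": need})
    gaps.sort(key=lambda g: (LEVELS.index(g["best"]), g["tactic"]))
    return gaps


def navigator_layer(matrix: Dict[str, dict], name: str = "Red team detection coverage") -> dict:
    """Layer dict scoring each technique 0-4 by best outcome (assumed Navigator layer keys)."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": LEVELS.index(row["best"]),
             "comment": f"{row['attempts']} attempt(s); best outcome: {row['best']}"}
            for tid, row in matrix.items()
        ],
    }


if __name__ == "__main__":
    matrix = coverage_matrix(SAMPLE_LOG)
    print(f"{'technique':<12}{'tactic':<8}{'attempts':<10}best outcome")
    for tid, row in sorted(matrix.items(), key=lambda kv: kv[1]["tactic"]):
        print(f"{tid:<12}{row['tactic']:<8}{row['attempts']:<10}{row['best']}")
    print("\nBacklog:")
    for gap in detection_backlog(matrix):
        print(f"  {gap['technique']} ({gap['tactic']}, {gap['best']}): {gap['need']}")
```

Rolling up to the best outcome per technique is deliberate: if the SOC alerted on the second SMB lateral-movement attempt but not the first, the technique is not a telemetry gap, though the miss on the first attempt is still worth raising in the debrief as a tuning point.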

FAQ

Red team methodology — common questions

How do you avoid disruption to production?

Destructive payloads are not used. Activity is throttled, hard stop conditions are agreed before kickoff, and critical systems are coordinated with your team in advance. The objective is to demonstrate the attack path, not to break things.

Is the blue team supposed to know?

On a traditional red team operation, only the control-point owners know; the broader SOC is unaware. On a purple team variant, both teams work together. Most mid-maturity programs get more value from purple team in the first one or two cycles, then move to covert red team once detection coverage matures.

How is initial access agreed?

On the scoping call we agree which vectors are in scope — external phishing, exposed-service exploitation, and an assumed-breach foothold are common combinations. Social engineering of staff or physical access requires explicit, written, legally authorized scope.

What is the deliverable a SOC team actually uses?

The detection-coverage matrix. For every ATT&CK technique attempted, it records what was logged, what alerted, what was investigated, and what was contained — plus recommended detections for each gap. It becomes the SOC's detection-engineering backlog.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.