Red Team Operations & Adversarial Simulation

Full-scope adversarial simulation aligned to MITRE ATT&CK — testing your people, processes, and technology the way real threat actors do. Delivered by a CREST-certified, OSCP/OSEP/CRTO principal with 15 years of offensive security experience in Toronto, Canada.

Service Overview

What Is Red Team Operations?

A red team operation is a full-scope, goal-oriented adversarial simulation. Unlike penetration testing, it does not aim to find every vulnerability — it aims to achieve a specific mission objective while evading your defences, exactly as a sophisticated threat actor would.

At Cyber Security Pentesting Inc., every red team engagement is planned and executed by Arturs Stay — principal consultant, CREST-certified practitioner, and holder of OSCP, OSEP, and CRTO certifications. There are no junior analysts handed your engagement after kick-off. You get 15 years of offensive security expertise applied directly to your environment.

Engagements are scoped around your threat model, your industry's adversary profile, and your specific mission objectives — whether that is reaching crown-jewel data, demonstrating a full domain compromise, or validating your SOC's detection and response capabilities under realistic attack conditions.

MITRE ATT&CK Aligned · Custom C2 Infrastructure · OPSEC-Hardened · Full Kill-Chain · Physical + Digital + Social · Toronto, Canada
Engagement at a Glance
  • Duration: 4–12 weeks depending on scope and objectives
  • Methodology: MITRE ATT&CK, CREST STAR, CBEST, TIBER-EU
  • Attack vectors: Digital, physical, and social engineering
  • Infrastructure: Custom C2, OPSEC-hardened, purpose-built per engagement
  • Deliverable: Executive narrative + technical report + MITRE ATT&CK heat map + remediation roadmap
  • Purple team option: Collaborative blue team knowledge transfer available
15+ Years Offensive Security
CREST Certified Principal
100% Principal-Led
Methodology Comparison

What Sets Red Teaming Apart

Red team operations and penetration tests serve different purposes. Understanding the distinction helps you choose the right engagement for your current security maturity and objectives.

| Characteristic | Red Team Operations | Penetration Testing |
| --- | --- | --- |
| Primary objective | Achieve mission goal — reach crown-jewel assets, demonstrate full domain compromise | Enumerate and validate vulnerabilities within a defined scope |
| Scope | Unrestricted — attacker chooses path of least resistance | Defined in advance — specific systems, IP ranges, applications |
| Duration | 4–12 weeks, covert and patient | 1–3 weeks, time-boxed |
| Detection testing | Core objective — measures SOC dwell time and response | Not typically measured |
| OPSEC and stealth | OPSEC-hardened — evading detection is essential | Not required — visibility is acceptable |
| Physical attack vectors | Physical intrusion, badge cloning, tailgating in scope | Rarely included |
| Social engineering | Spear phishing, vishing, pretexting as initial access vectors | Separate engagement |
| Custom C2 infrastructure | Purpose-built per engagement, domain-fronted or redirector-based | Off-the-shelf tooling typical |
| Purple team integration | Available as post-engagement debrief or concurrent collaboration | Not applicable |
| Best suited for | Mature security teams validating their defences against realistic adversary behaviour | Organisations identifying and prioritising known vulnerabilities for remediation |

Not sure which engagement is right for your organisation? Ask us directly →

MITRE ATT&CK Coverage

Full Kill-Chain Coverage

Every red team engagement is mapped to the MITRE ATT&CK Framework, ensuring techniques are grounded in documented real-world adversary behaviour. The following phases are covered end-to-end.

ATT&CK TA0001
Initial Access
We gain a foothold using the same vectors real threat actors exploit. Campaigns are custom-crafted, not templated — delivery infrastructure is purpose-built and unlikely to trigger commodity threat intel.
Spear Phishing · Phishing Links & Attachments · Drive-By Compromise · Valid Account Abuse · External Remote Services · Supply Chain · Physical Intrusion · USB Drop
ATT&CK TA0002 / TA0003
Execution & Persistence
Payloads are custom-developed per engagement. Persistence mechanisms are selected to survive reboots, credential rotations, and endpoint security updates — mimicking nation-state and advanced criminal group behaviour.
Custom Implant Development · LOLBins / Living-Off-The-Land · Scheduled Tasks · Registry Run Keys · COM Hijacking · Boot/Logon Autostart · WMI Event Subscription
ATT&CK TA0004
Privilege Escalation
From initial low-privilege access, we pursue the most realistic path to domain or cloud admin — exploiting misconfigurations, service account weaknesses, and credential exposure rather than relying solely on public exploits.
Kerberoasting · AS-REP Roasting · Token Impersonation · DACL / ACL Abuse · Service Misconfigurations · DLL Hijacking · GPO Abuse · UAC Bypass
ATT&CK TA0008
Lateral Movement
We move through the environment as an attacker would — methodically, using legitimate protocols and harvested credentials where possible, minimising noise while expanding access toward the mission objective.
Pass-the-Hash · Pass-the-Ticket · WMI / DCOM · SMB / PsExec · RDP Hijacking · BloodHound Attack Paths · Forest Trust Abuse · Cloud-to-On-Prem Pivoting
ATT&CK TA0009 / TA0010
Collection & Exfiltration
Crown-jewel data is identified, staged, and demonstrated as exfiltrated using covert channels that bypass data loss prevention controls. The goal is not to steal data — it is to prove that a real adversary could, and to measure your detection capability at each stage.
LSASS Credential Dumping · DCSync · Email / SharePoint Harvest · C2 Exfil over DNS/HTTPS · Covert Channel Techniques · DLP Bypass · Cloud Storage Abuse
ATT&CK TA0040
Impact Assessment
We document the realistic business impact of each attack path — translating technical findings into financial, operational, and reputational risk language that resonates with boards, audit committees, and regulators.
Business Risk Mapping · Crown-Jewel Impact Analysis · Ransomware Simulation · Operational Disruption Modelling · Regulatory Exposure · Executive Reporting
Engagement Methodology

Our Approach

Effective red teaming requires more than running known tooling against your environment. We build custom infrastructure, operate with strict operational security, and integrate every attack vector into a single coherent campaign.

Custom C2 Infrastructure
We do not use shared or commodity command-and-control infrastructure. Every engagement gets purpose-built C2 using Cobalt Strike, Havoc, Sliver, or custom implants — with malleable profiles, domain-fronted redirectors, and categorised domains that blend into legitimate traffic patterns. Your threat intel team will not recognise it from blocklists.
OPSEC-Hardened Tooling
Every tool, technique, and payload is reviewed for OPSEC risk before deployment. We use reflective DLL injection, in-memory execution, and process injection to minimise artefacts on disk. Payloads are custom-compiled with modified signatures to evade signature-based AV and EDR solutions. We treat OPSEC as a first-class constraint throughout the engagement.
Assumed Breach Scenarios
Not every engagement starts at the perimeter. Assumed breach scenarios place us inside your environment — simulating a compromised workstation, a malicious insider, or a successful phishing click — and test your ability to detect and contain a threat that has already bypassed your perimeter defences. Ideal for organisations with mature perimeter controls who want to test internal resilience.
Physical + Digital + Social Vectors
Real threat actors do not limit themselves to digital channels. Our red team engagements can incorporate physical intrusion attempts (badge cloning, tailgating, physical device implants), targeted social engineering (spear phishing, vishing, pretexting), and digital attack paths — all running concurrently as a single coordinated campaign. This is the truest test of your holistic security posture.
Purple Team Integration
For organisations with a mature SOC or dedicated detection engineering function, we offer purple team integration — a collaborative mode where red and blue teams work together in real time. Our red team executes specific ATT&CK techniques while your defenders observe, tune detection rules, and validate alert coverage. The result is a measurable, documented improvement in your detection capability, not just a report of gaps.
Reporting & Remediation
Every red team engagement concludes with two deliverables: an executive narrative for leadership (framing findings in business risk language) and a detailed technical report for your security team (attack timelines, TTPs mapped to MITRE ATT&CK, IOCs, detection recommendations, and a prioritised remediation roadmap). A debrief session is included to walk through findings and answer questions.
Industry Frameworks

Methodology References

Our red team operations draw on the most rigorous and widely recognised adversarial simulation frameworks in the industry — ensuring your engagement is credible, repeatable, and aligned to regulatory expectations where required.

Primary
MITRE ATT&CK Framework
The gold standard for adversary behaviour documentation. Every technique and tactic we employ is mapped to a specific ATT&CK entry, ensuring findings are contextualised against real-world threat actor behaviour. The engagement report includes a populated ATT&CK Navigator heat map showing your coverage gaps and detections.
attack.mitre.org →
CREST
CREST STAR — Simulated Target Attack and Response
The CREST STAR methodology provides a structured framework for intelligence-led red team assessments. As a CREST-certified practitioner, Arturs Stay operates within the STAR methodology's rigorous professional standards — covering threat intelligence scoping, scenario development, attack simulation, and reporting requirements.
crest-approved.org/membership/crest-star →
Financial
CBEST Framework (Bank of England)
The Bank of England's CBEST framework defines intelligence-led penetration testing for UK financial institutions and their supply chains. For Canadian financial services organisations with UK operations or regulatory relationships, CBEST-aligned red team engagements provide demonstrable compliance evidence and align with regulators' expectations of systematic adversarial simulation.
bankofengland.co.uk/cbest →
EU Reg.
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming)
The European Central Bank's TIBER-EU framework establishes a common approach to intelligence-led red team testing across EU financial market infrastructures. For organisations operating in or with European financial markets, TIBER-EU alignment demonstrates a consistent, regulator-recognised approach to adversarial testing of critical systems.
ecb.europa.eu/TIBER-EU →
Frequently Asked Questions

Red Team Operations — FAQ

What is the difference between red teaming and penetration testing?
Penetration testing is a structured, time-boxed assessment that enumerates vulnerabilities within a defined scope. Red team operations are full-scope adversarial simulations with no predefined targets — the objective is to achieve a specific mission goal (such as reaching crown-jewel data) while evading detection, testing your people, processes, and technology simultaneously. Red teaming reveals whether your defences actually work in practice, not just on paper.
How long does a red team engagement take?
A meaningful red team engagement typically runs 4–12 weeks depending on scope, objectives, and environment complexity. Shorter engagements risk missing persistent, patient threat actor behaviour. We agree on mission objectives, rules of engagement, and minimum engagement duration before any work begins.
What frameworks guide your red team operations?
Our red team operations are primarily aligned to the MITRE ATT&CK Framework, ensuring every tactic, technique, and procedure maps to documented real-world adversary behaviour. We also draw on the CREST STAR methodology, CBEST (Bank of England), and TIBER-EU where clients require regulatory alignment.
Will the red team test our security operations centre (SOC)?
Yes. Unlike a standard penetration test, red team operations are specifically designed to test your detection and response capabilities. We operate covertly and measure whether your SOC detects our activity, at what stage, and how effectively they respond. Detailed dwell-time and detection-gap metrics are included in the final report.
Do you offer purple team engagements?
Yes. Purple team engagements are available as a standalone service or as an extension of a red team operation. In purple team mode, our red team works collaboratively with your blue team in real time — executing TTPs while your defenders observe and tune detection rules. This accelerates security maturity significantly and is particularly valuable for organisations with a mature SOC looking to improve specific detection coverage.
Who conducts the engagement — will I get a junior analyst?
Every engagement is conducted directly by Arturs Stay — principal consultant, CREST-certified, OSCP/OSEP/CRTO, with 15 years of offensive security experience. Cyber Security Pentesting Inc. is a principal-led practice. You will not have your engagement handed to a junior analyst after scoping. The person you speak to during discovery is the person executing the work and writing your report.
How is a red team engagement scoped and priced?
Pricing is based on engagement duration, number of objectives, attack vector coverage (digital-only vs. physical and social inclusion), and reporting requirements. We provide a fixed-fee proposal after a scoping call so you know exactly what you are getting before any contract is signed. Contact us to request a quote or start a scoping conversation.
Ready to Test Your Defences for Real?
A red team engagement is the only way to know whether your security controls hold up against a determined, skilled adversary. Let's talk about your threat model and objectives.