Red Team Operations
Adversary simulation with goals, not checklists.
Red team is not the same thing as a penetration test, and conflating the two is one of the more common mistakes I see in RFPs. A pen test asks “what can be broken?” A red team asks “what would actually happen if someone tried to break in for real, with a goal in mind, while your defenders are watching?”
I plan engagements around concrete objectives: exfiltrate a specific dataset, reach a particular system, trigger a defined business impact. Tradecraft is mapped to MITRE ATT&CK so the blue team can measure detection coverage afterwards rather than guess at it. Initial access depends on the threat model that fits your organisation — phishing, exposed services, identity abuse, supply chain pivots — and assumed-breach starts are also on the table when you'd rather skip straight to the parts that test internal controls.
What you get back is a narrative: the attack path that actually worked, the techniques used at each step, and the detection opportunities that fired (or didn't) along the way. The point isn't to make your SOC look bad. It's to give them honest data about which controls held, which were noisy without being useful, and where the gap is between detection rules on paper and how attackers move in practice.
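One way to turn that narrative into the "honest data" the paragraph above describes, as an added example that is not part of this page or the author's own tooling: record each step of the attack path that worked with its ATT&CK technique and tactic, plus what the SOC actually observed, and then bucket each step as held, noisy, unactioned or missed. The technique IDs are real ATT&CK identifiers; the step records, the noise threshold and the `unrelated_alerts` field are constructed assumptions for illustration.

```python
"""Attack-path scoring for a red-team debrief (added example, not the author's tooling).

Each step of the attack path that worked is recorded with its ATT&CK technique,
the tactic it served, and what the SOC actually observed: whether a detection
fired, whether an analyst acted on it, and how many alerts the same rule raised
in the same period with no red-team cause (a rough proxy for noise).
Technique IDs are real ATT&CK identifiers; the step records are constructed.
"""
from dataclasses import dataclass


@dataclass
class Step:
    technique: str             # ATT&CK technique ID, e.g. "T1566.001"
    tactic: str                # ATT&CK tactic name
    detected: bool             # did any rule fire on this step?
    actioned: bool             # did an analyst investigate the alert?
    unrelated_alerts: int = 0  # alerts from the same rule with no red-team cause (assumed field)


def classify(step: Step, noise_threshold: int = 50) -> str:
    """Bucket a step the way the debrief narrative describes it."""
    if not step.detected:
        return "missed"        # no rule fired: a detection gap
    if step.unrelated_alerts >= noise_threshold and not step.actioned:
        return "noisy"         # the rule fires, but the signal drowns in unrelated alerts
    if not step.actioned:
        return "unactioned"    # clean alert nobody looked at: a process gap, not a rule gap
    return "held"              # detected and investigated


def coverage_by_tactic(path):
    """Fraction of steps per tactic where a detection fired at all."""
    totals, hits = {}, {}
    for s in path:
        totals[s.tactic] = totals.get(s.tactic, 0) + 1
        hits[s.tactic] = hits.get(s.tactic, 0) + int(s.detected)
    return {t: hits[t] / totals[t] for t in totals}


def first_actioned_index(path):
    """Index of the first step an analyst acted on, or None.

    Everything before that index is how far the attacker got without anyone
    looking, which is the number a SOC lead usually wants first.
    """
    for i, s in enumerate(path):
        if s.detected and s.actioned:
            return i
    return None


def debrief(path):
    """One (technique, tactic, verdict) row per step, in attack-path order."""
    return [(s.technique, s.tactic, classify(s)) for s in path]


# Constructed sample attack path: phishing -> PowerShell execution -> LSASS dump
# -> SMB lateral movement -> exfiltration over a non-C2 protocol.
SAMPLE_PATH = [
    Step("T1566.001", "Initial Access", detected=True, actioned=False, unrelated_alerts=300),
    Step("T1059.001", "Execution", detected=True, actioned=False, unrelated_alerts=2),
    Step("T1003.001", "Credential Access", detected=False, actioned=False),
    Step("T1021.002", "Lateral Movement", detected=True, actioned=True, unrelated_alerts=5),
    Step("T1048.003", "Exfiltration", detected=False, actioned=False),
]

if __name__ == "__main__":
    for tech, tactic, verdict in debrief(SAMPLE_PATH):
        print(f"{tech:<10} {tactic:<18} {verdict}")
    print(coverage_by_tactic(SAMPLE_PATH))
    print("first actioned step:", first_actioned_index(SAMPLE_PATH))
```

The split between "noisy" and "unactioned" is the point: both look like "we had an alert" on paper, but one calls for tuning the rule and the other for fixing the triage process, and the debrief should say which.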
I've run engagements in environments north of 150,000 endpoints, but bigger isn't always better. A focused purple-team exercise against a single business unit — engineers, defenders and attackers in the same room — often produces more durable improvement than a sprawling covert campaign, especially the first time around.