What does a red team do?

A red team simulates a cyberattack in real time, using real-world adversarial tactics to assess, analyze and consult on the strength of the organization’s defensive response to the attack. By using actual methods from “the wild” in a controlled way, the red team gains visibility into the people, processes and controls behind an organization’s cyber security posture.

How long does it take to conduct a red teaming operation?

The length of a red team operation will vary based on the scope and objectives of the exercise. A full end-to-end red team engagement can take one to two months. If the objective of the exercise has a specific focus, it may take closer to two weeks.

What is the difference between pen testing and red teaming?

Penetration testing focuses on exploiting the vulnerabilities of only one specific system or set of systems. The goal is to test the resiliency of the technology in place. Red team testers play the role of real threat actors, concealing their movements as much as possible and trying to get as far into the target systems as they can. Penetration testing is usually the methodology of choice for evaluating systems, while a red team exercise evaluates the defenses as whole, including technical controls, processes and training.

Could a red team operation cause any damage or disruption?

Unlike genuine cyberattacks, red team operations are designed to be non-destructive and non-disruptive. Our tactics and techniques are executed in a methodical and controlled manner, while techniques that carry a risk of disruption are specifically avoided. By choosing a CREST-accredited provider of ethical hacking services, you can be sure that all engagements will be carried out in line with pre-agreed rules of engagement and the highest technical, legal and ethical standards.

Red Team Security Services

Q: What is a red team exercise?

Red teaming is the process of simulating a real-world cyber adversary to test your defenses against a realistic attack under controlled conditions. This can include attacks at all levels of the kill chain and a full range of TTPs, including both technical exploits as well as human weaknesses. Red teaming helps you assess processes, technical controls and employee training against threats to both people and technology. Red teaming also helps your business measure the effectiveness of detection and response to inform strategic decision making.

Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.

While it is impossible to know when your business will be the target of a cyberattack, an attack simulation (a.k.a. a “red team” exercise) is as close as you can get to understanding your organization’s level of preparedness.

Unlike penetration testing, red teaming is a focused assessment designed to test an organization’s detection and response capabilities against a simulated threat actor with defined objectives, such as data exfiltration. Organizations that already conduct regular pen tests and have a mature vulnerability management program may benefit from red team security services.

A red team operation from Kroll is designed to exceed the limits of traditional security testing by rigorously challenging the effectiveness of security controls, personnel and processes in detecting and responding to highly targeted attacks. Our team evaluates your organization’s response to an attack, helping you identify and classify security risks, uncover hidden vulnerabilities and address identified exposures so you can spend more time prioritizing future growth and investments.

What is a Red Team Exercise

Explore Cyber and Data Resilience

Penetration Testing Services

Cyber Risk Retainer

Cyber Risk Assessments

Cloud Security Services

AI Security Testing Services

Get a Quote

24X7 Hotline

Watch as Jeff and Ben explain the benefits and what might qualify your organization for a red team exercise.

Loading component...

Get the Full Picture with Red Team Testing

Evaluate Your Response

How prepared is your organization to respond to a targeted attack? Test the effectiveness of your people, processes and technology.

Identify Security Risks

Learn what critical assets are at risk and how easily they could be targeted by cyber criminals.

Uncover Vulnerabilities

Red teaming mimics the latest adversarial tactics to identify hidden vulnerabilities that attackers seek to exploit.

Address Identified Exposures

Receive important post-operation support to address identified vulnerabilities and mitigate the risk of suffering a real-life attack.

Enhance Blue Team Effectiveness

Identify and address gaps in threat coverage and visibility by simulating a range of attack scenarios.

Evaluate Your Response

Red team exercises help ensure that your team has an opportunity to test the effectiveness of your incident response program.

Prioritize Future Investments

Better understand your organization's security weaknesses and ensure that future investments deliver the greatest benefit.

Access Certified Experts

Get the support of a team of experts which conducts more than 53,000 hours of assessments a year, with well over 100 offensive security certifications.

Loading component...

Red Team Security Services Key Features

Our red teaming process is built from the ground up to give you adaptability, clarity and support, allowing you to act with confidence.

Offensive Security Experts – Our seasoned team of credentialed experts use their knowledge of data security to comprehensively test your organization's cyber security controls and incident response procedures against the highest technical, legal and regulatory standards.
Intelligence-led Testing – Red team operations use evasion, deception and stealth techniques, similar to those used by sophisticated threat actors, to simulate an attack and provide actionable security outcomes for your business.
Blended Attack Methods – A wide range of attack techniques are used, which might include phishing, social engineering, exploit of vulnerable services, proprietary adversarial tools and techniques and/or physical access methods.
In-Depth Reporting – A detailed post-engagement report provides key stakeholders with a complete overview of the assessment and actionable insights to support the remediation of any identified risks.

Tailored Terms of Engagement – We adapt to your business needs and your level of security maturity. From OSINT (open-source intelligence) gathering and network reconnaissance to custom social engineering and phishing campaigns, we test the effectiveness of your controls by simulating both internal and external threat actors across different attack domains.
Comprehensive, Actionable Findings – Our adversarial simulation follows MITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework. Covering the entire attack chain, our goal is to provide a measurable effectiveness rating across the attack and defense surfaces to better inform strategic decision-making.
Ongoing Collaborative Support – We partner with you to develop a strategy that aligns with natural business cycles. The program can include red team, social engineering, penetration testing and purple team. We also provide support for strategic and tactical remediation and mitigation, so you can prevent and respond to real-world attacks, reducing risk in the long term.

Loading component...

Example Red Team Objectives

Gaining access to a segmented environment holding sensitive data
Taking control of an IoT device or a specialized piece of equipment
Compromising a company director’s account credentials Obtaining privileges to allow ransomware to be mass deployed across the environment
Obtaining access to OT / ICS zone
Obtaining physical access to a server room or sensitive location
Successfully phishing or social engineering a user or group
Bypassing specific security controls, such as endpoint detection and response (EDR), data loss prevention, DLP, email security controls or anti-bot controls

Example Red Team Objectives

Loading component...

Actionable Red Team Reporting

Kroll's approach to red teaming gives you a clear, real-world view of your security posture and provides an actionable strategy with quickly recognizable benefits. Here’s what you can expect to receive in your red team report:

Executive Summary

A high-level overview for executive and management teams including assessment results, vulnerabilities found and strategic recommendations for fixing identified problems or systemic issues.

Play-by-play Attack Narrative

Steps taken to compromise your organization, including observed strengths and opportunities for further maturity.

Technical Details

Detailed technical feedback for teams to understand, replicate and remediate findings.

Expert Risk Analysis

Comprehensive analysis of all the security risks identified, including their severity and potential impact.

Actionable Intelligence

Tactical and strategic recommendations, including clear expert advice to help address risks.

Security Framework Mapping

Pinpoint and direct NIST, CIS, HITRUST and MITRE ATT&CK.

Loading component...

Red Team Testing Methodology

Our red team operations experts embrace a systematic approach when testing the capacity of your organization’s threat detection and response capabilities. An example of a common red team engagement might include the following stages:

Reconnaissance– The success of any red team test hinges on the quality of intelligence. Our white hat hackers utilize a range of OSINT tools, techniques and resources to gather details about networks, employees and in-use security systems that could be used to successfully compromise the target.
Staging– Once vulnerable access points have been identified and our experts develop a plan of attack, the “staging” phase begins. Staging involves setting up and concealing the groundwork and resources needed to launch attacks, like fixing servers to perform ”command and control” (C2) operations and social engineering activities.

Initial Access– The initial access phase of a red team operation marks the point at which the attackers establish a foothold in the target environment. In pursuing their objective, our ethical hackers may attempt to exploit discovered vulnerabilities, use brute force to crack weak employee passwords and create fake email communications to launch phishing attacks and drop malicious payloads.
Internal Compromise– Once a foothold is established on the target network, the red team turns its focus to executing the objectives of the operation. Objectives during this phase might include lateral movement across the network, privilege escalation and data extraction.
Reporting and Analysis– Now that the red team operation has concluded, a comprehensive evaluation is prepared to inform technical and non-technical stakeholders in assessing the results of the exercise. A summary may include an overview of the effectiveness of the security program as it currently stands, attack vectors used and recommendations about how to remediate and mitigate risks.

Loading component...

Red Team Testing Fueled by Frontline Intelligence

Kroll is one of the largest incident response providers in the world, handling over 3,000 incidents worldwide every year. This unrivaled expertise allows us to collect actionable frontline threat intelligence and adapt the latest tactics, techniques and processes to incorporate in our red team operations.

Our team serves clients in 140 countries across six continents, spanning nearly every industry and sector. To help our clients stay ahead of today’s complex demands, we developed red team services that fully assess your organization's threat detection and response capabilities with a simulated cyberattack.

Our Red Team Security Qualifications

In addition to our rich threat intelligence, Kroll’s team of ethical hackers possess the skills and experience to identify and leverage the latest threats, putting your defensive controls through the ringer. Our experts carry key certifications too, besides their cyber street creds:

Offensive Security Certified Professional (OSCP)
CREST Registered Penetration Tester
CREST Certified Infrastructure Tester
Azure Security Specialist Cert
AWS Security Specialist Cert
GIAC Penetration Tester (GPEN)
GIAC Web Application Penetration Tester (GWAPT)
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
GIAC Cloud Penetration Tester (GCPN)
EC-Council Licensed Penetration Tester (LPT) Master
Certified Red Team Operations Professional (CRTOP)

Loading component...

Red Teaming Part of the Cyber Risk Retainer

Red team security services can be packaged as part of Kroll’s user-friendly Cyber Risk Retainer, along with a variety of valuable cyber security solutions like tabletop exercises, risk assessments, cloud security services and more. In addition to unique discounts, the retainer also secures prioritized access to Kroll’s elite digital forensics and incident response team, including solutions like crisis communication and litigation support when needed.

Get Started with Kroll’s Red Team Security Services

Assess and test your organization’s threat detection and response capabilities with our in-depth red team services and security consulting.

A deep understanding of how hackers operate
In-depth threat analysis and expert advice you can trust
Complete post-assessment care for effective risk remediation
Multi award-winning security services
Avg. >9/10 customer satisfaction, 95% retention rate
Red team experts backed by cutting-edge research and development

Loading component...

Frequently Asked Questions

A “red team” is a term originally derived from military exercises for a group playing the part of the adversary. This requires that the red team members are highly skilled in offensive tactics that real world adversaries are likely to employ. Within a cybersecurity exercise, these adversarial tactics are used to penetrate your systems in order to provide a realistic assessment of the effectiveness of your defenses against real-world attacks.

Loading component...

Connect With Us

Jeff Macko

Associate Managing DirectorCyber and Data ResilienceSecaucus

Jeff Macko jeff.macko@kroll.com +1 919 441 7501

Benjamin Mahar

Associate Managing DirectorCyber and Data ResilienceToronto

benjamin.mahar@kroll.com

Loading component...

Stay Ahead with Kroll

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber- resilient.

Learn More

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Learn More

Agile Penetration Testing Program

Integrated into your software development lifecycle (SDLC), Kroll’s agile penetration testing program is designed to help teams address security risks in real time and on budget.

Learn More

FAST Attack Simulation

Safely perform attacks on your production environment to test your security technology and processes.

Learn More

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Learn More

Loading component...

Let's solve for the future

Yes, I would like to receive periodic event invitations, reports and news from Kroll.