Red Team Assessments

  • Home
  • Red Team Assessments
Red Team Assessments

Red team (Adversary simulation)

Assess the impact of an attack on your organisation

Our red team engagements simulate likely real world threats, showing how it would be possible for an attacker to gain access to your organisation and demonstrate the damage they could do once inside, typically without being detected.

Red teaming takes a much broader approach than penetration testing, not just uncovering vulnerabilities, but showing how these could be exploited and chained together in order to achieve a set goal. Our goals are typically linked to your business critical assets, such as intellectual property or production systems, and would therefore be highly impactful to your organization if a threat actor was able to gain access to them.

This type of assessment would be extremely useful for organisations of all sizes who wish to test their defences against real-world attacks, who have critical business assets they need to protect and to those looking to assess the business impact of a breach.


Using a combination of automated and manual testing, our consultants will inspect your Internet-exposed services to assess if vulnerabilities are present that could allow them to be exploited by a malicious user.

Our external penetration testing comprises the following stages, which are representative of a real-life attack:

  1. Passive Reconnaissance
  2. Network Enumeration
  3. Active Testing

Passive Reconnaissance

During the initial stages of a real-life attack, malicious users will spend time performing reconnaissance, so that a profile or ‘footprint’ of the target organisation can be obtained. Information such as the IP addresses in use, hostnames and employee information can greatly assist an attacker in choosing an effective attack method and may help identify areas of the target organisation’s infrastructure that would render the highest impact if compromised.

Public databases and information services can contain a wealth of information that may prove useful to an attacker. Most of these information sources can be freely and passively accessed and with these information sources residing in the public domain, there is no chance that the searches performed by an attacker will trigger alerts that may notify the target organisation that an attack is being planned.

During this phase of the testing, the following public information sources will be accessed to obtain further information about the target organisation:

  1. RIPE Database
  2. WHOIS Database
  3. Domain Name Servers

Network Enumeration

Once an attacker has built a profile of the organisation through passive information gathering, they will attempt to identify ‘live’ hosts and services within the IP address range. Once an understanding of the exposed ports and services is obtained, this will give the attacker more information on potential vulnerabilities that may allow them to gain a foothold on the network and further their attack.

During this phase of the test, a full TCP and UDP port scan of all 65,535 ports will be conducted over the in-scope IP range. An ICMP scan will also be conducted, to identify which hosts would disclose their presence to an attacker who performs a simple ‘ping’ scan.

Active Testing

Based on the results of the Network Enumeration phase, a vulnerability assessment and targeted penetration test will be conducted on all Internet-exposed services. All results of the vulnerability assessment will be manually verified to ensure that no ‘false positive’ results are present.

All exposed services will be manually inspected by connecting to them and attempting to gain access through known exploits.


  1. A signed & completed Testing Consent Form
  2. List of IP addresses or hostnames to be assessed