CERT-In Empanelled · MITRE ATT&CK · TIBER-EU Adjacent

Red Team Assessment

One threat actor. One objective. Full kill-chain. Goal-oriented adversary simulation, MITRE ATT&CK-mapped, brand-safe by design.

MITRE ATT&CK mapped · TIBER-EU methodology adjacent · CERT-In empanelled since 2008

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
Step 01 · Define

Threat model, crown jewels, threat-actor profile, rules of engagement, authorisation letter. All staged in Lemon.

Step 02 · Engage

4–16 weeks of OSINT, initial access, lateral movement, persistence and exfiltration. Brand-safe, fully logged, MITRE ATT&CK-mapped.

Step 03 · Hand Over

Executive narrative plus technical kill-chain report. Optional purple-team handover with your SOC.

What Is a Red Team Assessment?

A red team assessment is a goal-oriented adversary simulation where certified operators emulate a specific threat actor against your organisation, using OSINT, phishing, payload development, lateral movement, persistence and exfiltration, to test whether your people, process and technology can detect and respond. It goes beyond penetration testing into the adversary realism that RBI / SEBI threat-led testing and TIBER-EU expect.

Beyond vulnerability — into adversary realism

A real attacker doesn't care about your CVSS scores. They care about reaching their objective. So do we.

OSINT & Recon

Public-source intelligence: domains, employees, tech stack, leaked credentials

Phishing & Vishing

Targeted social engineering with bespoke pretexts and infrastructure

Payload Development

Custom payloads, AV/EDR evasion, in-memory only, encrypted C2

Initial Access

Phishing, USB drops, supply-chain pretexts, exposed-service exploit

Lateral Movement

AD attack paths, Kerberos abuse, credential harvest, segmentation bypass

Persistence & Domain Dominance

Persistence implants, golden ticket where authorised, SOC playbook evasion

Exfiltration Simulation

Reach crown-jewel target, demonstrate covert exfil, document SOC visibility

Purple-Team Handover

Walk your SOC through every TTP, every detection gap, every control improvement

Methodology

9 steps. Realistic adversary, brand-safe execution.

Every engagement runs through Lemon, our audit-management platform — fully logged, fully escalation-controlled, MITRE ATT&CK-mapped throughout.

Discovery

01 · Threat Model & Rules of Engagement

Crown jewels confirmed, threat-actor profile selected, kill-chain stages in scope, authorisation letters signed, escalation contacts and safe-words agreed in writing. Lemon stages all artefacts.

02 · OSINT & External Recon

Public-source intelligence gathering — domains, employees, technology stack, leaked credentials in dark-web corpora, exposed services. Build the attack picture before touching anything.

03 · Pretext Development

Phishing infrastructure stand-up, payload development, AV/EDR evasion testing in isolated lab, social-engineering personas, and physical-pretext gear if in scope.

Engagement

04 · Initial Access

Phishing, vishing, USB drops, supply-chain pretexts, exposed-service exploitation, leaked-credential reuse. Whichever vector aligns with the threat-actor profile we're simulating.

05 · Privilege Escalation & Lateral Movement

Foothold to domain admin (where in scope), credential harvesting, AD attack-path traversal, segmentation-bypass to crown-jewel environments. MITRE ATT&CK technique-mapped throughout.

06 · Persistence & Domain Dominance

Persistence implants placed where your telemetry does not reach, golden-ticket / silver-ticket forgery where authorised, evasion of your active SOC playbooks. Business impact is demonstrated quietly, without disruption.

07 · Data Exfiltration Simulation

Reach the agreed crown-jewel target, demonstrate exfil through covert channels, document SOC visibility (or absence), proof-of-impact captured for the report. Brand-safe at every step.

Delivery

08 · Three-Layer QA + Purple-Team Handover

L1 operator → L2 senior → L3 architect QA. Optional purple-team handover where we walk your SOC through every TTP, every detection gap, every control improvement.

09 · Reporting & Tabletop

Executive narrative + technical kill-chain report, MITRE ATT&CK mapping, control-gap analysis, optional tabletop exercise to validate response improvements.

Compliance-Ready

Aligned to threat-led-testing frameworks

Red team reports provide the detect-and-respond evidence your regulator and customers will ask for: CERT-In, RBI / SEBI threat-led testing, TIBER-EU, NIST CSF and ISO 27001.

CERT-In: Empanelled since 2008
TIBER-EU principles: Threat-led testing alignment
MITRE ATT&CK: Technique mapping per engagement
RBI / SEBI: Threat-led testing alignment
NIST CSF: Detect / Respond function validation
ISO 27001: Annex A 5.7 (threat intelligence) + 5.24 (incident management planning)
PCI DSS v4.0: Targeted risk analysis testing
CBEST / iCAST: Comparable methodology

Common engagement types

What clients ask us to simulate

Red team engagements cluster into a handful of well-defined patterns — sized for our 4–16 week delivery window.

BFSI threat-led test: TIBER-style, financial-sector threat actor
Supply-chain pretext: Vendor or partner pretext, lateral movement to the crown jewel
Phishing / vishing only: Awareness baseline plus tactical detection test
Full-spectrum red: OSINT to exfiltration, multi-vector, brand-safe
Web + mobile attack chain: External application to internal foothold
Insider-threat simulation: Assumed-breach with low-privilege internal access

Deliverables

What you get

Executive narrative for leadership, technical kill-chain for SOC and engineering, MITRE ATT&CK map, and the option of a structured purple-team handover that turns the red exercise into permanent detection improvements.

Executive Narrative

Story of the engagement, business impact, control-gap analysis. Board-ready.

Technical Kill-Chain Report

Every TTP, every command, every detection gap, MITRE ATT&CK technique mapping.

Purple-Team Handover

Optional — structured walk-through with SOC, every TTP, every detection improvement.

Tabletop Exercise

Optional — facilitated tabletop validating the response improvements actually work.
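The kill-chain report and the purple-team handover both rest on one artefact: every step of the engagement mapped to an ATT&CK technique, with a record of whether the SOC saw it and whether anyone acted on it. The following is an added example, not code from Security Brigade or its Lemon platform. It takes a constructed engagement log (the ATT&CK tactic names and technique IDs are real; the hosts, days, actions and alert sources are assumptions) and produces the detection-gap, response-gap and dwell-time summary a handover would walk through.

```python
"""Detection-gap summary for an ATT&CK-mapped red-team kill-chain log.

Added example, not Security Brigade's code or Lemon's data model.
ENGAGEMENT_LOG is constructed: technique IDs are real ATT&CK IDs,
everything else (hosts, days, actions, alert sources) is made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    day: int          # engagement day on which the step was executed
    tactic: str       # ATT&CK tactic
    technique: str    # ATT&CK technique / sub-technique ID
    name: str         # ATT&CK (sub-)technique name
    action: str       # what the operator did (constructed)
    detected: bool    # an alert or log entry surfaced this step to the SOC
    responded: bool   # the SOC acted on it (ticket, containment, escalation)
    source: str = ""  # which control produced the detection, if any


# Constructed kill chain: phishing foothold to crown-jewel exfiltration.
ENGAGEMENT_LOG: List[Step] = [
    Step(1, "Reconnaissance", "T1589.002", "Email Addresses",
         "harvest staff addresses from public sources", False, False),
    Step(3, "Initial Access", "T1566.001", "Spearphishing Attachment",
         "invoice pretext with macro document to finance team", False, False),
    Step(3, "Execution", "T1204.002", "Malicious File",
         "macro stages in-memory loader on FIN-WS-07", False, False),
    Step(4, "Persistence", "T1053.005", "Scheduled Task",
         "daily task re-launches loader", True, False,
         "EDR alert raised, auto-closed by tuning rule"),
    Step(6, "Credential Access", "T1003.001", "LSASS Memory",
         "dump credentials on FIN-WS-07", True, False,
         "EDR alert raised, closed as false positive"),
    Step(8, "Lateral Movement", "T1021.002", "SMB/Windows Admin Shares",
         "pivot to FIN-APP-02 with harvested service account", False, False),
    Step(11, "Credential Access", "T1558.001", "Golden Ticket",
         "forge TGT with krbtgt hash (authorised in RoE)", False, False),
    Step(15, "Collection", "T1005", "Data from Local System",
         "stage synthetic crown-jewel extract", False, False),
    Step(19, "Exfiltration", "T1041", "Exfiltration Over C2 Channel",
         "push staged archive over encrypted C2", True, True,
         "proxy volume anomaly, SOC ticket and containment"),
]


def detection_gaps(log: List[Step]) -> List[str]:
    """Technique IDs the SOC never saw: the purple-team backlog."""
    return [s.technique for s in log if not s.detected]


def first_detection(log: List[Step]) -> Optional[Step]:
    return next((s for s in log if s.detected), None)


def first_response(log: List[Step]) -> Optional[Step]:
    return next((s for s in log if s.responded), None)


def dwell_days(log: List[Step]) -> Optional[int]:
    """Days from initial access to the first SOC response.
    None when there was no access step or the SOC never responded."""
    access = next((s for s in log if s.tactic == "Initial Access"), None)
    resp = first_response(log)
    if access is None or resp is None:
        return None
    return resp.day - access.day


def coverage_by_tactic(log: List[Step]) -> Dict[str, Tuple[int, int]]:
    """(detected, attempted) per tactic, in kill-chain order."""
    cov: Dict[str, Tuple[int, int]] = {}
    for s in log:
        d, n = cov.get(s.tactic, (0, 0))
        cov[s.tactic] = (d + int(s.detected), n + 1)
    return cov


def render_report(log: List[Step]) -> str:
    """Plain-text kill-chain table plus the gap summary a handover needs."""
    lines = ["day  tactic              technique   det resp  action"]
    for s in log:
        lines.append(f"{s.day:>3}  {s.tactic:<19} {s.technique:<11} "
                     f"{'Y' if s.detected else '-'}   "
                     f"{'Y' if s.responded else '-'}    {s.action}")
    lines.append("")
    lines.append("Coverage by tactic: " + ", ".join(
        f"{t} {d}/{n}" for t, (d, n) in coverage_by_tactic(log).items()))
    lines.append("Undetected techniques: " + ", ".join(detection_gaps(log)))
    fd, fr = first_detection(log), first_response(log)
    lines.append(f"First detection: {fd.technique if fd else 'none'}; "
                 f"first response: {fr.technique if fr else 'none'}; "
                 f"dwell before response: {dwell_days(log)} days")
    # Alerts that fired but were closed untriaged are a response gap,
    # not a detection gap; the handover treats the two differently.
    ignored = [s.technique for s in log if s.detected and not s.responded]
    lines.append("Detected but not actioned: " + ", ".join(ignored))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(ENGAGEMENT_LOG))
```

The separation of `detected` from `responded` is the point: in this constructed chain the EDR fired twice before any lateral movement, and both alerts were closed, so the detection gap is narrower than the response gap, and the 16-day dwell is a process finding rather than a tooling one. Extend `Step` with the Lemon artefact reference or command transcript if the report needs to cite evidence per technique.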

FAQ

Common questions

Can't find what you're looking for? Talk to our red-team lead.
What is a red team assessment?
A red team assessment is a goal-oriented adversary simulation where certified operators emulate a specific threat actor against your organisation, using OSINT, phishing, payload development, lateral movement, persistence and data exfiltration, to test whether your people, process and technology can detect and respond. Unlike pen testing (technology-focused, broad coverage), red teaming is narrow but realistic: one threat actor, one objective, full kill-chain.
How is red teaming different from penetration testing?
Pen testing is "find every vulnerability" with broad coverage. Red teaming is "achieve a defined objective the way a real attacker would" with narrow, deep, stealthy execution. A pen test report is a list of findings ranked by severity (say, 47 of them). A red team report is a single kill-chain narrative, the MITRE ATT&CK techniques used, the detection gaps along the way, and a control-improvement roadmap.
Black-box, grey-box, or assumed-breach?
Configurable per engagement. Black-box mirrors a real adversary with no prior information: most realistic, longest engagement. Grey-box gives us a basic external profile and the threat-actor model. Assumed-breach starts post-foothold to focus on detection and response. Many enterprises do all three over a multi-year red-team programme.
Will this trigger our SOC / cause an incident?
It might, and that's the point. We pre-agree out-of-band escalation contacts and safe-words, so if your SOC declares an incident a named contact can confirm whether the activity is ours. We also keep a parallel "blue-team channel" with your CISO so leadership knows the engagement is in flight. The whole engagement is logged in Lemon for after-action review.
How long does a red team take?
Compact engagements: 4–6 weeks. Standard enterprise red team: 6–10 weeks. Multi-vector threat-led testing (TIBER-EU style for banks): 12–16 weeks. Time-on-target is the key variable: real attackers are patient, and so are we.
Is red teaming required for RBI / SEBI / TIBER?
Increasingly, yes. RBI and SEBI have both moved toward threat-led testing for systemically important institutions. TIBER-EU is the European framework that India's emerging threat-led-testing guidance leans on. CERT-In empanelment is the qualifying standard for the testing provider; Security Brigade has been empanelled since 2008.
Do you do social engineering and physical?
Both, within authorisation. Phishing and vishing feature in every engagement. Physical access (tailgating, USB drops, badge cloning) happens only with explicit written authorisation, escalation contacts pre-agreed, and a written authorisation letter our operators carry. We do not do anything that risks operator safety or breaks the law.
What about purple-team handover?
Often the most valuable part. After the red engagement we run a structured walk-through with your SOC: every TTP we used, every detection gap (or detection that worked), every control we recommend. Pure red is exciting; purple is what actually moves the needle on detection maturity.

Find out what your SOC actually catches.

Whether it's a tactical phishing test, a financial-sector threat-led engagement, or a full-spectrum red team running into a purple-team handover, talk to our red-team lead.