
Beyond Penetration Testing

Goal-oriented adversary simulation, not a vulnerability checklist

What Makes a Real Red Team Engagement

A red team engagement is not a longer penetration test. It's a goal-oriented operation where a small cell of senior offensive operators is given crown-jewel objectives — exfiltrate customer PII, transfer funds, take down production, access the CEO's mailbox — and a window of weeks or months to achieve them by any means short of physical harm or data destruction. Detection and response are part of the test, not exclusions from it.

Threat-led, objective-based scoping (not asset-list scoping)
Full kill-chain coverage: recon, initial access, persistence, lateral movement, exfiltration
Custom tradecraft and OPSEC to evade EDR, SIEM, and SOC detection
Mapped end-to-end to MITRE ATT&CK with per-technique detection deltas
Aligned to TIBER-EU, CBEST, and threat-led testing frameworks where required
Executive narrative with attack-path graphs your board can read

How We Operate

A senior cell of operators, real adversary tradecraft, full kill-chain coverage

1. Threat Modeling & Objectives

We work with your leadership to define crown-jewel objectives, rules of engagement, and the threat actors most relevant to your industry. Output: a scenario brief mapped to ATT&CK and your business risk register.

2. Reconnaissance & Weaponization

OSINT, infrastructure profiling, employee enumeration, and custom payload/implant development. We stand up isolated C2 infrastructure with redirectors and domain fronting where appropriate.

3. Initial Access

Phishing, password-spray against exposed services, MFA-bypass techniques, supply-chain abuse, or assumed-breach handoff. Initial access is engineered to evade your specific email gateway, EDR, and SOC playbooks.

4. Persistence & Lateral Movement

Privilege escalation, credential theft, Kerberoasting, AD CS abuse, cloud-identity pivoting, and lateral movement kept within an agreed SOC-visibility budget. Every technique is logged with a timestamp so the blue team can correlate it against their own alerts.

5. Action on Objectives

Reaching the crown jewels — without actually exfiltrating sensitive data. We demonstrate access (screenshots, file listings, transaction-staging) and stop short of operational impact, with your approval gates throughout.

6. Debrief & Detection Deltas

Full ATT&CK heatmap showing which techniques were detected, which were missed, and the dwell time at each stage. Executive narrative for the board, technical report for the SOC, and a re-test offered 90 days out.


Senior Operators Only

Every Nomad red team engagement is staffed by operators with OSCP, OSEP, CRTO, GXPN, and OSCE3 certifications and prior experience in government, defense-industrial-base, or top-tier consulting red teams. No juniors learning on your environment.

Custom Tradecraft

We develop bespoke implants, evasion techniques, and infrastructure for each engagement. Off-the-shelf tooling gets caught by modern EDRs — and catching off-the-shelf tooling doesn't tell you whether you'd catch a real adversary.

ATT&CK-Mapped Reporting

Every action is tagged to a MITRE ATT&CK technique. You receive a heatmap of detection coverage, dwell time per stage, and concrete detection-engineering recommendations — not just a vulnerability list.
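As an added illustration of how the timestamped operator log and the SOC's alerts described above turn into per-technique detection deltas, a per-tactic coverage heatmap and dwell time per stage, here is a small correlation script. It is example code written for this page, not Nomad's own tooling or report format; the record shapes, hosts, technique IDs and timestamps are constructed sample data, and the 48-hour matching window is an assumed parameter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical record shapes (assumed for this example). In a real engagement
# these would be exported from the operator log and the SIEM/EDR alert queue.
@dataclass(frozen=True)
class OperatorAction:
    ts: datetime        # when the operator executed the step (operator-logged)
    tactic: str         # ATT&CK tactic, used as the kill-chain stage
    technique: str      # ATT&CK technique ID the action is tagged with
    note: str

@dataclass(frozen=True)
class SocDetection:
    ts: datetime        # when the SOC alert fired
    technique: str      # technique the rule or analyst mapped the alert to
    source: str

@dataclass(frozen=True)
class Delta:
    action: OperatorAction
    detected: bool
    time_to_detect: Optional[timedelta]   # None when the technique was missed

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample operator log, one entry per executed technique.
ACTIONS = [
    OperatorAction(_t("2024-03-04T09:00"), "Initial Access", "T1566.001", "spearphishing attachment delivered"),
    OperatorAction(_t("2024-03-04T09:20"), "Execution", "T1204.002", "user opened attachment"),
    OperatorAction(_t("2024-03-04T10:05"), "Persistence", "T1053.005", "scheduled task created"),
    OperatorAction(_t("2024-03-05T14:30"), "Credential Access", "T1558.003", "Kerberoasting"),
    OperatorAction(_t("2024-03-06T11:00"), "Lateral Movement", "T1021.001", "RDP to file server"),
    OperatorAction(_t("2024-03-07T16:45"), "Collection", "T1005", "file listing of crown-jewel share, no exfil"),
]

# Constructed sample SOC alerts. The first one pre-dates the matching action,
# so it is unrelated background noise and must not count as a detection.
DETECTIONS = [
    SocDetection(_t("2024-03-03T08:00"), "T1021.001", "EDR"),
    SocDetection(_t("2024-03-04T09:45"), "T1566.001", "email gateway"),
    SocDetection(_t("2024-03-05T15:10"), "T1558.003", "SIEM"),
    SocDetection(_t("2024-03-06T13:30"), "T1021.001", "EDR"),
]

def detection_deltas(actions, detections, window=timedelta(hours=48)):
    """Per operator action: was the same technique alerted on at or after the
    action timestamp (within the window), and how long did that take?"""
    results = []
    for a in actions:
        hits = [d.ts for d in detections
                if d.technique == a.technique and a.ts <= d.ts <= a.ts + window]
        if hits:
            results.append(Delta(a, True, min(hits) - a.ts))
        else:
            results.append(Delta(a, False, None))
    return results

def coverage_heatmap(deltas):
    """tactic -> (techniques detected, techniques executed)."""
    heat = {}
    for d in deltas:
        seen, total = heat.get(d.action.tactic, (0, 0))
        heat[d.action.tactic] = (seen + int(d.detected), total + 1)
    return heat

def dwell_per_stage(deltas):
    """tactic -> time from the first operator action in that stage to the first
    SOC detection of any technique in that stage (None if never detected)."""
    stages = {}
    for d in deltas:
        stages.setdefault(d.action.tactic, []).append(d)
    out = {}
    for tactic, group in stages.items():
        first_action = min(d.action.ts for d in group)
        seen = [d.action.ts + d.time_to_detect for d in group if d.detected]
        out[tactic] = (min(seen) - first_action) if seen else None
    return out

def overall_dwell(deltas):
    """Time from the first operator action to the first detection anywhere."""
    first_action = min(d.action.ts for d in deltas)
    seen = [d.action.ts + d.time_to_detect for d in deltas if d.detected]
    return (min(seen) - first_action) if seen else None

if __name__ == "__main__":
    deltas = detection_deltas(ACTIONS, DETECTIONS)
    for d in deltas:
        status = f"detected after {d.time_to_detect}" if d.detected else "MISSED"
        print(f"{d.action.tactic:<18} {d.action.technique:<10} {status}")
    print("heatmap:", coverage_heatmap(deltas))
    print("dwell per stage:", dwell_per_stage(deltas))
    print("overall dwell:", overall_dwell(deltas))
```

The matching is deliberately per technique and time-ordered: an alert that fired before the operator acted, or that maps to a different technique, is not credited, which is what keeps the "detected" column honest when the SOC generates unrelated alerts during the engagement window.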

Re-Test & Purple Team Follow-Up

We don't disappear after the report. Standard engagements include a purple-team day at the 90-day mark to validate remediations and a free re-test of any technique your team has since hardened against.

Red Team FAQ

How is a red team engagement different from a penetration test?

A penetration test finds vulnerabilities in a defined scope (an app, a subnet, a cloud account) over 1–4 weeks. A red team engagement is objective-based, runs for weeks or months, treats your detection and response capability as part of the test, and uses bespoke tradecraft to evade your EDR/SOC. Pentests answer "what's exploitable?" — red teams answer "would we catch a real adversary in time?"

Does our SOC know the engagement is happening?

For a true red team, no — only a small trusted control group (the "white team," usually CISO + 1–2 leaders) knows. The SOC is blind so we can measure real detection and response. For a purple team, the opposite: the SOC works alongside us in real time to tune detections technique-by-technique.

What happens if our team catches you?

Excellent — that's a successful engagement outcome too. Every operator carries a signed "get out of jail" letter from your white team and an emergency contact protocol. If we're caught, we cooperate with your IR process, log the detection event, and either pivot to a new TTP or move to an assumed-breach scenario for the next phase.

How long does an engagement take?

Typical engagements run 4–12 weeks of execution plus 2 weeks for planning and 2 weeks for reporting. Assumed-breach engagements compress to 2–4 weeks. TIBER-EU and CBEST-style threat-led tests can run 3–6 months end-to-end including the threat intelligence phase.

Are we ready for a red team?

If you don't have an EDR deployed, a SOC capability, and a working incident response process, the answer is usually no — start with penetration testing and vCISO advisory first. A red team against a green environment produces a long list of findings you can't act on. Assumed breach or purple team are great bridge engagements when you're not quite ready for full-scope.

What deliverables do we receive?

Three documents: an executive narrative for the board (attack story, business impact, strategic recommendations), a technical report (full ATT&CK kill-chain, IOCs, evidence, remediation), and a detection-engineering appendix (per-technique detection deltas with recommended Sigma/Splunk/Sentinel rules). Plus a debrief workshop with your SOC and a 90-day purple-team follow-up.

Find Out If You'd Catch a Real Adversary

Schedule a scoping call with our lead operators. We'll discuss your environment, threat model, and the right engagement model for your maturity.
