02 Offensive

Red Teaming & Adversary Emulation

Goal-based engagements that simulate how a real attacker would move through your environment. MITRE ATT&CK-aligned.

What we put our name behind

Detection-ready deliverables

Every technique we execute is mapped to a specific MITRE ATT&CK sub-technique and delivered as detection rules in your SIEM's query language (Splunk SPL, Sentinel KQL, Elastic EQL, or Chronicle YARA-L) — not as a PDF your detection team has to translate. Your blue team walks away with deployable content, not homework.

Overview

A penetration test asks "what can we find?". A red team engagement asks "what can an attacker do?" — and it measures whether your detection and response can stop them from doing it. The scope is an objective, not a target list: exfiltrate customer data, pivot from a developer laptop to production, or escalate to domain admin without tripping an alert.

We align to MITRE ATT&CK so every technique we use maps to a threat actor your threat intel team is already tracking. The output isn't just a list of findings — it's a measured view of how your SOC, your EDR, and your runbooks actually perform under pressure.

What's included

Every engagement is senior-led and scoped in writing before kickoff.

01

Objective-based scoping

We design the engagement around a business-impact goal (data exfiltration, lateral movement to a crown-jewel system, privilege escalation to admin) rather than a list of targets.

02

Initial access simulation

Assumed-breach, phishing simulation, or external perimeter exploitation — your choice of starting posture. Each with different learning value.

03

MITRE ATT&CK mapping

Every action taken is mapped to a specific ATT&CK technique so your detection engineering team can build rules against real adversary behavior, not generic IOCs.

04

Detection & response measurement

We coordinate with your blue team (if you have one) to measure mean-time-to-detect and mean-time-to-respond for each phase of the kill chain.

05

Purple team readout

Optional joint readout where we walk your blue team through every technique used, which ones were detected, and what detection content would catch them next time.

What you get

  • Engagement charter with objective, scope, and rules of engagement
  • Attack narrative document — timeline of every action taken, mapped to ATT&CK
  • Detection gap analysis with specific recommendations
  • Executive briefing for leadership
  • Optional purple team workshop to hand off findings to your detection team
  • Verification retest of every critical and high finding, completed within 60 days of report delivery (request by day 45)

Ideal for

  • Organizations with a mature SOC who need to measure effectiveness, not just existence
  • Security teams running an annual assumed-breach exercise
  • Teams preparing for a board-level cyber readiness conversation
  • Companies who have run pentests and want to level up to adversary emulation

Frequently asked

What is the difference between a red team and a penetration test?
A pentest is broad and finding-focused: cover the attack surface, document every vulnerability. A red team is narrow and objective-focused: achieve a business-impact goal while evading detection. You want both, but for different reasons.

Do you do physical red teaming or social engineering?
We scope phishing and pretexting into engagements when the objective calls for it. Physical access (badge cloning, on-site entry) is out of scope for our standard engagements — we focus on digital attack paths.

How long is a typical red team engagement?
Most engagements run 4-8 weeks, depending on objective complexity and your environment size. Reporting and debrief typically take another 1-2 weeks.

Will you damage anything?
No. Our rules of engagement explicitly prohibit destructive actions, privilege escalation that could lock accounts, or any activity that would materially affect availability. Every technique is coordinated with your trusted control contact.

Ready to scope a red teaming engagement?

A 30-minute call with a senior specialist. Written scope before kickoff. No SDRs.