An objective-based adversary simulation that tests your detection and response capabilities end-to-end. We emulate real-world threat actors using their actual tactics, techniques, and procedures, exercising your people, processes, and technology against the kind of attack you would actually face.
Where vulnerability assessment finds known weaknesses and penetration testing exploits them, red team and adversary simulation goes further. It tests whether your detection and response capabilities are ready for a determined adversary.
A red team and adversary simulation engagement uses threat intelligence and offensive tradecraft to simulate a real-world adversary attacking your organisation. The objective is not to enumerate vulnerabilities. It is to test whether your detection and response capabilities are ready when an actual attacker is in your environment.
Our consultants operate stealthily through the full kill chain, from reconnaissance and initial access through to the agreed objectives, exercising your security operations, incident response procedures, and security controls under conditions that mirror an actual intrusion. The engagement is informed by current threat intelligence and tactics, techniques, and procedures mapped to MITRE ATT&CK.
Each engagement concludes with a detailed simulation report, kill-chain narrative, evidence pack, and a debrief with your technical and executive stakeholders to walk through what happened and provide prioritised recommendations to strengthen your defences.
We combine elite offensive cybersecurity expertise with institutional backing to deliver red team engagements that actually drive business resilience.
Our consultants bring deep offensive cybersecurity experience from top-tier global consulting firms, backed by the industry's most rigorous red team certifications including CRTM, CRTL, CRTO, CRTE, and CRTP, alongside OSCE³, OSEP, OSWE, OSCP, and HTB CAPE. Red team engagements are run by the same elite practitioners who define our methodology, with the tradecraft to operate stealthily and the discipline to do it without disrupting your operations.
No junior bait-and-switch and no offshore hand-offs. The senior consultants who scope your engagement are the ones running the simulation, walking you through findings, and supporting your team through the recommendations and remediation work. You get the same expert from kickoff through closure.
Adversary simulation requires absolute trust. You are granting us weeks of stealth access to your most sensitive environment. We are proudly supported by the HKSTP Incubation Programme and the CityU HK Tech 300 Seed Fund, making us a vetted Hong Kong cybersecurity partner with institutional accountability.
We don't deliver scanner reports or technical-only findings. Every red team engagement produces an executive narrative, a kill-chain attack story mapped to MITRE ATT&CK, and prioritised recommendations to strengthen your defensive capability, translated for both your engineers and your board.
Clients engage us when finding vulnerabilities is no longer enough, when detection and response capabilities have to be exercised, and when the outcome has to hold up to auditors, regulators, customers, and the board.
Organisations ready to test their detection and response capabilities under realistic adversary conditions, not just identify vulnerabilities at a single point in time.
Organisations that have completed penetration testing and want to verify whether attacks would actually be caught and contained by their security operations.
Organisations subject to intelligence-led testing requirements under HKMA C-RAF 2.0 iCAST, Hong Kong's Critical Infrastructure (Computer Systems) framework, HKIA GL20, or equivalent regulatory mandates.
Validating defences around defined high-value assets, customer data, intellectual property, or systems considered critical to business continuity.
Exercising security operations team detection coverage, escalation procedures, and incident response playbooks under realistic adversary conditions.
Acquirers and investors evaluating the cyber resilience of target organisations prior to transaction close, particularly where integration of sensitive systems or data is planned.
Every engagement is scoped collaboratively to ensure assessment objectives align with business priorities, threat profile, and regulatory context.
Coverage is structured around the MITRE ATT&CK Enterprise framework, informed by current threat intelligence and the tactics, techniques, and procedures of the adversaries our clients actually face.
Open-source intelligence gathering on your organisation, infrastructure and personnel profiling, and preparation of the attack infrastructure required for the engagement, including delivery domains, payloads, and command-and-control.
External entry vectors including phishing campaigns, exploitation of public-facing services, and abuse of valid credentials, followed by execution of the payload on compromised hosts.
Establishing long-term access that survives reboots and credential changes. Elevating to administrative control of compromised hosts through process injection, DLL hijacking, and exploitation of misconfigurations or kernel-level vulnerabilities.
Operating below detection thresholds through obfuscation, sandbox evasion, and indicator removal, paired with active disabling of endpoint protection, EDR, and logging where the engagement objective requires it.
Harvesting credentials from memory, authentication services, password stores, scripts, and configuration files, including Kerberos abuse, NTLM relay, and password attacks against directory services.
Internal reconnaissance of the network, hosts, and Active Directory environment, lateral movement across the network using built-in administration protocols and credential reuse, and identification and staging of high-value data.
Establishing covert command-and-control channels through encrypted web traffic, DNS tunnelling, and proxy chains, followed by exfiltration of staged data and, where in scope, simulation of impact actions such as ransomware and business process disruption.
Where intelligence-led testing is required, our consultants emulate the specific tactics, techniques, and procedures of a named adversary, ransomware group, or sector-relevant threat actor, mapped end-to-end to MITRE ATT&CK and validated against current threat intelligence.
A structured, repeatable methodology that delivers consistent quality, with clear entry and exit criteria at each phase and defined responsibilities on both sides.
Define objectives, trophy, in-scope vectors, rules of engagement, communication and escalation protocols with your designated contacts, blackout windows, and abort conditions.
Open-source intelligence gathering against your organisation, threat actor selection or scenario design where intelligence-led, and development of attack scenarios mapped to MITRE ATT&CK and validated against your environment.
Stealth execution of agreed scenarios across the kill chain, from initial access through to objectives. Activity logged with timestamps and evidence. Operationally sensitive issues escalated to your designated contacts in real time.
A detailed simulation report with executive summary, kill-chain narrative mapped to MITRE ATT&CK, detection observations, evidence pack, and prioritised recommendations.
Technical and executive debrief sessions where we walk through the engagement with your team, covering scenarios executed, attack paths taken, observations during the engagement, and recommendations for strengthening your defensive capability.
Every engagement produces a comprehensive simulation testing report designed to serve both technical remediation and executive decision-making.
A non-technical narrative of the engagement, attack outcomes, business-risk implications, and strategic recommendations, written for leadership, risk, and board-level stakeholders.
Documentation of the agreed scope, attack vectors selected, scenarios designed, threat intelligence sources, and the methodology applied during the engagement.
Step-by-step story of how the engagement progressed, mapped to the MITRE ATT&CK matrix, showing what worked, what was bypassed, and where attack paths converged on objectives.
Each finding documented with technical description, affected systems, evidence, observed impact, and references to relevant standards and CVE/CWE identifiers where applicable.
Timestamped log of every action taken during the engagement, with screenshots, command output, video evidence where applicable, and indicators of compromise (IoCs) for blue team detection rule development. Suitable for internal reproduction, audit, and regulatory submission.
Prioritised recommendations across detection rules, control hardening, process improvements, and security team training, informed by the engagement findings and observations made during execution.
Our methodology is built on internationally recognised adversary simulation frameworks and mapped to the regulatory regimes most relevant to Hong Kong-regulated organisations.
A penetration test focuses on identifying and exploiting vulnerabilities in a specific asset or environment within a defined scope. A red team assessment is fundamentally different. It simulates a determined adversary, end-to-end, against your organisation. The goal is not to enumerate vulnerabilities. It is to test whether your detection and response capabilities are ready when an actual attacker is in your environment. Red team operations are stealthy by design, multi-vector, and objective-based, exercising your people, processes, and technology together rather than evaluating any one of them in isolation.
No. The value of a red team engagement comes from testing your security operations under realistic conditions, which means your blue team and broader security organisation are not informed during execution. Knowledge of the engagement is restricted to a small group of designated contacts who hold authority to authorise activity, escalate issues, abort the engagement, or extend scope. Your blue team is debriefed after the engagement concludes, typically through a collaborative walk-through where the attack path is reconstructed and recommendations are discussed.
Detection during an engagement does not end it. Standard practice is to continue testing rather than abort: our consultants switch to alternative tradecraft to test the breadth of your detection capabilities, or, where the engagement objective requires testing later kill-chain stages, pause and resume from a point further along the kill chain agreed with your designated contacts. This ensures the engagement continues to deliver value across the full set of objectives. Detection events are useful data points in their own right, captured in the activity log and discussed during the debrief.
Where in scope, yes. Physical security testing can include badge cloning, tailgating, lock bypass, USB drop campaigns, and unauthorised entry attempts to validate physical access controls. Physical testing is high-risk and is only conducted with explicit written authorisation, defined operational windows, signed authorisation letters carried by consultants, and a clear escalation protocol with your designated contacts. Many engagements run cyber and social engineering only, without physical access; the right scope is agreed during the scoping call.
Where in scope, yes. Social engineering can include phishing campaigns, voice and video pretexting, and other human-element attack vectors. Social engineering scenarios are designed and reviewed with your designated contacts before execution to ensure they reflect realistic adversary behaviour without crossing into prohibited territory such as targeting specific individuals personally or causing psychological distress. Where social engineering is out of scope, the engagement focuses on technical and infrastructure-based attack paths.
A red team engagement is adversarial. We operate stealthily, your blue team is not informed during execution, and the goal is to test detection and response under realistic conditions. A purple team engagement is collaborative. The red and blue teams work together in real time, executing TTPs and discussing detection coverage as they go, often as a focused exercise to improve detection rules around specific tactics. The service described on this page is red team and adversary simulation. Purple team is offered as a separate engagement type.
A typical red team engagement runs 3 to 6 weeks of active operations, with an additional 1 to 2 weeks for scoping and threat intelligence preparation up front, and 1 to 2 weeks for reporting and debriefing at the end. Total engagement duration is typically 5 to 10 weeks. Larger or multi-vector engagements that include physical and extensive social engineering can extend further. Compressed engagements of shorter duration are possible for scoped scenarios such as Assumed Breach.
Most red team engagements kick off within 2 to 4 weeks of scoping sign-off, accounting for the threat intelligence and scenario design work performed up front. Where a regulatory deadline or board-mandated milestone requires a faster start, we will do our best to accommodate and confirm feasibility during the scoping call.
A red team engagement produces value in several ways that go beyond a count of vulnerabilities. The primary outcome is a clear picture of where your defences held against realistic adversary tradecraft and where they were bypassed. The engagement also produces traditional findings on exploitable weaknesses where they were used, an attack-path narrative showing how an actual attacker could progress through your environment, and observations on where security tooling intervened during execution. These provide your team with the input needed to evaluate detection and response performance and prioritise improvements.
Not in the literal sense. Where the engagement objective involves data exfiltration, we typically demonstrate the capability against canary files, synthetic data, or pre-agreed marker assets that prove access without actually exposing real sensitive content. Where access to real data is unavoidable for evidencing an objective, the data is handled under strict confidentiality, captured only to the extent necessary to evidence the finding, and confirmed destroyed in writing after engagement closure.
Adversary simulation is conducted carefully and under controlled conditions to avoid disrupting production. Before execution, we agree on the engagement window, blackout periods, prohibited actions (e.g. denial-of-service, destructive payloads, exploits known to risk service stability), and abort conditions. Higher-risk techniques are coordinated in advance with your designated contacts, and any operationally sensitive issue is escalated in real time so the engagement can be paused or rerouted.
Any sensitive data, credentials, or system information encountered during the engagement is handled under strict confidentiality. We do not extract, retain, or reproduce sensitive data beyond what is strictly necessary to evidence a finding, and where possible, data is anonymised in the final report. Recovered credentials are not used outside the agreed engagement scope. Credentials provided by you for authorised access are held in access-controlled secrets management throughout the engagement, used only for the agreed scope and duration, and confirmed destroyed in writing after engagement closure. All engagement artefacts are stored in access-controlled environments, transmitted over encrypted channels, and securely destroyed after the agreed retention period.
Yes. On request, we issue a formal Letter of Attestation summarising the engagement scope, operational period, methodology followed, and high-level outcome. The attestation is suitable for audit, regulatory submission, and third-party assurance purposes, including HKMA C-RAF 2.0 iCAST, the Hong Kong Critical Infrastructure (Computer Systems) framework, PCI DSS, SOC 2, ISO/IEC 27001, and similar obligations.
Schedule a scoping call with our specialists to define the right engagement scope for your environment, threat profile, and timeline. We will walk you through methodology, deliverables, and next steps.