Red Team Services

A penetration test finds vulnerabilities. A red team exercise tests your organization's ability to detect and respond to a real attack. Our red team operations simulate sophisticated adversaries pursuing specific objectives, measuring not just what can be exploited but how long it takes your security team to detect, respond to, and contain a real attack.

  • Full kill chain: attack simulation
  • Physical and social: included in scope
  • Detection tested: not just prevention
  • Executive: report for leadership
Objective-Based Operations

Red team engagements are driven by specific business objectives: reaching financial systems, exfiltrating customer data, compromising an executive account, or achieving domain administrator access. This focus ensures the exercise is relevant to your actual threat profile rather than a checklist of generic techniques.

Multi-Vector Initial Access

Real attackers use the path of least resistance. We combine phishing, pretexting, physical access attempts, and technical exploitation to find the most realistic initial access path into your environment, testing whether your controls hold against a coordinated multi-vector attack.

Covert Lateral Movement & Persistence

Operating under detection thresholds, we move through your environment using living-off-the-land techniques, legitimate credentials, and trusted tools that blend into normal network traffic. We establish persistence to simulate long-term adversary presence and test your ability to detect dormant threats.

Physical Security Testing

For engagements that include physical access, we test badge cloning, tailgating, dumpster diving, and the installation of rogue devices inside your premises. Physical security weaknesses often provide the easiest path to network access, bypassing all technical controls.

Detection & Response Gap Analysis

We document every action taken during the engagement, with timestamps, the techniques used, and the system artifacts created. After the exercise, we provide a detailed timeline showing which activities triggered alerts, which were investigated, and which went completely undetected. This is the most valuable output for improving your detection capability.

Purple Team Debrief

Every red team engagement ends with a purple team debrief: the red team walks your blue team through every technique used, showing the artifacts left behind and the detection opportunities that were missed. This turns the exercise into a direct improvement program for your detection and response capability.

What Makes Us Different From Others

  • Objective-Driven, Not Checklist-Driven: We define success in terms of achieving business-relevant objectives, not completing a list of attack techniques. This makes findings directly relevant to your actual risk.
  • Covert Operations Capability: We operate under detection thresholds using techniques that real threat actors use: living-off-the-land binaries, legitimate cloud services for C2, and trusted tool abuse that standard security tools are not configured to detect.
  • Physical + Digital Combination: Where included in scope, we test physical and digital security together, because real attackers combine them and most organizations test them separately.
  • Purple Team Follow-Through: We do not just hand over a report. We work with your blue team after the engagement to build detection rules for every technique we used, turning the red team exercise into a sustained detection improvement program.
  • Realistic Threat Actor Emulation: Based on threat intelligence, we tailor our techniques to the threat actors most likely to target your industry, whether ransomware operators, nation-state groups, or financially motivated criminals.
  • Full Attack Timeline Documentation: We provide a complete, timestamped record of every action taken during the exercise so you can evaluate detection coverage against a known ground truth.
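The gap analysis described under "Detection & Response Gap Analysis" and in the "Full Attack Timeline Documentation" point above comes down to joining two records: the red team's timestamped ground-truth log and the SIEM's alert log. The script below is an added example written for this page, not GarrisonOne's own tooling; the two pipe-delimited log formats, the 30-minute attribution window, and all hosts, timestamps and rule names are constructed assumptions. It attributes each alert to the most recent red team action on the same host, classifies every action as investigated, alerted-only, or undetected, and reports overall coverage together with alerts that matched no ground-truth action.

```python
"""Detection-coverage gap analysis: join a red team's ground-truth action log
against SIEM alerts to see which actions were detected, investigated, or missed.
Added example; log formats and all sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample data (not from any real engagement).
# Action format:  timestamp|host|technique|note
# Alert format:   timestamp|host|rule|investigated(yes/no)
ACTIONS_LOG = """\
2024-03-04T09:02:00|WS-FIN-07|initial_access|macro document opened by user
2024-03-04T09:15:00|WS-FIN-07|credential_access|LSASS memory read by tooling
2024-03-04T10:40:00|WS-FIN-07|lateral_movement|remote service created on FS-01
2024-03-04T10:41:00|FS-01|persistence|scheduled task registered
2024-03-05T14:00:00|FS-01|collection|archive of share contents written to temp
"""

ALERTS_LOG = """\
2024-03-04T09:16:30|WS-FIN-07|Suspicious LSASS access|yes
2024-03-04T10:55:00|FS-01|Scheduled task created from remote session|no
2024-03-05T08:00:00|FS-01|Endpoint agent update notice|no
"""


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    investigated: bool


@dataclass
class Action:
    ts: datetime
    host: str
    technique: str
    note: str
    alerts: List[Alert] = field(default_factory=list)  # alerts attributed to this action


def parse_actions(text: str) -> List[Action]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, technique, note = line.split("|", 3)
        out.append(Action(datetime.fromisoformat(ts), host, technique, note))
    return sorted(out, key=lambda a: a.ts)


def parse_alerts(text: str) -> List[Alert]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, rule, inv = line.split("|", 3)
        out.append(Alert(datetime.fromisoformat(ts), host, rule, inv.strip().lower() == "yes"))
    return sorted(out, key=lambda a: a.ts)


def correlate(actions: List[Action], alerts: List[Alert],
              window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    """Attribute each alert to the most recent red team action on the same host
    that preceded it within `window`. Returns the alerts that matched nothing
    (noise, or detections of something outside the ground truth)."""
    unmatched = []
    for alert in alerts:
        candidates = [a for a in actions
                      if a.host == alert.host and timedelta(0) <= alert.ts - a.ts <= window]
        if candidates:
            max(candidates, key=lambda a: a.ts).alerts.append(alert)
        else:
            unmatched.append(alert)
    return unmatched


def status(action: Action) -> str:
    """investigated > alerted > undetected, judged from the attributed alerts."""
    if not action.alerts:
        return "undetected"
    return "investigated" if any(a.investigated for a in action.alerts) else "alerted"


def time_to_alert(action: Action) -> Optional[timedelta]:
    if not action.alerts:
        return None
    return min(a.ts for a in action.alerts) - action.ts


def gap_report(actions_text: str, alerts_text: str,
               window: timedelta = timedelta(minutes=30)) -> Dict:
    actions = parse_actions(actions_text)
    alerts = parse_alerts(alerts_text)
    unmatched = correlate(actions, alerts, window)
    rows = []
    for a in actions:
        tta = time_to_alert(a)
        rows.append({"ts": a.ts.isoformat(), "host": a.host, "technique": a.technique,
                     "status": status(a),
                     "seconds_to_alert": None if tta is None else int(tta.total_seconds())})
    detected = [r for r in rows if r["status"] != "undetected"]
    return {
        "timeline": rows,
        "coverage": len(detected) / len(rows) if rows else 0.0,
        "undetected_techniques": [r["technique"] for r in rows if r["status"] == "undetected"],
        "unmatched_alerts": [al.rule for al in unmatched],
    }


if __name__ == "__main__":
    report = gap_report(ACTIONS_LOG, ALERTS_LOG)
    for r in report["timeline"]:
        print(f'{r["ts"]}  {r["host"]:<10} {r["technique"]:<18} {r["status"]:<13} '
              f'{r["seconds_to_alert"]}')
    print(f'coverage: {report["coverage"]:.0%}; gaps: {report["undetected_techniques"]}')
```

With the constructed data the credential-access step is alerted and investigated within 90 seconds, the persistence step fires a rule that nobody triages, and initial access, lateral movement and collection go entirely unseen, giving 40% coverage. Attributing each alert to its nearest preceding action on the same host avoids crediting one alert to several steps; a real engagement log would usually carry a technique identifier and the SIEM's rule-to-technique mapping, which makes the join exact rather than time-based.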

Client results

See how we have helped

Legal

Law Firm — Security Assessment

A 90-day remediation roadmap delivered after a full security assessment. The firm met enterprise client security requirements and avoided a regulatory incident.

  • 90 days: remediation roadmap
  • Critical risks addressed
  • 100% of client requirements met

Frequently asked questions

What is the difference between a penetration test and a red team exercise?

A penetration test is a systematic search for all exploitable vulnerabilities in a defined scope, with the goal of finding as many issues as possible. A red team exercise simulates a real adversary pursuing specific objectives in a covert, realistic way, testing whether your detection and response capabilities would catch a sophisticated attacker. Red team exercises are broader in scope (people, processes, and technology) and focused on realistic attack simulation rather than comprehensive vulnerability discovery.

Should the blue team know about the exercise?

This depends on the objectives. Full-knowledge exercises involve the security team from the start. Assumed-breach exercises start from a defined position with the security team aware. Blind exercises, where the security team is not informed, provide the most realistic test of detection capability but require senior management awareness and careful legal authorization. We discuss the appropriate approach for your organization during scoping.

What objectives are typically used in red team exercises?

Common objectives include achieving domain administrator access, accessing a specific sensitive database or file server, exfiltrating a defined sensitive document, compromising an executive email account, reaching an OT/ICS network from IT, or establishing persistent access undetected for a defined period. Objectives are tailored to your specific threat model.

How long does a red team engagement take?

Red team engagements typically run for two to six weeks depending on scope, objectives, and whether physical access is included. Longer engagements provide more realistic simulation of advanced persistent threats. We discuss the appropriate duration for your objectives during scoping.

Does the red team test our security tools directly?

Indirectly, yes. We use techniques designed to evade standard security tools and document which of our activities were detected and which were not. After the engagement, we work with your team to understand why certain activities were missed and how to improve detection.

What does a purple team debrief involve?

After the engagement, the red team meets with your blue team and walks through every technique used during the exercise, showing the commands run, the tools used, the network traffic generated, and the artifacts left on systems. For each technique, we discuss what a detection rule would look like and help your team build specific detections for the gaps identified.

Is red teaming appropriate for all organizations?

Red team exercises are most valuable for organizations that already have a security team, a SIEM or MDR capability, and have already gone through standard penetration testing. If you do not yet have detection capabilities in place, a penetration test combined with a managed SOC engagement will provide more immediate value.

How do you handle the discovery of critical vulnerabilities during the exercise?

If we discover a critical vulnerability posing immediate, significant risk to your organization (for example, an unauthenticated RCE on a public-facing server), we immediately notify your designated contact regardless of whether exploiting it is necessary for our objectives. Safety and responsible disclosure take precedence over operational security.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.

No obligation: just clarity on your next step.
