Red Team Assessment from Razorthorn Security
Overview
A red team assessment is the closest thing to a real cyber attack your organisation will experience without actually being breached. Razorthorn’s CREST certified red team simulates the tactics, techniques and procedures used by real adversaries to test whether your security controls, monitoring and incident response actually work under pressure.
Unlike penetration testing, which focuses on finding vulnerabilities in specific systems, a red team assessment tests your entire security programme. Our team operates covertly over an extended engagement window, typically 30 days, attempting to achieve agreed objectives such as accessing sensitive data, compromising critical systems or establishing persistent access. The question is not whether vulnerabilities exist but whether your organisation can detect and stop an attacker who is actively trying to get in.
What is a red team assessment?
A red team assessment is an objective-driven security test where a team of ethical hackers simulates a realistic cyber attack against your organisation. The goal is not to produce a list of vulnerabilities but to answer a specific question: can an attacker achieve a defined objective against your defences?
Red team assessments test people, processes and technology together. Your security operations team, whether in-house or outsourced, is not told the engagement is happening. This means the assessment measures real detection and response capability, not a rehearsed performance.
Common objectives include gaining access to sensitive data stores, compromising domain administrator accounts, exfiltrating customer records, establishing command and control infrastructure, or bypassing specific security controls such as endpoint detection and response tools or email gateways.
What is the difference between a red team assessment and a penetration test?
Penetration testing and red teaming answer different questions. A penetration test asks ‘what vulnerabilities exist in this system?’. A red team assessment asks ‘can an attacker get to our critical assets, and will we spot them doing it?’.
In a penetration test, the testing team typically works within a defined scope with the knowledge of your security team. The output is a list of vulnerabilities with severity ratings and remediation guidance. In a red team assessment, the testing team operates covertly across your entire environment, using whatever techniques are most likely to succeed, and your security team is expected to detect and respond as they would to a real incident.
Red team assessments are most valuable for organisations that already have established security programmes, functioning security operations and incident response procedures in place. If you are still building those foundations, penetration testing is usually the better starting point.
How does Razorthorn approach a red team assessment?
Every engagement is designed around your specific objectives and risk profile. We do not run generic assessments from a standard playbook. The engagement follows a structured methodology mapped to the MITRE ATT&CK framework, ensuring every technique we use is traceable and reportable.
1. Scoping and objective setting
We work with a small group of stakeholders to define the engagement objectives, rules of engagement and any constraints. This includes identifying the specific assets, systems or data the red team will target and agreeing what techniques are in scope, including whether social engineering and physical access testing are included.
2. Reconnaissance
The red team gathers intelligence on your organisation using open source intelligence techniques, passive scanning and analysis of your external attack surface. This mirrors the preparation a real attacker would carry out before launching an attack and informs the attack plan.
3. Initial access and exploitation
Using the intelligence gathered, our team attempts to gain initial access to your environment through the most viable attack vectors. This may include technical exploitation of external-facing services, spear phishing targeting specific individuals, physical access attempts or supply chain vectors. The approach adapts based on what is working and what your defences are blocking.
4. Lateral movement and objective completion
Once inside, the red team escalates privileges, moves laterally through your network and works toward the agreed objectives. Throughout this phase we are testing whether your monitoring detects our activity, whether alerts are triggered and whether your incident response processes activate. All techniques are mapped to the MITRE ATT&CK framework.
5. Reporting and debrief
You receive a detailed report covering every technique used, whether it succeeded or failed, and how your security controls performed at each stage. We also deliver a separate executive summary for senior stakeholders and board-level reporting. The engagement concludes with a technical debrief for your security team and an executive debrief for leadership.
What do you get from a red team assessment?
Technical report
Full account of every attack path attempted, with techniques mapped to the MITRE ATT&CK framework. Includes what succeeded, what failed, where detection occurred and where it did not.
Executive summary
Board-ready overview of the engagement, findings and risk implications written in business terms rather than technical jargon. Suitable for presenting to senior leadership, audit committees or regulators.
Detection and response analysis
Assessment of how your security operations performed during the engagement. Which alerts fired, which were missed, how quickly your team responded and where the gaps are.
Prioritised remediation plan
Recommendations ranked by risk and mapped to the specific techniques that worked. Practical, actionable guidance your team can work through, not a generic list of best practices.
Technical debrief
A walkthrough session with your security and IT teams covering exactly what happened, how and why. This is where the real learning happens.
Executive debrief
A separate session for senior stakeholders covering the headline findings, business risk and investment priorities.
Remediation retesting (optional)
Once your team has worked through the remediation plan, we can retest the specific areas that were exploited during the engagement to confirm the fixes are effective. Retesting is available as an optional add-on and can be scoped during the initial engagement planning.
Frequently asked questions about red team assessments
How long does a red team assessment take?
A typical red team assessment runs over a 30-day engagement window. This allows enough time for realistic reconnaissance, initial access attempts, lateral movement and objective completion while giving your security operations team a genuine test of their detection capabilities. More focused engagements with narrower scope can be shorter, while larger or more complex environments may require longer.
How much does a red team assessment cost?
Pricing depends on the scope, objectives, duration and number of attack vectors included. Contact us for a scoping call and we will provide a fixed-price quote based on your specific requirements. Scoping calls are free and carry no obligation.
What is the difference between red teaming and penetration testing?
Penetration testing identifies vulnerabilities in specific systems over a defined period. Red teaming simulates a full adversarial campaign over weeks, testing whether your security programme can detect and respond to a realistic attack across people, processes and technology. Penetration testing asks what vulnerabilities exist. Red teaming asks whether an attacker can actually get to your critical assets and whether you will notice.
Will my security team know the red team assessment is happening?
Typically, a small group of senior stakeholders knows about the engagement. Your security operations team is not told, which ensures the assessment tests real detection and response capability rather than a rehearsed performance. All details are covered during scoping, and we agree rules of engagement that protect business operations throughout.
Will the assessment disrupt business operations?
No. Red team assessments are designed to be non-disruptive. We operate within agreed rules of engagement that protect critical systems and business operations. As a CREST certified provider, we follow strict professional standards for responsible testing. If any activity risks operational impact, it is discussed with the designated stakeholder before proceeding.
What frameworks does Razorthorn use for red teaming?
Our methodology is mapped to the MITRE ATT&CK framework. Every technique used during the engagement is logged against the corresponding ATT&CK tactic and technique, giving you clear traceability in the report. This also makes findings directly comparable with threat intelligence on real adversary groups active in your sector.
Does a red team assessment help with DORA or TIBER-EU compliance?
Yes. DORA requires financial institutions to carry out threat-led penetration testing (TLPT), and TIBER-EU provides the framework for how these tests should be conducted. Red team assessments aligned to these frameworks satisfy the testing requirements. We also support organisations meeting red team testing requirements under PCI DSS and NIS2.
What is the difference between red teaming and purple teaming?
In a red team assessment, the attacking team operates covertly and the defensive team is not aware of the engagement. In a purple team assessment, the attacking and defending teams work together in real time. Red teaming tests your defences. Purple teaming improves them. If your goal is to evaluate your current capability under realistic conditions, red teaming is the right choice. If your goal is to rapidly develop your security operations team’s detection skills, purple teaming is more effective.
What qualifications do Razorthorn’s red team hold?
All red team assessments are carried out by CREST certified professionals. CREST is the international accreditation body for the cyber security testing industry and its certifications are widely recognised by regulators, government bodies and enterprise clients.
Can a red team assessment include physical security testing?
Yes. Physical access testing can be included as part of a red team assessment or conducted as a standalone engagement. This covers tailgating, badge cloning, lock bypass, access control testing and attempts to reach restricted areas. We also offer dedicated physical red team assessments for organisations that want a focused evaluation of their physical security controls.
Optimise your cyber security posture with realistic breach and attack simulations from Razorthorn’s CREST certified ethical hackers. Our red team assessments thoroughly test your detection capabilities, incident response readiness and overall cyber resilience.