Red team

The ultimate test of an organisation’s security stack

A Red Team simulates the tactics, techniques, and procedures (TTPs) of real-world threat actors to test an organisation’s defences against likely adversaries. By emulating realistic attack scenarios, Red Team exercises assess the effectiveness of the security stack in preventing, detecting and responding to cyber-attacks. Red Team exercises balance realism with safety, helping to identify prioritised gaps in security and raising organisational awareness, ultimately strengthening overall resilience.

Red Team Testing Outcomes

Understand Your True Cyber Risk

A snapshot of current cyber risk versus a given level of adversary is provided to benchmark current security effectiveness.

Identify and Remediate
Critical Deficiencies

Critical security deficiencies along the attack path are identified, and detailed remediation advice is provided.

Raise Executive Awareness

Engagement outcomes are articulated in business risk terms, enabling decision making at the board and C-Suite level.

Up-skill the Blue
Team

Debriefing sessions with your blue team enable up-skilling as well as uplift of detection and response capabilities.

Key Services

Red Team

In a red team exercise, we are not given any prior knowledge of your systems and controls, or access to any asset. This results in a highly realistic exercise that highlights the overall effectiveness of the security stack.

Best for

Organisations that are under threat from medium to lower sophistication threat actors.

Best When

Establishing baseline security levels or after a significant transformation uplift.

Continuous Red Team

The Continuous Red Team focuses on testing an environment against newly discovered techniques, blending with regular operations.

Best for

Mature organisations looking to proactively remediate against emerging threats and techniques.

Best When

A Baseline has been established and no major remediation work is planned.

CORIE

Cyber Operational Resilience Intelligence-Led Red Teams have been designed by the RBA to improve cyber security resiliency in the Australian financial system.

Best for

Regulated Financial Services organisations.

Best When

A regulatory requirement is presented.

Advanced Red Team

The Advanced Red Team employs sophisticated attacker techniques and tactics, extending operations over a longer duration compared to a standard red team.

Best for

Organisations and industries targeted by sophisticated and nation state threat actors.

Best When

Establishing a baseline, after a significant uplift or when threat is elevated .

Assumed Breach

In Assumed Breach exercise we skip external testing, assuming either an insider threat or that an external attacker would eventually breach our perimeter.

Best for

Organisations with a clear understanding of external breach risk, or specific concerns for insider threats

Best When

Establishing baseline security levels or after a significant transformation uplift.

Methodology

01

Reconnaissance

Collection and collation of publicly available information on the target organisation, relating to business structure, employees, technical footprint, and security controls in use.

02

Initial Foothold

Technical vulnerability exploitation and/or social engineering used to gain a “foot in the door”.

03

Lateral Movement

Leveraging weaknesses in the network, systems, and security controls, to compromise additional assets, with the goal of obtaining high privileges across the IT estate.

04

Impact Demonstration

Identification of specific adverse impacts that would be of interest to threat actors and safely demonstrating how they can be achieved, given the control of the network.

05

Analysis & Debrief

Reviewing security deficiencies identified along the attack path to provide remediation guidance.

Our Red Team Experts

We bring unparalleled expertise in offensive security to the Australian and global market.

Shahar Zini

Shahar Zini previously served as CTO of an elite cyber technology department in the Israeli government. He had a significant role in leading the development and enhancement of the department's technological capabilities, while mentoring the new generation of cyber security professionals. Shahar won the Israeli Defence Award at the age of 25.

In addition, Shahar served as Chief Architect at XM Cyber, a pioneer in Breach and Attack Simulation technologies, where his work received numerous awards and patents.

Shahar commonly shares his passion about cyber security with his peers through CTF events he builds, and participation in leading conferences, including RSA.

Read more

Alex Hill

Alex is an offensive security specialist with a wide range of domestic and international experience. He previously led PwC’s Sydney-based cyber security team as a team lead, mentor, and technical cyber specialist. He personally designed and executed hundreds of bespoke offensive technical assessments and cyber uplifts for some of Australia’s biggest brands.

He prides himself on being able to not only break IT systems though – he also does the hands on building and fixing. Alex has been a go-to cyber specialist for Sydney’s fintech/ startup scene as a security architect – building mature, zero-trust corporate and cloud-only product environments.

He has personally operated live incident response teams for public companies performing the hands-on attack investigation, timelining, and remediation. And he filled in as a virtual CISO for one of Australia’s mid-tier banks for a little over a year.

Over the last few years Alex has continued to focus on the offensive red team space where he excels at getting the most out of exercises by engaging closely with blue teams. As someone with experience breaking, building, and investigating, Alex is the ideal person to provide technical training to upskill defenders and help them get the most out of their tools.

Alex holds a Bachelor of Information Technology (Co-op) from the University of Technology Sydney and a list of cyber-specific testing and architecture certifications.

Read more

Chris Archimandritis

With well over a decade of cybersecurity experience, and almost twenty years of experience in different aspects of IT, Chris has led complex security assessments across every industry, spanning three continents. His experience includes both planning and executing sensitive engagements that encompass, among others, critical infrastructure, industrial and residential hardware, core financial and banking systems, purpose-built devices, and cutting-edge smart deployments.

During this time, Chris has also delivered trainings, workshops, and talks for conferences across the world and the APAC region, such as DefCon and AusCERT.

His previous experience as part of academic research groups has provided the tools to tackle any novel problem and assist organisations with cutting edge solutions and platforms.

Having performed engagements on all levels of abstraction, he not only able to both work on the tools as well as analyse and evaluate high level design, but most importantly is able to bridge the gap of management and engineers to provide the best possible strategy to enhance an organisation’s security posture.

His most recent research interests revolve around hardware security, industrial IoT, smart devices and enterprise data platforms.

Chris holds a Bachelor of Computer Science and a master’s degree in Information Systems and has attended several trainings by some of the world's foremost security experts.

Read more

Peter Szot

Peter is a senior penetration tester at Skylight Cyber specialising in Red Team and advanced persistent threat simulations. He has conducted several highly successful Red Team engagements against both locally and internationally situated clients with varying levels of security maturity, whilst achieving stealthy compromise of critical assets.

Constantly striving to improve methodologies, Peter regularly researches new vulnerabilities, and pushes the boundaries of existing technology stacks to circumvent protective measures and help security teams harden systems against modern threats.

Peter previously worked at several cybersecurity consulting companies, working on a vast range of products, from bespoke applications to critical telecommunication hardware.

As such, he has accumulated extensive experience in penetration testing and security assessments across several programming languages and development frameworks.

Peter graduated with Honours (first class) from the University of Sydney and holds a Bachelor of Information Technology.

Read more

Speak to our team

FAQs

What is the difference between a Penetration Test and Red Team?

A pen-test usually focuses on a specific system with a well defined scope, following a more rigid and structed process of testing against known vulnerabilities. A red team exercise on the other hand is usually objective based, aiming to test the effectiveness of the security stack of an organisation as a whole. A mature security program will combine both penetration-testing and red teaming to make sure coverage is maximised.  

What is the difference between a Penetration Test and Red Team?

We recommend performing a red team assessment in one of the following points in time:

  1. The organisation hasn’t conducted such exercise in a long time (or ever) and would like to establish a certain baseline for risk. This baseline will help understand critical issues, as well as the effort and sophistication required to compromise key assets of the organisation. 

  2. The security posture of the organisation has gone through a significant uplift, and the red team can assist in establishing the effectiveness of the new security stack.
  3. A change to the threat level of the organisation has been established, requiring a stress-test of the existing stack against a more advanced threat actor.

Our team can help you understand if a red team is the right service for you in a given point in time, or other services might provide better value. Specifically, we believe that organisations that are very early in their security journey get better value with a security uplift.

How do you define success in a Red Team assessment?

We generally look at two dimensions:

  1. The added value of the exercise to overall improvement in the effectiveness of the security stack. This, in turn, is usually a function of specific technical findings, deeper insights we can extrapolate from findings, and not less important, change in the perception of the organisation’s security posture. Our most successful exercises resulted in significant organisational security culture changes and alignment of management and board around the importance of security.
  2. The level of effort and sophistication we had to employ to compromise critical assets, compared to the likely threat actor for the target organisation. As an example, if the organisation is threatened mostly by low sophistication attackers and we had to use very advanced techniques over a prolonged period of time to eventually compromise key assets, it means that the existing security posture is generally effective against the relevant threats.

Who should be aware of the Red Team? 

Our recommendation is to keep the number of people in-the-know to a bare minimum, maintaining a high level of realism for the exercise. The way we commonly establish the bare minimum is by making sure that if the red team is detected, one of the people who is aware of the exercise is highly likely to be notified quickly and can manage the escalation. 

What techniques do you use in your Red Teams?

We generally match the techniques and tactics we use to the target organisation. Since we want to understand the minimal level of threat that can compromise the target, we commonly start with low sophistication techniques, slowly raising the pressure until the security stacks gives in, or we run out of time. 

How long is the exercise commonly and what happens if the time is insufficient?

The length of the exercise depends on the size of the target organisation and the sophistication required, with most red teams falling within the range of 4 to 8 weeks. We time-box different phases in the exercise so as to not spend all of our time looking at one part of security stack. For example, we may spend two weeks gaining a foot in the door. If not successful, and in consultation with the customer’s representative, we may assume breach and advance to the next phase. 

What happens if the Red Team is detected?

Our goal is to try and extract the maximum value out of the exercise, even in the case of detection. As such, our recommendation is to let the blue team respond according to their existing procedures and try and evict us from the network (we’ll be fighting back!). Some of the most interesting insights in a red team engagement can be gleaned from this process, regardless of whether the team is notified that this is an exercise or not. 

When is the exercise concluded and what are usually the next steps?

The exercise is concluded in the event that all objectives have been met, e.g. reaching a highly privileged position in the environment, or when we have exhausted the allotted time.  If objectives are met significantly faster than planned, we commonly use the remaining time to try to identify additional weaknesses in the environment. 



Once the exercise is concluded we will provide you with a detailed report outlining overall risk, our technical findings and recommendation for remediation. We will work with you if needed communicate the results to executives and the board. Once issues have been remediated, we will also work together with you to validate that the applied remediation indeed fixes the issue as intended.