Engagement Brief · MITRE ATT&CK Aligned · TLP: Red
Authorized Operation

Section 01 // Overview

Red Team.
Crown jewels tested.

Full kill-chain adversary simulation. Distinct from a penetration test: the engagement is built around crown-jewel access and around validating detection and incident response.

Variants: 3 (Scoped · Full · Retainer)
Duration: 2–6 weeks, per engagement
Framework: MITRE ATT&CK, TA0001 → TA0040
Operational Model: White Cell (CISO · IR · Sponsor)

Section 02 // Engagement Variants

Three engagement shapes.

Variant I // Scoped
Scoped: single starting position, 1–2 crown jewels. Wake-up engagement for first-time programs.
Duration: 2 weeks
Price: $18k–$35k

Variant III // Retainer
Continuous: monthly TTPs and quarterly full engagement. Purple-team cadence for mature, continuous programs.
Cadence: ongoing
Price: $15k–$30k / mo

Not sure which fits?

Send us the shape of your program (maturity, prior engagements, the question you're trying to answer) and we'll recommend a variant.


Section 03 // Primary Goals

What question are you trying to answer?

Pick one. Every engagement is shaped around a single primary objective so the report has a clear answer.

GOAL · 01
Detection Validation
Test what your SOC actually catches end-to-end. We map every TTP to your rules; the gap analysis ships as Sigma rules.
GOAL · 02
Crown-Jewel Access
Prove an attacker can reach the asset you actually care about. Success is binary: did we touch the data or not.
GOAL · 03
IR Process Validation
Test what the blue team does when they're triggered. We don't just measure detection — we measure response time and decisions.
GOAL · 04
Board-Level Risk
Show executives the real attack path, not a CVSS spreadsheet. Deliverable is the briefing your CEO will actually read.
GOAL · 05
Vendor / Customer Ask
A signed engagement letter and clean report that meets the procurement / compliance bar your customer is asking for.

Section 04 // Crown Jewels

Success is reaching these.

The crown jewels are the success criteria — the assets that, if compromised, materially harm the business. We pick 1–5 per engagement and the engagement scope is built backwards from them.

01 Domain Controller / Domain Admin equivalent
02 Production customer database (read access)
03 Source code repository
04 Payment systems / PCI-scoped network
05 Executive email (CEO / CFO)
06 Cloud management plane — AWS / Azure / GCP org root
07 Customer-facing application deployment access
08 HR / payroll systems
09 Named PII / PHI dataset (engagement-specific)

Impact demonstration ladder.

Per MITRE TA0040. You choose how loud the proof-of-impact is. We stop at the level you authorize — no further.

LVL · 01 · Quietest
Document only
We prove access. No actions on the target system.
LVL · 02
Stage data
Stage exfil-ready data on the target. Nothing leaves the network.
LVL · 03
Simulated exfil
Move decoy data to a controlled endpoint. Detection rules get a real test.
LVL · 04 · Loudest
Encryption capability
Demonstrate we could deploy ransomware. We do not execute it — ever.

Section 05 // Starting Positions

Where the engagement begins.

Two families: external (internet only, no inside access) and assumed breach (an attacker already has X — what next). Most Full engagements run both, sequenced.

START · EXT
Internet Only
We start with nothing but your public surface and OSINT. Closest to a real adversary's day 1.
START · AB1
Phished Workstation
We're handed a managed laptop with a stage-2 implant. Simulates a successful phish.
START · AB2
Compromised Cloud Credentials
Low-privilege AWS / Azure key. Tests blast radius from a leaked CI secret or harvested token.
START · AB3
Compromised VPN / Insider
Standard user creds on a managed device — what an insider, or a credential-stuffing win, could do.

Section 06 // TTPs in Scope

Tactics, techniques, procedures.

Each module is independently scoped: you can opt categories in or out at the engagement-letter stage.

Module 01 // Phishing · Per engagement · MITRE T1566
All-employee campaigns (HR notice per local labor law)
Targeted group campaigns — engineering, finance, leadership
Listed targets only (max 25, named in engagement letter)
AiTM credential harvest — Evilginx-style proxy
Malicious document — macro / LNK / HTA loaders
OAuth consent abuse — Microsoft / Google tenants

Module 02 // Vishing & Smishing · Optional module · MITRE T1566.004
IT-helpdesk impersonation — password reset / MFA bypass calls
SMS pretext flows — courier, payroll, security alert
Voice-clone (deepfake) where explicitly authorized
Outcomes scored: callback rate, credential surrender, MFA push approval

Module 03 // Physical / On-Site · +1 week, +travel · MITRE T1091 / T1200
Tailgating + badge cloning (HID / iCLASS where in scope)
USB drops in mapped social spaces
Drop-box implants on unattended network ports
Reception / lobby pretext to reach internal zones
Coordination with local law enforcement if scope requires

Module 04 // External Exploitation · Per scope · MITRE T1190
N-day exploitation of internet-facing services
Subdomain / cert / GitHub / paste-site reconnaissance
Cloud misconfig — public buckets, exposed metadata, vulnerable CI
VPN / RMM / edge-device abuse where authorized

Module 05 // Post-Compromise Movement · Whole engagement · MITRE TA0008 / TA0006 / TA0004
Credential access and harvesting (NO LSASS dumping by default)
Lateral movement — Kerberoasting, ADCS abuse, NTLM relay
Privilege escalation — local + domain
Cloud lateral — IAM path enumeration, role chaining
Persistence (removed at engagement end, evidence retained)

Module 06 // Out of Scope · Always · Non-negotiable · Hard Limits
Ransomware deployment — even simulated, even in test segments
Real exfil to attacker-controlled infrastructure
Persistence that survives past the engagement end
DoS / availability attacks unless explicitly scoped
Targeting individual employees as "investigations"

Section 07 // White Cell & Blue Posture

Who knows the engagement is live.

Three blue-team postures. Pick one per engagement; you can switch postures mid-engagement at the readout for the next round.

Posture I · Stealth (Cold)
Blue team is not informed. Only the white cell knows (CISO, IR lead, exec sponsor). The truest test of detection from cold — and the slowest learning loop.

Posture II · Balanced (Time-Window Aware) · Most chosen
Blue team knows the engagement is occurring within a window. They don't know the vectors, the TTPs, or the targets. Best signal-to-noise for detection programs.

Posture III · Purple (Full Disclosure)
Blue team knows the full plan. Live TTPs are run side-by-side with detection engineering. Maximum learning per dollar, minimum surprise.

White cell membership. Typically three people: CISO, IR lead, exec sponsor. Each carries a mobile number for stop-test triggers. Communication runs over an encrypted Signal group, Slack Connect channel, or whatever your IR program already uses.

Section 08 // Pricing & Adjusters

Base price, then adjusters.

Engagement price is the base variant plus any modules you turn on. No retainer fees, no per-finding charges, no SOW surprises.

Base Variant (USD)
Scoped · 2 weeks · 1 starting position · 1–2 crown jewels: $18k–$35k
Full · 4–6 weeks · 2–3 starting positions · 3–5 crown jewels: $40k–$90k
Continuous · Monthly TTPs + quarterly full engagement: $15k–$30k / mo

Module · Adjuster (Effect)
Phishing > 250 users (infra warming): + $3k
Physical / on-site module (travel + days): + $8k
OAuth consent abuse infrastructure: + $2k
Full stealth (vs balanced posture): + 25 %
Custom payload development beyond standard loaders: + $5k
Three or more starting positions: + 20 %
Purple-team workshop add-on (2 days): + $5k
Cloud red team (deep IAM path analysis): + $8k

Fixed overhead included: one week of report writing (the executive briefing is heavy), two days of readout (executive + technical), and a 15% schedule buffer because engagements drift.

Section 09 // What We'd Recommend

Engagement selection, by signal.

Honest, repeatable recommendations. If your situation matches a signal, the line beneath it is where we'd start.

Signal: First-ever red team, immature SOC. You've never been tested at this depth. Detection program is in flight or absent.
Start with: Scoped · Balanced posture · Wake-up engagement

Signal: Mature program, testing detection. Established SOC, defined IR plan, dollars to spend.
Start with: Full · Balanced or Stealth · Sophisticated TTPs

Signal: Compliance ask — "we need a red team report." Procurement or framework auditor is the audience.
Start with: Scoped · Non-stealth · Clean deliverable

Signal: Post-incident hardening verification. You shipped fixes after an incident and want to know they hold.
Start with: Scoped · Focused on the previous attack vector

Signal: Continuous mature program. Detection engineering is its own team. You want a constant sparring partner.
Start with: Retainer · Monthly TTPs · Quarterly full engagement

Section 10 // Deliverables

What you receive.

01 // Executive Briefing
Board-level narrative of the engagement, the attack path, and the business impact. Delivered live to the executive team.

02 // Technical Attack Narrative
Day-by-day write-up of every action, the rationale, screenshots, and the corresponding detection opportunity.

03 // IOC Package
Indicators of compromise — domains, file hashes, command-and-control IPs, beacon profiles — formatted for SOC back-fill.

04 // Detection Gap Analysis
Every TTP we ran mapped against your SIEM rules. Where you had no coverage, we ship Sigma rules.

05 // Remediation Roadmap
Prioritized fixes — sequenced for the security engineering team, not just the SOC.

06 // Purple-Team Workshop · Optional
Two-day live workshop running our TTPs alongside your detection engineers. Add-on, +$5k.

Section 11 // Engagements We Decline

What we won't take.

Stated up front so neither of us wastes time. If your situation matches one of these, we'll tell you and recommend the right path instead.

× No crown jewels defined. An engagement with no success criteria drifts. We'll help you pick before we sign.
× No SOC, no IR plan, no detection. You need a pentest first — and probably a detection engineer. We'll say so.
× Phishing in restrictive jurisdictions without HR. EU works councils and similar require coordination. No shortcut.
× Refusing the purple-team readout. Without the readout the engagement is a vanity exercise. We require it.
× "Test a specific employee." That's an HR investigation, not a red team. We refer it back.
× Won't sign a named Authorization Letter. Without explicitly named systems and authorized actions, we don't operate.
× Ransomware actually deployed. Refuse, period. We demonstrate the capability — we never execute it.
× Active unresolved incident. Incident response first. Red team is for after the dust settles and the fixes ship.

Initiate Protocol

Brief us on the crown jewels.

Tell us the variant you're considering, the primary goal, and which crown jewels you'd ask us to reach. We respond with a recommendation and start window within one business day.