/servicos · Red Team

Red Team: Adversarial Simulation with a Concrete Goal

Custom C2 (Cobalt Strike, Mythic, Sliver), proper OPSEC, TTPs mapped to MITRE ATT&CK. For companies that already matured pentest and want to test detection.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Pentest covers breadth. Red Team covers adversarial depth. It is for companies that already have a SOC, EDR and an annual pentest running — and need to know whether the defensive team can spot a real attack or only SIEM tickets. Without a white card it's a crime. With a white card, it's the only honest way to measure blue team MTTD/MTTC.

Applicable frameworks

MITRE ATT&CK · TIBER-EU (PT/IT) · CBEST (UK) · iCAST (HK) · BACEN Res. 4.893 · Lei 14.155/2021

/attack-surface

Red Team

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

Initial access

Spear phishing, malicious USB drop (LNK), supply chain when authorized, exploitation of external exposure.

02

C2 and infrastructure

Cobalt Strike / Mythic / Sliver with redirectors, aged domains, beacons with high sleep + jitter, custom malleable profiles.

03

Internal recon and Active Directory

BloodHound, Kerberoasting, AS-REP roasting, Pass-the-Hash, ACL abuse, AdminSDHolder, golden/silver ticket.

04

Persistence

Scheduled task, WMI subscription, service install, COM hijack, golden ticket — always via a vector the blue team is expected to cover, to test the detection rules.

05

Lateral movement and escalation

PsExec, WMI, WinRM, DCOM, RDP, AtExec — with OPSEC to dodge EDR. Escalation to Domain Admin / Tier-0.

06

Simulated exfiltration

DNS tunneling, HTTPS via redirector, cloud storage covert channel — always with dummy or encrypted data.

07

Detection and blue team report

Map of missed detection opportunities, purple team recommendations, SOC tabletop.
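The detection report in item 07, and the MTTD/MTTC measurement mentioned under "The real pain", both reduce to one computation: for each technique the operators executed, when did the SOC first see it and when did it first act. The script below is an added example, not intrus.io's own tooling; the inject timeline it consumes is constructed (the ATT&CK technique ids are real, the timestamps are made up). It derives MTTD, MTTC, per-tactic detection coverage, the techniques that produced no alert at all, and the alerts that were raised but never acted on, which is the raw material for the purple-team recommendations.

```python
"""Purple-team scorecard: MTTD / MTTC and missed detection opportunities.

Added illustration, not intrus.io's tooling. It consumes a constructed
inject timeline (ATT&CK technique id, tactic, execution time, SOC alert
time, containment time) and produces the metrics a detection report
would summarize.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Inject:
    technique: str                 # ATT&CK technique id, e.g. T1558.003
    tactic: str                    # ATT&CK tactic name
    executed: datetime             # when the operator ran the step
    detected: Optional[datetime]   # first SOC alert/ticket, None = missed
    contained: Optional[datetime]  # first containment action, None = never

    def __post_init__(self) -> None:
        # A containment without a detection is a timeline recording error.
        if self.contained is not None and self.detected is None:
            raise ValueError(f"{self.technique}: contained but never detected")
        if self.detected is not None and self.detected < self.executed:
            raise ValueError(f"{self.technique}: detected before execution")
        if self.contained is not None and self.contained < self.detected:
            raise ValueError(f"{self.technique}: contained before detection")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample timeline (single day, UTC); not real engagement data.
TIMELINE: List[Inject] = [
    Inject("T1566.001", "initial-access",     _ts("2024-03-04T09:00"), _ts("2024-03-04T09:40"), _ts("2024-03-04T10:30")),
    Inject("T1071.001", "command-and-control", _ts("2024-03-04T09:05"), None,                    None),
    Inject("T1558.003", "credential-access",   _ts("2024-03-04T11:00"), _ts("2024-03-04T11:15"), _ts("2024-03-04T12:00")),
    Inject("T1053.005", "persistence",         _ts("2024-03-04T12:00"), _ts("2024-03-04T12:10"), _ts("2024-03-04T13:00")),
    Inject("T1021.002", "lateral-movement",    _ts("2024-03-04T13:00"), None,                    None),
    Inject("T1048.003", "exfiltration",        _ts("2024-03-04T14:00"), _ts("2024-03-04T14:05"), None),
]


def _minutes(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 60.0


def mttd_minutes(injects: List[Inject]) -> Optional[float]:
    """Mean time to detect, over the injects the SOC actually caught."""
    ttd = [_minutes(i.executed, i.detected) for i in injects if i.detected]
    return mean(ttd) if ttd else None


def mttc_minutes(injects: List[Inject]) -> Optional[float]:
    """Mean time to contain, measured from execution, over contained injects."""
    ttc = [_minutes(i.executed, i.contained) for i in injects if i.contained]
    return mean(ttc) if ttc else None


def missed_opportunities(injects: List[Inject]) -> List[str]:
    """Techniques executed with no SOC alert at all: the detection-engineering backlog."""
    return [i.technique for i in injects if i.detected is None]


def detected_not_contained(injects: List[Inject]) -> List[str]:
    """Alerts raised but never acted on: a response-process gap, not a rule gap."""
    return [i.technique for i in injects if i.detected and i.contained is None]


def coverage_by_tactic(injects: List[Inject]) -> Dict[str, float]:
    """Fraction of injects detected, per ATT&CK tactic."""
    totals: Dict[str, List[int]] = {}
    for i in injects:
        hit, n = totals.setdefault(i.tactic, [0, 0])
        totals[i.tactic] = [hit + (i.detected is not None), n + 1]
    return {t: hit / n for t, (hit, n) in totals.items()}


def scorecard(injects: List[Inject]) -> dict:
    """The numbers a blue-team report would lead with."""
    return {
        "injects": len(injects),
        "detected": sum(i.detected is not None for i in injects),
        "mttd_minutes": mttd_minutes(injects),
        "mttc_minutes": mttc_minutes(injects),
        "missed_opportunities": missed_opportunities(injects),
        "detected_not_contained": detected_not_contained(injects),
        "coverage_by_tactic": coverage_by_tactic(injects),
    }


if __name__ == "__main__":
    for key, value in scorecard(TIMELINE).items():
        print(f"{key}: {value}")
```

Two design points matter in practice. MTTD is averaged only over caught injects, so it must always be read next to the coverage figure: a SOC that catches one step quickly and misses five looks fast on MTTD alone. And "detected but never contained" is kept separate from "missed" because the fix is different: the first is a response-process or escalation problem, the second is a detection-rule gap.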

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Caixa Econômica Federal — recognized as best technical pentest in a competitive evaluation. Banco BMG. TIBER-EU-aligned engagements in Portugal.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.


Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87% of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ — Red Team

Does every company need Red Team?

No. It makes sense for organizations that already run a mature annual pentest, have an active SOC (internal or MSSP) and want to test detection and response. Without a SOC, Red Team becomes an expensive pentest.

How long does a Red Team take?

4 to 16 weeks. Typical banking engagement: 8-12 weeks, with a long pre-engagement window and an initial quiet period.

Do you run Red Team with your own C2?

Yes. We operate Cobalt Strike, Mythic and Sliver with custom payloads, redirector infra, proper OPSEC and a TTP chain mapped to MITRE ATT&CK.

Does it include social engineering?

Yes, within the scope authorized by the white card. Spear phishing, vishing, physical pretexting when applicable.

How does the client know it was simulated and not a real attack?

The white card issued by the sponsor (CISO + legal) identifies the exercise and the on-call contact. Upon detection, the white card is presented and the sponsor decides to continue or pause.

/contact

Talk to us about Red Team

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.