What we test
A Red Team exercise is always carefully scoped to ensure that the client’s specific objectives are addressed. A great deal of preparation goes into every Red Team engagement, including the creation of test infrastructure, domains, personal identities, and malware payloads all designed to breach the client’s infrastructure.
Typically, a combination of the following areas is tested:
Social Engineering: Simulated social engineering attacks are often a crucial part of Red Team engagements. This includes phishing attempts, pretexting, and other techniques to assess an organization’s susceptibility to manipulation.
Physical Security: Red Teams may conduct physical security assessments, including attempting to gain unauthorized access to facilities, server rooms, and sensitive areas within an organization.
IoT and OT Security: Assessing the security of Internet of Things (IoT) devices and operational technology (OT) systems, which are increasingly becoming targets for cyberattacks.
Third-Party and Supply Chain Risk: Often overlooked, the evaluation the security of third-party vendors and partners who have access to an organization’s systems or data.
Network Security: Red Teams often assess the security of an organization’s network infrastructure. This includes testing firewalls, routers, switches, and other network devices for vulnerabilities and misconfigurations.
Web Applications: Web applications are a common target for attackers. Red Teams assess the security of web applications by attempting to exploit vulnerabilities such as SQL injection, cross-site scripting (XSS), and authentication flaws.
Endpoint Security: Testing the security of individual devices such as computers and mobile devices to identify vulnerabilities and determine if attackers can gain access to sensitive data or compromise the devices.
Incident Response: Testing an organization’s incident response capabilities by simulating a security incident and evaluating how well the organization can detect, respond to, and recover from the attack.