RED TEAMING · ADVERSARY SIMULATION

CREST-Certified Red Teaming & Adversary Simulation for UK Businesses

Intelligence-led red team assessments mapped to MITRE ATT&CK tactics, techniques, and procedures. Goal-driven adversary simulation that tests whether your SOC, controls, and people detect a real-world attack — delivered under STAR-aligned and TIBER-UK methodology.

82% of penetration tests trigger a SOC alert in the first 24 hours. Real adversaries operate quietly for weeks. Red teaming tests whether your defences detect either.

Pen tests find vulnerabilities. Red teams find attack paths.

A penetration test stops when one finding is proven. A red team assessment chains findings end-to-end (phishing → credential reuse → privilege escalation → lateral movement → exfiltration) to test your actual resilience, the way an APT or financially motivated criminal would.

Our adversary simulation is intelligence-led, mapped to MITRE ATT&CK tactics and techniques, and delivered under STAR-aligned and TIBER-UK methodology. Engagements run 2–6 weeks with full stealth-mode TTP emulation. Reports satisfy ISO 27001 A.5.30 ICT readiness, ISO 27001 A.16 incident management, DORA, FCA Operational Resilience, and SOC 2 CC7.4 — and prepare regulated firms for CBEST / GBEST / TIBER-UK testing where applicable.

14 MITRE ATT&CK TACTICS

Adversary Simulation Across the Full MITRE ATT&CK Kill Chain

Our red team services emulate the full MITRE ATT&CK Enterprise tactic chain. Every TTP traceably mapped, every action logged, every detection gap quantified.

  • TA0043 Reconnaissance: OSINT, employee profiling, target enumeration, infrastructure mapping.
  • TA0042 Resource Development: C2 infrastructure, phishing kits, credential harvesting platforms, malware development.
  • TA0001 Initial Access: Phishing, exposed services, supply chain, valid accounts, drive-by compromise.
  • TA0002 Execution: Command-line interpreters, scripting engines, PowerShell, WMI, scheduled tasks.
  • TA0003 Persistence: Registry run keys, scheduled tasks, service installation, account creation.
  • TA0004 Privilege Escalation: UAC bypass, token impersonation, kernel exploits, sudo abuse, AD escalation.
  • TA0005 Defense Evasion: Process injection, obfuscation, valid accounts, indicator removal, AV bypass.
  • TA0006 Credential Access: Kerberoasting, AS-REP roasting, mimikatz, browser-stored credentials, LSASS dumping.
  • TA0007 Discovery: Active Directory enumeration, BloodHound, network share discovery, system enumeration.
  • TA0008 Lateral Movement: Pass-the-hash, RDP, PsExec, WMI, WinRM, internal spearphishing.
  • TA0009 Collection: Data staging, screen capture, keylogging, email collection, archiving of collected data.
  • TA0011 Command & Control: C2 frameworks (Cobalt Strike, Sliver, Mythic), DNS tunnelling, encrypted channels.
  • TA0010 Exfiltration: Data transfer to C2, cloud upload, alternative protocols, automated exfiltration.
  • TA0040 Impact: Data destruction, ransomware deployment simulation (no-impact mode), defacement.

FOUR-PHASE METHODOLOGY

Red Teaming — From Threat Intel to Detection Review

Intelligence-led from day one. Goal-driven through every phase. Detection-validated at the end. Aligned to STAR / TIBER-UK structures.

1. Threat Intelligence

Sector-specific threat actor profiling. TTP selection from real campaigns. Goal definition with the customer’s white team. Rules of engagement signed.

2. Initial Access

Phishing campaigns, exposed-service exploitation, valid-account abuse, supply chain. Stealth operations under custom C2 infrastructure.

3. Lateral Movement

Privilege escalation, AD attacks, BloodHound mapping, internal pivots, defence-evasion validation. Goal pursuit until objective is achieved or detection happens.

4. Detection & Report

SOC detection review with blue team, attack-path narrative, MITRE ATT&CK heatmap, executive + technical reports. Optional purple-team replay.

Verified Accreditations Auditors Accept

Every accreditation independently issued by a recognised UK certification body.

COMPLIANCE READY

Red Team Reports Mapped to Every Framework

Findings tagged to MITRE ATT&CK technique IDs and your specific compliance framework. Audit teams submit directly without translation.

MITRE ATT&CK

Full coverage of all 14 Enterprise tactics. Heatmap visualisation showing detection coverage and gaps across the kill chain.

STAR-Aligned + TIBER-UK

Methodology aligned to CREST STAR and TIBER-UK structures. Suitable preparation for CBEST / GBEST / regulator-mandated tests.

DORA (EU + UK)

Threat-Led Penetration Testing (TLPT) evidence under the Digital Operational Resilience Act, mandatory for in-scope financial entities.

FCA Operational Resilience

Severe-but-plausible scenario evidence, important business service mapping, impact tolerance validation.

ISO 27001

A.16 information security incident management evidence, A.12.6.1 vulnerability management, A.5.30 ICT readiness.

SOC 2 Type II

CC7.4 incident detection and CC7.5 response activities evidence accepted by SOC 2 auditors.

TRANSPARENT PRICING

Transparent Red Teaming Pricing

All tiers include the same depth of testing. Price varies by scope complexity — number of attack vectors, duration, regulatory framing, and clearance requirements.

FOCUSED RED TEAM
£15,000 – £35,000
Depends on scope complexity

Goal-driven, 1-2 attack vectors (e.g., phishing → privilege escalation), 2-3 week engagement. Pure red team without TIBER-UK process overhead.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

FULL ADVERSARY SIMULATION (MOST COMMISSIONED)
£35,000 – £75,000
Depends on scope complexity

Multi-vector full-chain emulation, threat-intel-led, 3-5 week engagement, MITRE ATT&CK heatmap, optional purple-team replay.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

REGULATED / TIBER-UK STRUCTURE
£75,000+
Depends on scope complexity

STAR-aligned and TIBER-UK methodology delivery, 5-6 week engagement, white-team coordination, regulator-acceptable reporting structure.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

What You Actually Get

Five things that distinguish our red team services from pen tests dressed up as “adversary simulation”.

What You Get From Red Team Services

Goal-driven adversary simulation, full MITRE ATT&CK kill-chain coverage, SOC detection-gap heatmap, and free retest of detection improvements.

Intelligence-Led, Not Scripted

Every engagement starts with sector-specific threat actor profiling. We emulate the adversaries your sector actually faces — not a generic red-team checklist.

Goal-Driven Adversary Simulation

Red team goals are agreed up front. We pursue them through the kill chain — phishing, lateral movement, exfiltration — until we achieve the objective or you detect us.

MITRE ATT&CK Heatmap Reports

Every TTP traceably mapped to MITRE ATT&CK techniques. SOC detection coverage shown as a heatmap. Detection gaps quantified and prioritised.

UK CREST + STAR-Aligned + TIBER-UK Methodology

CREST member, STAR-aligned methodology, TIBER-UK delivery structure. Suitable preparation for CBEST / GBEST / regulated TLPT cycles.

Frequently Asked

How long does a red team assessment take?

A focused red team engagement (1-2 attack vectors) typically takes 2-3 weeks. A full adversary simulation (multi-vector, threat-intel-led) takes 3-5 weeks. STAR-aligned and TIBER-UK structured delivery takes 5-6 weeks including the threat intelligence phase. Test duration is determined during scoping.

How much does red teaming cost in the UK?

Focused red team engagements range from £15,000 to £35,000. Full adversary simulation (most commonly commissioned) costs £35,000-£75,000. STAR-aligned / TIBER-UK structured delivery costs £75,000+. UK day rates for red team operators are £1,500-£2,500 per operator per day.

What’s the difference between a red team and a penetration test?

A pen test stops when one finding is proven. A red team assessment chains findings end-to-end — phishing, credential reuse, privilege escalation, lateral movement, exfiltration — to test whether your detection and response works against a goal-driven attacker. Pen testing tests vulnerabilities. Red teaming tests resilience.

What is adversary simulation?

Adversary simulation is the modern term for goal-driven red teaming where each test emulates the specific TTPs of real-world threat actors. Unlike a generic red team, adversary simulation profiles a known threat group (e.g., FIN7 for fintech) and emulates their actual playbook end-to-end.

Are you TIBER-UK certified?

We are not directly accredited under TIBER-UK or CBEST. We deliver under TIBER-UK methodology — meaning our engagement structure, threat intelligence integration, and reporting align with TIBER-UK requirements. For TIBER-UK regulated tests where the regulator requires an accredited provider, we recommend partnering with a CBEST / TIBER-UK accredited firm; we frequently support these as the threat intelligence cell or red team cell.

Do you map findings to MITRE ATT&CK?

Yes. Every TTP we use is mapped to a specific MITRE ATT&CK technique ID (e.g., T1078 Valid Accounts, T1003 OS Credential Dumping, T1486 Data Encrypted for Impact). The final report includes a MITRE ATT&CK heatmap showing coverage and detection gaps across all 14 Enterprise tactics.

Can you do social engineering and phishing as part of a red team engagement?

Yes. Initial access via phishing (T1566) and social engineering is part of most red team engagements. We design custom phishing campaigns, pretext call scenarios, and where authorised, physical access attempts. All social-engineering activity is pre-approved in writing during scoping.

What about physical red team (on-site access attempts)?

Physical red team engagements are offered as an extension to a digital red team engagement. This includes RFID badge cloning, tailgating, dropbox deployment, USB drops, and visitor-pretext access attempts. They require explicit written authorisation, including the specific buildings and time windows, and are always paired with a ‘get-out-of-jail’ letter.

Can red teaming damage our production environment?

No. We use safe-by-default exploits and explicit damage-prevention controls. Ransomware deployment is simulated in no-impact mode (encryption deferred to a sandbox; we never encrypt customer data). Data exfiltration is to controlled test endpoints. Any potentially disruptive technique is paused for explicit white-team approval before execution.

How does red teaming prepare us for DORA / TIBER-UK / CBEST?

Regulated TLPT cycles (DORA, TIBER-UK, CBEST, GBEST) require structured threat intelligence, stealth red team execution, and detection review. A focused red team engagement is excellent preparation — it identifies detection gaps and TTP coverage holes before the regulated test begins. Many of our regulated-sector clients run a focused red team 3-6 months before their CBEST / TIBER-UK cycle.

Are your operators UK-based and what certifications do they hold?

All red team operators are vetted UK or international engineers. Relevant certifications across the team include CREST CRT and CCT INF, OSCP, OSEP (Offensive Security Experienced Penetration Tester), CRTO (Certified Red Team Operator), and platform-specific specialisms. SC-cleared operators are available for regulated and public-sector engagements.

Do you sign NDAs?

Yes. We sign a standard NDA before any technical detail is shared. We operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients. The white-team contact list and escalation paths are agreed in writing before the engagement starts.

READY TO SCOPE

Book a Red Team Scoping Call

30 minutes with a CREST-certified red team operator. Fixed-price quote within 24 hours. No sales pipeline.