In depth
Engagements typically run six to twelve weeks and begin with a TIBER-EU-style or CBEST-style threat intelligence phase: open-source intelligence is gathered on the target organisation, a credible adversary profile is selected (think nation-state, organised crime, hacktivist), and the operator team then plans attack paths that the chosen adversary would realistically use. The MITRE ATT&CK matrix structures both the plan and the report — every action maps to a tactic and technique so the defender can trace detections back to specific TTPs.
Common scope inclusions are initial access via phishing, password spraying or exposed services; persistence through scheduled tasks, registry run keys or cloud OAuth applications; privilege escalation through Active Directory misconfiguration or cloud IAM abuse; lateral movement via Kerberos abuse, SMB pivoting or cloud cross-account role assumption; and objective achievement against the named target system. The Blue Team is rarely told the engagement is happening — that opacity is the point. A debrief in the closing week then walks both teams through the timeline, the missed detection opportunities, and the controls that worked.
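The debrief join described above, as an added example (not AxVeil's tooling): it matches a constructed operator log to constructed SOC alerts by ATT&CK technique ID and host, and labels each action detected, late or missed. The four-hour detection window, the host names and the timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not from a real engagement.
# Operator log: (time, engagement phase, ATT&CK technique ID, host)
ACTIONS = [
    ("2024-03-04T09:12", "initial access", "T1566.001", "ws-114"),   # Spearphishing Attachment
    ("2024-03-05T14:40", "persistence", "T1053.005", "ws-114"),      # Scheduled Task
    ("2024-03-06T10:05", "persistence", "T1547.001", "ws-114"),      # Registry Run Keys
    ("2024-03-11T16:30", "lateral movement", "T1021.002", "fs-02"),  # SMB/Windows Admin Shares
]
# SOC alerts: (time, technique ID the detection rule is tagged with, host)
ALERTS = [
    ("2024-03-05T15:02", "T1053.005", "ws-114"),
    ("2024-03-06T09:00", "T1547.001", "ws-114"),  # fired before the action: unrelated
    ("2024-03-12T08:00", "T1021.002", "fs-02"),   # fired, but well after the action
]

def _ts(text):
    return datetime.fromisoformat(text)

def debrief_timeline(actions, alerts, window=timedelta(hours=4)):
    """Join each operator action to the first matching alert raised after it."""
    rows = []
    for when, phase, technique, host in actions:
        start = _ts(when)
        delays = sorted(_ts(t) - start for t, tech, h in alerts
                        if tech == technique and h == host and _ts(t) >= start)
        if not delays:
            status, delay = "missed", None
        elif delays[0] <= window:          # assumed detection window
            status, delay = "detected", delays[0]
        else:
            status, delay = "late", delays[0]
        rows.append({"time": when, "phase": phase, "technique": technique,
                     "host": host, "status": status, "delay": delay})
    return rows

def coverage_by_phase(rows):
    """Return {phase: (detected, total)} for the debrief summary."""
    tally = defaultdict(lambda: [0, 0])
    for row in rows:
        tally[row["phase"]][1] += 1
        tally[row["phase"]][0] += row["status"] == "detected"
    return {phase: tuple(counts) for phase, counts in tally.items()}

if __name__ == "__main__":
    timeline = debrief_timeline(ACTIONS, ALERTS)
    for row in timeline:
        print(row["time"], row["technique"], row["host"], row["status"], row["delay"])
    print(coverage_by_phase(timeline))
```

Rows marked "missed" or "late" are the missed detection opportunities to walk through in the debrief; "detected" rows are the controls that worked.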
Red team is the right service when penetration tests already come back clean and the question has shifted from "do we have vulnerabilities" to "can we actually catch a determined attacker." See AxVeil Red Team and the explainer Red team vs. penetration test.