Bulletproof’s range of cyber security, data protection and compliance services are your best defence against threats to your business. With nearly a decade of providing trusted security services, we’re continuing our mission of solving the greatest cyber security & compliance challenges through innovation and simplicity. Explore our range of services and find out how Bulletproof can help your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you.
Discover CREST penetration testing & continuous security
Internal & external infrastructure, network & system testing
Manage multiple tests & get external security assurance
Thoroughly assess your web apps & APIs for security flaws
Test your response to a simulated real-world cyber attack
All cloud platforms & services tested, including Azure & AWS
Test your human cyber defences with social engineering
Android, iOS & custom mobile application security testing
Find out more about penetration testing – what it is, when you need it, and why it’s a core component of any business. Discover how pen test helps with compliance, powers best practices, and helps your organisation win new business.
Gap analysis, implementation, audits & more from GDPR experts
On-going support to easily manage your data protection obligations
Consultant-led support to meet all levels of DSPT submission
Flexible & engaging data protection training from certified experts
Get peace of mind that your data protection is being managed by trusted, certified consultants. All Bulletproof data protection services are delivered by our highly trained, experienced and qualified staff.
Gap analysis, implementation, audits & more from dedicated ISO consultants
Find the next step in your strategy with this consultant-led assessment
Get quick & easy CE certification with a range of feature-packed packages
Flexible access to top-tier information security strategy & management
Experienced SOC 2 consultants, AICA audits & compliance automation platform
On-site, remote and video-based security training to boost your resilience
Affordable expertise & support to help you meet & maintain PCI DSS compliance
Go beyond compliance with information security services that are designed to give real operational benefits to your business. All delivered by seasoned, certified Bulletproof security consultants.
24/7 defence against cyber attacks with proactive threat detection
Get help responding & recovering from cyber incidents
Detect, analyse and stop cyber attacks with real-time prevention
Forensic support & data recovery following cyber attacks
Stay on top of new vulnerabilities with powerful, flexible scanning
Evaluate your wireless network for security weaknesses
Discover how your business can identify & manage cyber threats
Comply with regulations, meet certification standards & best practices
Train and test your staff for security resilience, data protection & compliance
No matter what your cyber or compliance challenges, Bulletproof is here to help. We like to work with you as a trusted partner to solve problems, not sell services. No pressure tactics and no false promises.
Learn about our mission to make cyber & compliance accessible to all
Grow your business with high-margin, high-value & partner-ready services
Become part of the Bulletproof team & supercharge your career
Bulletproof’s in-house SOC powers our Managed SIEM & MDR services
We love to talk. Tell us about your cyber & compliance challenges
At Bulletproof we love to solve problems with simplicity & innovation. It’s our mission to make compliance & cyber security services accessible to all. We take pride in building and nurturing teams of exceptional talent, so we’re confident that our cyber security & compliance services are the best way to stay one step ahead of the hackers and protect your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you, no matter what you have to say.
Get the latest news, views & expert insight in the world of cyber security, data protection & compliance
A helpful index of cyber security terms, compliance acronyms and industry terminology to make life easy
Discover what we have to say about the threat landscape & what businesses need to know to get ahead
Find out how we can make companies like yours Bulletproof. Don’t take our word for it, hear direct from our clients
Detailed insights & helpful tips for understanding penetration testing, data protection & more
Interesting data & top tips at a glance, with insightful infographics covering all areas of cyber security & compliance
Watch our experts talk through their thoughts & opinions on a variety of security & compliance topics
See when & where we’re going to be bringing Bulletproof insight to an event near you
Ayisha Bari
Find out what ransomware is, how attacks work & types of attack to help you get started with keeping ransomware out of your business.
Read More
During my time delivering red team engagements over the last few years, I've had the luxury of working with organisations who’re just starting out with their red teaming approaches, all the way up to battling hardened and heavily monitored networks. In this experience, I’ve found that one of the key areas that makes or breaks a successful operation is the scoping, sizing and planning of an engagement. It can often be daunting to explore more threat-led and realistic testing approaches. Often organisations dive headfirst into large end-to-end engagements that are often cost prohibitive or are delivered in the same way as penetration testing leading to disappointment and wasted resources. So this blog aims to explain where you start, or, if you’re already exploring red team activities, how you can get further value with varying approaches. In this short article I will walk through areas of consideration when exploring the prospect of Red Teaming assessments and lend some hopefully useful insights.
So, to start from the top: what makes a red team engagement different than a penetration test? The short answer is: pen testing is out to give you a comprehensive list of vulnerabilities that you need to fix. Red teaming is out to circumvent your defences the way a real attacker would, delivering very valuable insights in the process.
The longer answer here is better: red teams are threat driven, meaning we use real threat intelligence as an ongoing guide for operations. This doesn't mean we simply follow a set play book with no deviation like a robot. Rather, we apply the same processes and approaches used by real threats to modify our techniques based on our target whilst adhering to the threat's ultimate operational goals and capabilities. Red team engagements are goal orientated, which ensures the attacking team remains focused on key areas that matter to the client.
A penetration test on the other hand seeks to find, evaluate, exploit and categorise all vulnerabilities in as short a time as possible whilst covering the maximum number of systems. A Red Team often follows the path of least resistance to achieve its objectives and is after depth over breadth in terms of coverage. Red Teaming is designed to take a holistic view of your defences at each level and the depth of detail in findings and recommendations should be apparent over normal penetration testing results.
Context is king. Within a red team engagement, we look to work within the confines of your technical and procedural controls. We do not ask for exceptions to be made and whitelisting actions to be taken, unless required based on time or financial restrictions (we call these fall backs or dechaining events). We provide you with insights into the wins and losses across an attack chain. If your defences excel in repelling initial access but your internal network is more of a chocolate fondant, then the Red Team will highlight this.
Penetration testing is often carried out from highly trusted networks using attacker-controlled devices in highly unlikely configurations that disregard all defensive protections that may lead to that point. With red teaming, very few findings are isolated and instead form part of a complete attack chain.
Detection and response matters! Red teams are not a red team without a counter or opposite, be that an external MDR, a dedicated internal security team, or even a growing security function. The red team provides an ideal opportunity to evaluate and enhance the protection offered by these services. All reports do (or should) contain detailed detection guidance where appropriate around the techniques and approaches used during the assessment. The red team should help to highlight detection gaps and provide realistic context on these blind spots. No one can (or will ever) detect everything, but what areas of the attack chain within a scenario should be focused on, where the attacking team are at their most vulnerable. An experienced red team will be able to provide this insight.
Maturity, objectives and complexity are the guiding principles I use when designing scenarios and proposals. These differ from the quantity-driven approaches often taken in a penetration test, in which complete coverage is wanted or samples are taken. With these principles we can provide project delivery estimates and costing that deliver the best value for a client and align outcome expectations early on. Red teams often work with wide scopes and targeted objectives. This wide to narrow approach ensures the attacking team have all the opportunities possible to achieve objectives in the same way a real attacker would, but their approaches and goals keep the engagement on track and stop it from drifting off course.
So, with some of the basic differences out of the way if you're looking to start a journey into red team testing to support your ongoing operations, here are some of the best ways to enhance your current testing approaches:
These engagements can be standalone or, pro tip here: added into existing penetration testing projects. Assumed breach assessments deliver the red team approaches without a lot of the more costly and complex aspects of a full red team test. By assuming an organisation can and will be breached at some point, the red team can design a scenario that puts the defensive layers of your organisation to the test. If you still want to include stealth or evasion to test a SOC, that can be done. Want to see what happens if someone clicks a phishing link? We can design that scenario and play it out to completion. You get all the findings, context, and recommendations from a full red team report without initial access overheads resulting in a significant reduction in complexity which allows for a lower day count. Simple as that.
Just want to focus on detection and response? Do you think your current SOC can handle the worst a ransomware gang can throw at it? Find out with a purple team in which the red and blue team, work hand in hand to evaluate and enhance the detection capabilities within an organisation to block numerous TTPs packaged up into a threat scenario which is delivered by the red team. These can be great to carry out incrementally and regularly to enhance protections before putting them to the test against a complete end to end red team engagement. The size and coverage of a purple team is entirely up to the organisation but we suggest starting in sections and carrying out smaller regular engagements that allow time for improvements and tuning for recommendations and cover phases of an attacker's playbooks.
The main event! At Bulletproof we have designed a robust, phased-based delivery approach. We always want to deliver the best results we can within the budgets and timelines of our clients wherever possible. We get it, not everyone has the budget for a full low-and-slow 3-month engagement focusing on novel attacks and complete realism. We will, however, do everything we can to manage expectations and deliver what we feel is best for you, even if that is not a Red Team. We can deliver what we call "Guided Red Teams" these follow the full end to end process of a Red Team test starting externally but have a larger amount of clear and direct fall back or dechaining checkpoints. This ensures that a Red Team engagement continues to move through the phases and delivers results across the attack chain on a more compressed timeline. A few examples of these would be:
These of course would usually also be a part of larger less compressed engagements but using a stricter timeline with a smaller set of very clear objectives can reduce costs. Again, it's all about managing complexity, maturity, and objectives and to a degree realism to correctly size an engagement. We are confident of this due to the planning and delivery approaches we have in place, which have been designed from experience delivering complex engagements over the years. This structured approach is always something I would recommend you look for in your providers regardless of who they are. Not a strict robotic check list but a clear understanding of the complexities and expectations from these operations is key.
The other side of the coin might be that you haven't had any form of testing done but want to look to explore red teaming. With all organisations I would always suggest that the basics are done before jumping in for a red team, though the waters are a bit less clear these days with some less reputable security providers selling penetration testing as red teaming and vice versa. But I'd always say red teaming is an evaluation of the organisation as a whole, and that a true sign of maturity is the basics done and done well. So, start small, ensure you have a handle on vulnerability management, carry out penetration testing, and align your systems and networks with hardening best practices. From there detection and prevention should also be considered, with these basics in hand and a good understanding of your security operation you should look to add in red team engagements in tandem with other tests or in isolation. This might mean starting with assumed breach or a tailored end- to-end red team.
When looking for a red team engagement, ensure you can go into a discussion with an open mind and a grasp on what's important to your organisation. The clearer the vision you have of what you want out of the engagement, the better the attacking team can design a scenario to fit. Red teaming exists to support, develop, and enhance your security posture, so make sure the projects do just that and support your organisation’s key areas of concern.
If you want to test a single web application as a red team, you're missing the key advantages of a red team and could probably get better results from a code review and web app penetration test. But if you want to see if it's possible for an attacker to gain access to the CI/CD pipeline and underlying code bases that underpin that web service, then that sounds like a good goal to me. Just be aware the more false constraints and assumptions you add to an engagement the greater you limit the value, and you may be better with other testing approaches or review activities. Like many things in life, no single approach is best for everything.
The next step is choosing a supplier, as most organisations are not in a position to have their own internal red team. That's where I’ve made my career as a consultant and red teamer for hire, and here are my views on selecting a provider. I may be biased on this but ensure you pick a supplier based on capabilities and track record. Look for an established methodology and organisation whose outcomes and approaches align with your organisation’s goals and expectations. Red teaming is highly complex and continues to get harder. Modern EDRs and protection mechanisms present more of a challenge and picking a provider that is suitable for your organisation’s maturity level is important. As I said before, we are here to elevate you, and the best red teams adapt to your organisation, tailoring approaches and operation to deliver you results and grow with you over repeat engagements.
The elephant in the room is of course... costing. It's a concern for all organisations, and the old adage "you get what you pay for" certainly applies here. There are tricks to limiting expense whilst maintaining good outcomes that we can apply to cost-conscious customers. At Bulletproof I make sure we always explore every option to deliver engagements within budget expectations. This comes back to both sides to being upfront and honest in terms of expectations and working towards an outcome that ultimately benefits the security of the organisation.
I hope this blog has provided a small insight into the different engagement options and approaches possible with red teaming. If you just don’t know if you need it or how to start, don’t be afraid to get in touch. We can have an impartial conversation around engagement options: we don’t want to sell you something that won’t give you value, so we’re always happy to discuss options and suggest relevant testing approaches.
Dominic’s role heading up Bulletproof’s red teaming division means he’s well versed in talking about adversarial security testing. You can find him writing about interesting approaches and insights across all areas of red teaming.
Explore the different red teaming options and find what you need to start thread-led security testing.
If you are interested in our services, get a free, no obligation quote today by filling out the form below.
I'd like to receive Bulletproof communications about relevant services and events
For more information about how we collect, process and retain your personal data, please see our privacy policy.