Ayisha Bari
Bulletproof sat down with Jordan and Gillian, two of our red team penetration testers to find out more about what they do, what a business gets out of it, and what their best stories are. If you’d like to watch rather than read, here’s the video:
Essentially at Bulletproof we like to distinguish the difference. So, for a Black Team we focus on physical assessment. We're not hacking a network or a system, we are hacking a site or a physical building. And it’s not just a building that's in scope so we also include staff. On the contrary, a Red Team would focus on the networks and the actual systems that they have in scope. Jordan
You can also blend them together with a 'simulated attack' where you have components from a Black Team and a Red Team in scope. As an example, you could use a Red Team to gain access to an organization's networks and potentially modify security camera footage or open doors for the Black Team to then go into the building. Jordan
We have OSINT stages as well, 'open-source intelligence' stages, where we look at information that's available online through public repositories and websites, and that helps us with the research for a lot of these engagements, especially with the Black Team side of things. Because the staff are also in scope, we need to understand our targets. Jordan
Recently, in a Black Team engagement we incorporated some phishing elements. We found that having access to staff's phone numbers and being able to send phishing emails at the same time allowed us to reproduce a convincing requirement for us to be on site. If it was a random case of somebody wanting to remotely access your laptop to ensure that it was compliant, and they said they were from the IT team, you'd be suspicious. But because we'd already figured out a way to enter the site, being able to phone up employees and say, 'I'm on site on this day, can I come to your desk and we can do this?' implies a 'higher level' of trust; they assume that you're meant to be there. If you're able to walk to the desk, the likelihood is that they're going to give you the laptop.
That's ultimately how Black Team, Red Team, OSINT and phishing can all work together in a simulated attack. Jordan
Black Team: Customers want to focus on their physical buildings. We will also use some OSINT.
Red Team: Customers want to focus on intrusion detection systems (IDS), SOC capabilities and external security.
Pen tests are just more narrowly defined. Usually with a pen test you’re only attacking a web application, or an internal infrastructure. With a Red team it's almost all bets off. While you can't impersonate a police officer, you can phone people up, send them a phishing email, try to break in, plug into the network. So, it's much broader, and usually when we get Red Teams signed it's for people that say, 'Do whatever you want I just want to see how far you can get, and what information you can get from it'. Gillian
Personally, I quite like phishing just because you're a bit farther removed. You just send that email, and you see credentials coming in. Gillian
I love the initial step of getting access into the building. Sometimes it's difficult and we get a little bit stumped, sometimes it's super easy. But I like the idea of creating the illusion or bypassing reception, tailgating, and basically gaining the initial foothold. Gillian prefers working her way around once we’re in the building so, usually we do assessments together and we make a pretty good team on that front. Jordan
Sometimes businesses have good protection systems against phishing and people will be quite well trained. You phone them up and they're immediately suspicious, but then you can just walk in! Sometimes it's the other way around; a phishing email goes through, you ring someone up, they're happy to meet you, give you their password etc, but walking in will be difficult. Gillian
I think having that fake level of confidence is hard, because when we're planning an assessment we create stories that we're going to use on the day to get past reception, to get through doors or to tell security guards.
One thing that's difficult is to think, 'Okay, but if they come back with this question, what are we going to say? What's believable? What do we have on us that could help with that illusion of trust?' Jordan
If you get to reception and you look nervous like you're not supposed to be there, people notice straight away. If you have that 'fake level' of confidence people don't tend to question you as much. But I guess another one of the hardest things is if you gain entry to the building, looking like you know where you're going because you need to get to point B and you don't know where point B is! Jordan
If you're able to do it, it works even if you're wrong! We had an assessment where I walked into the building and went into a meeting room to try and see if I could plug in (because usually that has ethernet ports), and someone came in and said, 'Where are you from?' I just gave a name, and apparently this wasn't even the office we were supposed to go to and the name I gave made no sense to the people I said it to, but they were like, 'Oh, okay', and everybody just left and let me be on my way. Gillian
On the last assessment we did, as soon as you walked in there was a massive touchscreen with every floor, and it had a floor plan of where each room was. That was perfect, because Gillian went in first and took pictures of each floor, and I hadn't been in yet so I could study each one. So, even though I hadn't been in the building, when I went to each floor I'd memorized the floor plans, so I knew where I was going, and because I knew where I was going I didn't look suspicious. Jordan
On scoping calls, I often get people saying, ‘why do we need to do internal tests, because someone would need to break into our building, and who's going to do that?' But you can prove to people that it is possible to do and that it is needed. Gillian
We have some examples where we managed to get in, tried to plug in and nothing happened. And that is something that companies can get out of it.
We also take a holistic view. We don't just say, 'Oh, you need to fix just one thing'; we go at it in layers, find out if people are being educated and if they have an extra layer of security if someone breaks in. Taking a holistic view can pinpoint issues that need to be addressed as well. Gillian
Sometimes it's better to work backwards. If you do an internal infrastructure test and you say, 'These are all the things that are wrong in the network', then when we do a Black Team assessment we can say, 'Here's how easy it would be for an attacker to break in.' What we do is basically provide a bridge. It can also help a CISO (Chief Information Security Officer) to say how easy or hard it would be for an attacker.
I've worked in some large banks, and what they do when we raise a lot of issues is they will often reduce the severity of anything that isn't available externally. Say we find SQL injection, which is a big issue if it is unauthenticated. They reduce the risk rating quite significantly if it is only available internally. Us being able to do a Black Team assessment and bridge that gap to say, 'You know, this is how easy it would be to break in', gives everything more context. Jordan
On the technical side, organizations don't really get a chance to properly test their SOCs or their Intrusion Detection Systems (IDS) against being targeted by trained professionals. Quite often, random attacks on the internet are loud scans that are easy to detect. Red Team scans are slightly harder, so it's good for a company to know, if a hacking team were to target them, whether they would pick that up. Jordan
Yes, if they want to have that collaboration, it very much depends how companies want to approach it. On one of the tests, they wanted to have their blue team (their defensive team) be aware of what we were doing only after they realized we were doing something. So, we just did it in stages. At first, we tried to be quiet, and then upped it a little bit, and then at one point we threw a lot at the network. Then it became a Purple Teaming collaboration where we would say, 'Okay we've done this did you pick it up? We've done that did you pick it up?' Gillian
Don't use Black Teaming when… You have an organization that's very remote, has very few sites, and the sites they do have aren't really connected to their internal network (it's literally just a shared office with access to Wi-Fi). Then there's not much value in a Black Team assessment, because most of the company resources are not on site.
Do use Black Teaming when… Your organization has at least one site where there's a lot of potentially sensitive data, either on the network or stored in files, or there are server rooms. That's when Black Teams can become beneficial. If you have a lot of sites, then obviously it's going to be more beneficial, because the physical attack surface is much bigger. Jordan
Because some organisations use similar security controls across multiple sites, companies may choose a selective approach, for example testing one or two out of five possible customer support centres, and the recommendations that we raise can be applied to all the sites in scope. Jordan
Where a Red team differs from a standard pen test is when you have security controls in place, like a mature SOC and you want to understand the full attack path. As pen tests have a narrow scope that focuses on one thing, to test something like whether an attacker would be able to get from outside the company (for example, on the internet) to three or four internal networks in, a Red Team is going to give you that knowledge. Jordan
The first one that we did together I think was cool just because it looked a bit hopeless from the start. It's one where we were there the day before and there were turnstiles everywhere and guards. We went around the back looking for a side entrance, and immediately someone walked up to us and asked what we were doing there. So, I thought 'This isn't going to work.' Then we went to a parcel shop, got a little parcel ticket made, tried to get in that way, they stopped me and took my parcel. So, someone got an empty parcel that day. Gillian
We saw there was a box filled with lanyards and with key cards on top of the reception desk. Jordan had the idea to pretend to be drunk, knock it over and then I pick one up, which we didn't go for, but that would have been funny! What we did instead was Jordan went in pretending to be an IT engineer and the moment the receptionist looked away he grabbed a pass, came back outside, and gave it to me. I went in, tried to beep it but it didn’t work so I went to reception and said, 'Hey you just gave me a pass that's not working.' And they said, 'Oh so sorry', and gave me a new one! That's how we got in. Gillian
There were quite a lot of moving parts to that one. When we stole a badge from the box it wasn't simple, because there were so many cameras and security guards all looking at this box. How do you steal something in plain sight? Jordan
When I went in the following day, I wore a fake badge that Gilly had made. My plan was to take my badge and put it in the box, pretend that I forgot something, run in, and when I went to get my badge, take a different one. It ended up being much better because when I put my badge in the box, the receptionist for whatever reason turned around to sort some paperwork, the security guard was behind me and my body was blocking the box, so I just swapped it instead. Jordan
The police got called because the fake badge used my real name to match the name on the car. After I swapped it in the box they realised when they emptied the badges at the end of the day that my badge was wrong, and they phoned the police, but we managed to catch it before they came. Jordan
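The SOC and IDS point made in the interview (loud internet scans are easy to spot, a trained team's probing is harder, and the purple-team exercise ramped from quiet to noisy to see what the blue team picked up) can be shown with a small detection rule set. What follows is an added example written for this page, not code from Bulletproof or the interviewees: the log format, IP addresses, timings and thresholds are all constructed for illustration, and the point is that a single short-window "N ports in 10 seconds" rule catches the loud scan but misses the low-and-slow one, so a second long-window rule is needed.

```python
# Added example (not from the Bulletproof interview): a minimal port-scan
# detector over constructed firewall log lines. It shows why a short-window
# threshold catches a loud internet scan but misses a slow, deliberate one,
# and why a second, long-window rule is needed to close that gap.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not any real firewall's syntax):
# "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def build_logs():
    """Constructed sample traffic: one loud scanner, one slow scanner, noise."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # Loud scan: 203.0.113.5 probes 30 ports in under three seconds.
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} DENY src=203.0.113.5 dst=198.51.100.10 dport={1000 + i}")
    # Slow scan: 198.51.100.77 probes one port every 90 seconds for about an hour.
    for i in range(40):
        ts = base + timedelta(seconds=90 * i)
        lines.append(f"{ts.isoformat()} DENY src=198.51.100.77 dst=198.51.100.10 dport={2000 + i}")
    # Benign noise: a single denied packet from a third host.
    ts = base + timedelta(seconds=5)
    lines.append(f"{ts.isoformat()} DENY src=192.0.2.9 dst=198.51.100.10 dport=443")
    return lines


def flag_scanners(lines, window, min_ports):
    """Return the set of source IPs that touch at least `min_ports` distinct
    destination ports within any sliding time window of length `window`."""
    events = defaultdict(list)  # src -> [(ts, port), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, port = parsed
            events[src].append((ts, port))

    flagged = set()
    for src, evs in events.items():
        evs.sort()
        start = 0
        in_window = defaultdict(int)  # port -> hits currently inside the window
        for end in range(len(evs)):
            in_window[evs[end][1]] += 1
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                flagged.add(src)
                break
    return flagged


# Rule thresholds are constructed for the example, not tuned for any real network.
FAST_RULE = (timedelta(seconds=10), 20)  # 20 ports in 10 s: catches loud scans
SLOW_RULE = (timedelta(hours=1), 15)     # 15 ports in 1 h: catches low-and-slow


def detect(lines):
    """Run both rules; returns (fast_rule_hits, slow_rule_hits)."""
    return flag_scanners(lines, *FAST_RULE), flag_scanners(lines, *SLOW_RULE)


if __name__ == "__main__":
    fast, slow = detect(build_logs())
    print("fast-rule hits:", sorted(fast))  # only the loud scanner
    print("slow-rule hits:", sorted(slow))  # loud and slow scanners
```

Run stand-alone, the fast rule flags only 203.0.113.5, while the hour-long rule flags both scanners; the staged purple-team approach described above is essentially this exercise run live, with the red team raising the noise level until the blue team's rules fire.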
Jordan is a Bulletproof Penetration Testing Manager, with several years' experience of Red Team testing and managing complex projects. He still gets involved in regular penetration tests and has a particular flair for Red and Black teaming.