aptpen.com OPS · ONLINE
◢ THREAT-INFORMED METHODOLOGY

Every finding maps to an offensive technique and a defensive countermeasure.

// Every campaign opens with a written ATT&CK plan and closes with findings indexed against both ATT&CK techniques and D3FEND countermeasures. The matrix, the kill chain, the attack-path graph, and the deliverable artifacts below describe the engagement end to end.

§01 MITRE ATT&CK × D3FEND

The matrix.

// Click any technique tile to see the actors observed using it, the D3FEND countermeasures it maps to, and how the technique is replayed in your environment. Heatmap intensity is weighted by how often each technique appears in 2024–2026 threat intelligence.

§02 THREAT-INTEL SCOPED · NAMED EMULATION

The groups we study.

// Each campaign emulates the actors most likely to target your sector. We rebuild their TTP chains from current threat intelligence and run them on your environment with their opsec, their dwell, and their tooling.

RU · SVR

APT29

aka Cozy Bear / Midnight Blizzard

OAuth abuse, Golden SAML, living-off-cloud, subtle and patient C2.

RU · GRU 26165

APT28

aka Fancy Bear / Forest Blizzard

Credential phishing, Outlook exploits, router malware.

CN · STATE-SPONSORED

Volt Typhoon

aka Vanguard Panda

Living-off-the-land, SOHO router pivots, long dwell across critical infra.

EN-SPEAKING · FIN

Scattered Spider

aka UNC3944 / Octo Tempest

SIM swap, help-desk vishing, MFA fatigue, Okta abuse.

DPRK · RGB

Lazarus

aka Hidden Cobra

Supply chain, 3CX / X_TRADER, fake recruiters, wipers.

RU · GRU 74455

Sandworm

aka Voodoo Bear / Seashell Blizzard

NotPetya, Industroyer, BlackEnergy. Destructive lineage.

FIN

FIN7

aka Carbanak / Sangria Tempest

POS malware, BadUSB, ransomware affiliate ops.

CN · DUAL-USE

APT41

aka Wicked Panda / Brass Typhoon

Supply chain, 0-days, crypto theft, espionage plus crime.

§03 OBJECTIVE-BASED RED TEAM · ASSUME-BREACH

A typical Day-1 timeline (T+ in hours:minutes).

T+0:00
Recon
OSINT, ASM, leaked credentials, DNS history.
T+0:48
Initial Access
Phish or exposed management service.
T+1:12
Foothold
Beacon, persistence, situational awareness.
T+2:30
Privilege Escalation
Token theft, BYOVD, kerberoast.
T+4:15
Lateral
PtH, RDP, SMB, SCCM.
T+6:40
Domain Admin
Tier-0 reached. Persist and exfil.
T+12:00
Crown Jewels
Objective met. Cleanup.
// Times observed across the last 50 internal engagements. Your environment may run faster.
§04 REAL-SHAPE · ANONYMIZED

One attack path.

// Every engagement ships with BloodHound-style attack-path graphs. The sample below shows a tier-0 chain through ADCS template abuse, reconstructed from a recent engagement with all customer identifiers replaced.

[Attack-path graph, rendered as text] Nodes, in the order they appear in the graph: @spear-phish (ENTRY) · HR-WIN10-04 (HOST) · jdoe@acme (USER) · SCCM-MGMT-01 (SERVICE) · DPAPI cache (DATA) · svc_sccm (USER) · ADCS ESC1 (VULN) · DC01.acme.corp (CROWN) · $finance.db (CROWN). Edge labels (techniques), in the same order: user execution, token theft, SCCM client, LaZagne, AlwaysInstallElevated, enroll cert, PKINIT auth, SQL admin.
Legend: ● ENTRY ● HOST ● USER ● SERVICE ● VULN ★ CROWN JEWEL
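The ADCS ESC1 node is the pivot in that path: a low-privileged account enrolls in a misconfigured template, asks for a certificate carrying an arbitrary UPN, and then authenticates to DC01 over PKINIT as that identity. The Python below is an added example, not the page's or the engagement's tooling, that evaluates a certificate template's AD attributes against the six ESC1 preconditions from the public ESC1 definition (SpecterOps, "Certified Pre-Owned") and emits a finding record carrying the ATT&CK technique ID, the way the operator report in §05 indexes findings. Attribute names, flag values, EKU OIDs and extended-right GUIDs are the real AD/ADCS ones; the template objects (ESC1-Web, User-like, Approval-Gated), the domain SID and the finding dictionary shape are constructed for the example.

```python
"""ESC1 pre-check over AD certificate-template attributes (added example, constructed data)."""
from dataclasses import dataclass

# msPKI-Certificate-Name-Flag bit: the requester may put any subject/SAN in the CSR.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is parked for CA-manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make an issued certificate usable for PKINIT or interactive logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Rights on the template's security descriptor that permit enrollment.
ENROLL_RIGHTS = {
    "0e10c968-78fb-11d2-90d4-00c04f79dc55",  # Certificate-Enrollment extended right
    "a05b8cc2-17bc-11d2-91fb-00c04f79dc55",  # Certificate-AutoEnrollment extended right
    "GenericAll",                            # full control implies enroll
}

# Principals treated as low-privileged. The Domain Users SID uses a constructed domain.
LOW_PRIV_SIDS = {
    "S-1-1-0",                      # Everyone
    "S-1-5-11",                     # Authenticated Users
    "S-1-5-21-1111-2222-3333-513",  # Domain Users (constructed domain SID)
}


@dataclass
class Template:
    """Subset of a pKICertificateTemplate object as read over LDAP."""
    name: str
    name_flag: int        # msPKI-Certificate-Name-Flag
    enrollment_flag: int  # msPKI-Enrollment-Flag
    ra_signatures: int    # msPKI-RA-Signature
    ekus: list            # pKIExtendedKeyUsage; empty means any purpose
    aces: list            # (trustee SID, right) allow ACEs on the template
    published: bool       # listed in an Enterprise CA's certificateTemplates


def esc1_conditions(t, low_priv=LOW_PRIV_SIDS):
    """Each ESC1 precondition as a named boolean; all True means the template is exploitable."""
    return {
        "published_on_enterprise_ca": t.published,
        "enrollee_supplies_subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": t.ra_signatures == 0,
        "authentication_eku": not t.ekus or bool(AUTH_EKUS & set(t.ekus)),
        "low_priv_can_enroll": any(sid in low_priv and right in ENROLL_RIGHTS
                                   for sid, right in t.aces),
    }


def is_esc1(t, low_priv=LOW_PRIV_SIDS):
    return all(esc1_conditions(t, low_priv).values())


def finding(t, low_priv=LOW_PRIV_SIDS):
    """Finding record in the shape of an operator-report entry, or None if not vulnerable."""
    if not is_esc1(t, low_priv):
        return None
    return {
        "title": f"ADCS ESC1: template {t.name} lets a low-privileged enrollee request a logon certificate for an arbitrary UPN",
        "attack_technique": "T1649",  # ATT&CK: Steal or Forge Authentication Certificates
        "evidence": esc1_conditions(t, low_priv),
        "fix": [
            "Clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the SAN is built from AD, not the CSR",
            "Or set CT_FLAG_PEND_ALL_REQUESTS / require RA signatures on the template",
            "Restrict Enroll to the principals that actually need this template",
            "Unpublish the template from the CA if nobody needs it",
        ],
    }


def scan(templates, low_priv=LOW_PRIV_SIDS):
    return [f for f in (finding(t, low_priv) for t in templates) if f]


# Constructed sample templates (not from any real forest).
SAMPLE_TEMPLATES = [
    Template("ESC1-Web", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],    # Server Auth + Client Auth
             [("S-1-5-21-1111-2222-3333-513", "0e10c968-78fb-11d2-90d4-00c04f79dc55")],
             True),
    Template("User-like", 0x02000000, 0, 0,                 # SAN built from the AD UPN
             ["1.3.6.1.5.5.7.3.2"],
             [("S-1-5-21-1111-2222-3333-513", "0e10c968-78fb-11d2-90d4-00c04f79dc55")],
             True),
    Template("Approval-Gated", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS, 0,
             ["1.3.6.1.5.5.7.3.2"],
             [("S-1-5-11", "0e10c968-78fb-11d2-90d4-00c04f79dc55")],
             True),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TEMPLATES):
        print(f["attack_technique"], f["title"])
```

Only ESC1-Web trips every condition: User-like derives its SAN from the account's UPN, and Approval-Gated parks requests for a CA manager, which breaks the chain even though the enrollee controls the subject. Against a live forest the same check is fed from the pKICertificateTemplate objects under CN=Certificate Templates in the Configuration partition plus each CA's certificateTemplates attribute.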
§05 DELIVERABLES · SEVEN ARTIFACTS

What lands in your inbox.

// Every engagement ships seven artifacts. The board reads the executive narrative, the SOC reads the detection asks, the platform team reads the operator report, and the IR team gets the raw artifacts for tabletop and drill use.

01
ARTIFACT.01

Executive narrative

Plain English, board-ready, four pages max. One page per finding tier, one page on what changes if nothing is patched.

02
ARTIFACT.02

Operator report

Every finding with reproduction steps, evidence, ATT&CK technique, and a D3FEND-mapped fix. Indexed for triage.

03
ARTIFACT.03

Attack-path graphs

BloodHound-style, sanitized, owner-tagged. One graph per crown-jewel objective reached.

04
ARTIFACT.04

Detection asks

Sigma rules with Splunk SPL, Sentinel KQL, and Elastic ES|QL translations, tuned against your data sources before handoff.

05
ARTIFACT.05

Retest window

Free retest within sixty days of patch on every finding, scoped to the original attack chain end to end.

06
ARTIFACT.06

Read-out call

Live walkthrough with your blue team, recorded for archive. Operator-led, slide-free.

07
ARTIFACT.07

Raw artifacts

Beacons, scripts, IOCs handed off for your IR drills, with a full chain-of-custody log of operator actions.

See the methodology in your environment.

The fastest path to value is a scoping conversation with the operator who would run your campaign. Tell us about the environment and we will draft the ops plan.
