Fourteen services, each scoped as a campaign.
// Every offering below maps to one or more MITRE ATT&CK tactics and ships with reproducible findings and proposed detections. Scoping starts from the campaign archetype that matches your sector and threat model, then the relevant services compose into the engagement plan.
Services.
Adversary emulation
Named-actor TTP replay. We emulate APT29, Volt Typhoon, and Scattered Spider on your stack, with their playbook.
- Threat-intel scoped
- ATT&CK-aligned plan
- Atomic and chained tests
- Purple-team option
Red team
Objective-based, full-scope. Initial access through impact. No scanners, no checklists, just operators with a real plan.
- Black, grey, or white-box
- OPSEC-tight infrastructure
- Physical and social
- Crown-jewel objectives
Continuous engagement
Always-on offensive operations. Quarterly operator rotations, persistent infrastructure, weekly findings into your Slack.
- Dedicated operators
- CTEM-aligned
- Retest on patch
- Slack and Teams integrated
External network
Perimeter attack surface. Forgotten subdomains, exposed APIs, leaked credentials, and the management interfaces that get left in production.
- ASM-driven recon
- Auth bypass
- Cred spray, rate-aware
- Exposed mgmt
Internal / Active Directory
Assume-breach. Domain Admin in days. ESC1 through ESC15. Kerberoast. BloodHound. The full identity layer.
- ADCS abuse
- Tier-0 attack paths
- NTLM relay
- Group Policy / GPO
Web app and API
Beyond OWASP Top 10. Business logic, IDOR chains, GraphQL, OAuth, SSRF-to-cloud.
- Auth and session
- Multi-tenant isolation
- JWT and OIDC abuse
- GraphQL introspection
Cloud · AWS / Azure / GCP
IAM is the new perimeter. We chain misconfigurations to root, then to your data.
- IAM privilege chains
- KMS and Secrets abuse
- Cross-account trust
- SSPM and CSPM gaps
Kubernetes and container
Pod to node to cluster to cloud. RBAC, admission, supply chain.
- RBAC escalation
- Container breakout
- Sidecar abuse
- Helm and Argo supply
Wireless
WPA3, 802.1X, captive portals, rogue APs, BLE and Zigbee, guest network leaks.
- EAP relay, PEAP downgrade
- PMKID
- Rogue AP / Evil Twin
- BLE / Zigbee
Physical and social
Badge cloning, tailgating, drop boxes, vishing campaigns. We get in, we plant, we exfil.
- HID and Mifare cloning
- Lock bypass
- Pretext vishing
- Implant deployment
Mobile
iOS and Android. Static, dynamic, and runtime analysis. Frida, Objection, root and jailbreak chains.
- IPA / APK reversing
- Cert pinning bypass
- Keychain and KeyStore
- Deeplink abuse
OT and ICS
Purdue model. Safe-by-design test plans. PLC, HMI, historian, and jump-host pivots.
- L3.5 / DMZ review
- Protocol fuzz (safe)
- Historian and HMI
- Vendor remote access
AI / LLM red team
Prompt injection, jailbreaks, training-data poisoning, RAG exfil, agent abuse.
- Indirect prompt injection
- Tool and agent jailbreak
- RAG data exfil
- Model DoS and cost abuse
Source code review
Manual review by operators who exploit what they find.
- Auth and session logic
- Crypto misuse
- Supply chain
- SAST tuning and triage
Campaign verticals.
// Each engagement is shaped against the threat model the sector actually faces. The cards below pair an industry to its campaign archetype, the actors emulated, and the objective the work pursues. The codename, the ops plan, and the actor list are real artifacts, drafted before the work begins.
Financial services
Healthcare & life sciences
Defense & public sector
Critical infrastructure
Tech & SaaS
Legal (AmLaw)
Retail & hospitality
Insurance & asset mgmt
// Verticals beyond this list are almost always still in scope. The eight above are simply the most common shapes the work has taken. Tell us about the environment and we will draft the archetype to match.