From Recon to Ruin - ThreatSpike's Red Team Engagement Walkthrough
By Curt Hems, Red Teamer and Marketing Lead
Red team engagements are often misunderstood as one-off penetration tests or a simple checklist of vulnerabilities.
In reality they are controlled simulations that mirror how a real adversary would target, penetrate and operate inside an organisation. Their value lies not just in uncovered vulnerabilities but in the hard evidence they provide about people, processes and the maturity of detection and response capabilities.
Why red teaming matters
Organisations buy controls and tools to reduce risk; attackers succeed by exploiting gaps between those controls — mismatches in process, identity, configuration and human behaviour. Red teaming exposes those gaps under realistic conditions. It shows not only whether an attacker can get in but how long they can operate undetected and what impact they could cause.
For leaders it answers three simple questions:
- can we detect a genuine attack?
- can we contain it quickly?
- can we restore operations with confidence?
Phase 1 — reconnaissance: building the attacker’s picture
Every intrusion begins with information. Reconnaissance assembles an attacker’s view using open-source intelligence and passive discovery to map public apps, subdomains, employee profiles and third-party integrations. Typical outputs include a catalogue of exposed assets and software versions; email naming patterns useful for social engineering; and a list of suppliers that expand the attack surface. Defensive takeaway: inventory your external footprint; run routine OSINT monitoring; limit what employees publish publicly; audit vendor directories.
Phase 2 — initial access: finding the weak door
With recon complete the red team seeks realistic access vectors: credential-harvesting emails, unpatched internet-facing apps, misconfigured VPNs, or reused credentials from prior breaches. Mid-market environments commonly fall to phishing and poorly configured remote access. ThreatSpike uses low-impact techniques under strict rules of engagement to replicate adversary behaviour without harm. Defensive takeaway: enforce multi-factor authentication, prioritise patching, implement credential monitoring, and run regular phishing simulations paired with user education.
Phase 3 — escalation: gaining momentum
After a foothold the focus shifts to privilege escalation and lateral movement. Attackers use token impersonation, service misconfigurations, weak local privilege settings and abuse of admin tooling. Modern adversaries often “live off the land”, using legitimate tools to blend in, so signature-based detection becomes less effective. Defensive takeaway: apply least privilege to users and service accounts; harden identity management; monitor for anomalous privilege escalations; instrument admin tools for telemetry.
Phase 4 — persistence and lateral movement: staying hidden
Persistence techniques include scheduled tasks, service modifications and weak backup processes; lateral movement broadens reach to high-value assets. Detection needs endpoint telemetry, network flow analysis and contextual logs to stitch a coherent timeline. Defensive takeaway: deploy broad EDR with tuned detections; segment networks to limit east-west movement; validate backup and restore procedures.
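The timeline stitching that Phases 3 and 4 call for, as an added Python example that is not ThreatSpike's tooling or code from the engagement: events from email, endpoint, identity and network sources are normalised to one schema, ordered by time and chained per host, so that a foothold, an escalation and a persistence step inside one short window surface as a single incident instead of three unrelated alerts. The hostnames, usernames, timestamps, detail strings and the 30-minute window are constructed assumptions.

```python
"""Stitch a cross-source timeline from constructed telemetry (added illustration,
not ThreatSpike's tooling). Events from four sources are normalised, ordered and
chained per host; hosts, users, timestamps and details below are constructed."""
from datetime import datetime, timedelta

# Constructed sample telemetry: (source, timestamp, host, user, detail).
EVENTS = [
    ("email", "2024-03-04T09:12:05", "WS-104", "a.smith", "attachment opened: invoice.docm"),
    ("endpoint", "2024-03-04T09:12:40", "WS-104", "a.smith", "process: winword.exe -> powershell.exe"),
    ("identity", "2024-03-04T09:20:11", "WS-104", "a.smith", "privilege: added to local Administrators"),
    ("endpoint", "2024-03-04T09:21:03", "WS-104", "a.smith", "schtasks: task 'Updater' created"),
    ("network", "2024-03-04T09:25:47", "WS-104", "a.smith", "smb: WS-104 -> FS-01 (east-west)"),
    ("endpoint", "2024-03-04T11:02:00", "WS-221", "j.doe", "schtasks: task 'Backup' created"),
]

def classify(source, detail):
    """Map a raw event to the engagement phase it evidences (None = benign noise)."""
    if source == "email" and "attachment opened" in detail:
        return "initial_access"
    if source == "endpoint" and "-> powershell.exe" in detail:
        return "initial_access"
    if source == "identity" and "privilege" in detail:
        return "escalation"
    if source == "endpoint" and "schtasks" in detail:
        return "persistence"
    if source == "network" and "east-west" in detail:
        return "lateral_movement"
    return None

def stitch_timeline(events, window_minutes=30):
    """Return {host: ordered steps} for hosts whose events span at least three
    distinct phases within the window; isolated single events stay unreported."""
    window, per_host = timedelta(minutes=window_minutes), {}
    for source, ts, host, user, detail in sorted(events, key=lambda e: e[1]):
        phase = classify(source, detail)
        if phase:
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), phase, source, detail))
    incidents = {}
    for host, steps in per_host.items():
        for i, (start, *_) in enumerate(steps):  # slide the window start along each host's steps
            chain = [s for s in steps[i:] if s[0] - start <= window]
            if len({s[1] for s in chain}) >= 3:
                incidents[host] = [(s[0].isoformat(), s[1], s[2], s[3]) for s in chain]
                break  # one stitched incident per host is enough for the analyst view
    return incidents

if __name__ == "__main__":
    for host, steps in stitch_timeline(EVENTS).items():
        print(host, *(f"\n  {ts} {phase:<16} {src}: {detail}" for ts, phase, src, detail in steps))
```

The lone scheduled-task event on WS-221 is kept out of the output on purpose: in isolation it is indistinguishable from admin activity, which is why the page stresses correlation across sources rather than single-signature alerts.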
Phase 5 — objective execution: proving impact
A red team simulates real objectives such as data theft, exfiltration or disruption while stopping short of destructive acts. This phase creates the most persuasive board-level narrative: what an attacker could achieve, where controls failed and how quickly things escalate. Defensive takeaway: use data classification, DLP and egress monitoring; rehearse incident decision-making through tabletop exercises.
Phase 6 — detection, response and the purple team debrief
A thorough debrief with SOC and IT turns findings into operationally useful improvements; missed detections are converted into new rules, playbooks and training. The debrief should output prioritised remediation, detection tuning, playbooks, and identified training gaps.
www.threatspike.com/threatspike-red