Advisory

Red & Purple Team Operations

Intelligence-led adversary simulation measured in MITRE ATT&CK coverage, detection latency and response gaps - not CVSS scores.

Full-scope attacks. Measured defences.

Red and purple team engagements go beyond vulnerability discovery. We replicate a real adversary's journey - from initial access through objective completion - testing whether your detection and response capabilities hold when it counts. Engagements run in three modes: classic stealth red team with your SOC unaware, assumed-breach starting from a known foothold, or collaborative purple team with red and blue working side-by-side so detections are tuned in real time. Outcomes are measured in MITRE ATT&CK technique coverage, detection latency per tactic, and response gap analysis - not CVSS numbers. Physical, social, cloud and network objectives all on the table.

Deep dive into the capabilities
MITRE ATT&CK coverage: 200+ TTPs
Avg engagement: 4-8 weeks
Operator certs: OSCP · OSEP · CRTO
Domains tested: Cyber · Physical · Social

How our red teams operate differently.

The same named team stays with you from kick-off through delivery. Engagements are shaped to your risk profile, not our template library.

Three engagement modes

Stealth red team, assumed-breach or collaborative purple team - right-sized to your SOC maturity, not forced into a one-size-fits-all template.

MITRE ATT&CK-measured

Every engagement produces a technique-coverage matrix showing which of the 200+ TTPs you detected, missed or prevented.

Purple-team debrief

Detection rules, hunt queries and runbook updates handed to your SOC during the engagement, not months after a PDF lands.

Full-scope by default

Cyber, physical, social engineering and cloud objectives in a single scope. Organised-crime TTPs, not an internal pen test with a new name.

The adversary lifecycle we follow.

Every engagement follows the same six-step CREST-aligned methodology. You get visibility into every phase and an audit trail of every action taken by the test team.

  1. Threat modelling

     Select the adversary to emulate, define objectives, and agree rules of engagement and scope safeguards with your exec sponsor.

  2. Reconnaissance

     Passive and active OSINT, social media mapping and attack-surface discovery, done from the outside as an adversary would, without reference to your asset register.

  3. Initial access

     Weaponised phishing, credential stuffing, supply-chain or physical vectors, depending on the agreed scope.

  4. Establish foothold

     Persistence, C2 infrastructure, defence evasion and elevation to an operational beachhead ready for actions on objective.

  5. Actions on objective

     Lateral movement, privilege escalation, data discovery and objective completion under live monitoring.

  6. Purple-team debrief

     Technique-by-technique replay with your SOC, detection content handover and prioritised tuning recommendations.

Scoping options on the table.

No tiered upsells, no "platinum" package. What you see is what you get - one contract, one team, one number to call.

Adversary emulation

APT-style campaigns modelled on threat actors actively targeting your sector and region - not generic playbook content.

Social engineering

Phishing, voice pretext, targeted spear-phishing and business-email-compromise simulations with measurable human-layer metrics.

Physical intrusion

On-site tailgating, lock-bypass, device-drop and badge-cloning assessments with agreed scoping safeguards and damage controls.

Cloud objectives

AWS, Azure and GCP lateral-movement scenarios including IAM role chaining, token theft and cross-tenant escalation.

Detection-gap hunting

Hypothesis-driven hunts paired with your blue team to find blind spots in SIEM content, EDR coverage and hunt queries.

Purple-team runbook tuning

Live detection tuning during engagement with delivered hunt queries, SIEM analytic content and runbook updates.

What a mature red team delivers.

Every engagement runs through a unified portal. Scope, schedule, consume findings and measure the program across years of history - without a single PDF attachment hitting your inbox.

Detection-gap analysis

Identify which TTPs your current stack can't see, ranked by real-world exploitation frequency in your sector.

Response-time measurement

Cold, hard numbers on how long each attack phase takes to detect, escalate and contain - per tactic, per host, per team.

MSSP validation

Tests whether your outsourced SOC actually delivers what the SLA claims, not just whether alerts fire.

Breach simulation

Full-chain attack rehearsal so your IR runbooks are proven under pressure before the real adversary applies them.

Board-level reporting

Executive narrative translating TTP coverage into business risk, regulatory exposure and remediation spend priority.

MITRE-aligned remediation

Remediation roadmap mapped directly to ATT&CK tactics so your SOC can sequence uplift against the gaps that matter most.

Hard numbers we leave you with.

Measurable, reportable, auditable - every outcome tracks to a control in your compliance framework.

  • MITRE ATT&CK technique coverage matrix showing, per technique and tactic, what was detected, missed or prevented

  • Hard-number detection-latency measurement per TTP and per attack phase

  • Response-gap analysis ranked by exploitation frequency and business impact

  • Hardened SOC detection content - SIEM rules, hunt queries and runbooks delivered during the engagement

  • Executive-level narrative report and regulator-facing evidence pack suitable for APRA and SOCI submission
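The coverage matrix and detection-latency numbers listed above come from joining two records: what the operators did and when, and what the SOC alerted on and when. The following is an added worked example of that scoring, not the provider's own tooling. It constructs a small red-team action log and SOC alert log (sample data, constructed for illustration), classifies each ATT&CK technique as prevented, detected or missed, computes time-to-detect per technique and a median per tactic, and lists the missed techniques in kill-chain order so the earliest point where the chain could have been stopped surfaces first. Field layouts, technique choices and timestamps are assumptions.

```python
"""Score a red-team engagement: ATT&CK coverage matrix and detection latency.

Added example, not the page's or provider's own code. Log layouts below are
assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Operator action log: (utc timestamp, technique, tactic, description, outcome).
# outcome is "executed" (the action ran) or "blocked" (a control prevented it).
# Constructed sample data.
RED_LOG = [
    ("2024-03-04T09:00:00", "T1566.001", "initial-access", "phish with ISO attachment", "executed"),
    ("2024-03-04T09:12:00", "T1059.001", "execution", "PowerShell stager", "executed"),
    ("2024-03-04T09:30:00", "T1547.001", "persistence", "Run key persistence", "executed"),
    ("2024-03-04T10:05:00", "T1003.001", "credential-access", "LSASS memory dump", "blocked"),
    ("2024-03-04T10:40:00", "T1021.002", "lateral-movement", "SMB admin share to FS01", "executed"),
    ("2024-03-04T11:20:00", "T1048.003", "exfiltration", "HTTPS exfil of 40 MB", "executed"),
]

# SOC alert log: (utc timestamp, technique the alert was mapped to in the
# debrief, alert name). Constructed sample data.
BLUE_LOG = [
    ("2024-03-04T09:14:30", "T1059.001", "EDR: suspicious encoded PowerShell"),
    ("2024-03-04T10:05:05", "T1003.001", "EDR: credential dump prevented"),
    ("2024-03-04T13:10:00", "T1021.002", "SIEM: lateral movement via admin share"),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def score_engagement(red_log, blue_log):
    """Return coverage matrix, latency per technique, median latency per tactic,
    status counts and an ordered gap list. Assumes each technique appears once
    in red_log; a repeated technique keeps its last status."""
    # Earliest-first index of alerts per technique.
    alerts = defaultdict(list)
    for ts, tech, _name in blue_log:
        alerts[tech].append(_ts(ts))
    for times in alerts.values():
        times.sort()

    matrix, latency_s, by_tactic, gaps = {}, {}, defaultdict(list), []
    for ts, tech, tactic, _desc, outcome in sorted(red_log):
        t0 = _ts(ts)
        if outcome == "blocked":
            # A control stopped the action outright; counts as prevented
            # regardless of whether an alert also fired.
            matrix[tech] = "prevented"
            continue
        # Only alerts at or after the action count; an earlier alert on the
        # same technique is unrelated noise, not a detection of this action.
        hits = [t for t in alerts.get(tech, []) if t >= t0]
        if hits:
            matrix[tech] = "detected"
            secs = (hits[0] - t0).total_seconds()
            latency_s[tech] = secs
            by_tactic[tactic].append(secs)
        else:
            matrix[tech] = "missed"
            gaps.append((tactic, tech))  # kill-chain order: earliest miss first

    tactic_latency_s = {t: median(v) for t, v in by_tactic.items()}
    counts = {s: sum(1 for v in matrix.values() if v == s)
              for s in ("detected", "prevented", "missed")}
    return {"matrix": matrix, "latency_s": latency_s,
            "tactic_latency_s": tactic_latency_s, "counts": counts, "gaps": gaps}


if __name__ == "__main__":
    result = score_engagement(RED_LOG, BLUE_LOG)
    for tech, status in result["matrix"].items():
        lat = result["latency_s"].get(tech)
        print(f"{tech:10} {status:9} {'' if lat is None else f'{lat/60:.1f} min'}")
    print("per-tactic median latency (s):", result["tactic_latency_s"])
    print("counts:", result["counts"])
    print("gaps in kill-chain order:", result["gaps"])
```

On the constructed data the SOC prevents the credential dump, detects the PowerShell stager in 2.5 minutes and the lateral movement in 2.5 hours, and misses initial access, persistence and exfiltration; the gap list puts the missed initial-access phish first because a detection there would have cut the whole chain short. In a real engagement the same join runs over hundreds of actions, and the per-tactic medians feed the response-time measurement described above.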

Operator credentials on the bench.

OSCP · OSEP · CRTO · CRTP · CRTE · CREST CRT · CREST CCT · GXPN

Red & purple teaming, explained.

Can't find the answer here? The team responds to scoping queries within one business day - usually faster.

What's the difference between a red team and a pen test?

A pen test finds as many vulnerabilities as possible within a defined scope. A red team replicates a real adversary pursuing a specific objective - exfiltrate customer data, compromise the admin domain, move money. Red team measures detection and response; pen test measures vulnerability coverage.

What's the difference between red and purple teaming?

Red team operates covertly - your SOC doesn't know the engagement is running. Purple team operates collaboratively - red and blue in the same room, tuning detections as attacks run. We do both, and most mature customers alternate between modes across years.

Do we need to tell our SOC?

Depends on the mode. Classic red teams are stealth - only the executive sponsor and one or two safety stakeholders know. Purple teams are openly collaborative. Assumed-breach engagements can go either way. We agree communications discipline at kick-off.

How much does SOC maturity matter?

For a stealth red team, you need enough maturity that you would realistically expect to catch something; otherwise the engagement proves nothing beyond the absence of detection. Purple teaming is the right first step for less-mature SOCs: we help you build detection content as we run the attacks.

Do you actually go physical?

Yes, when scope permits. Tailgating, lock-bypass, device-drops, badge cloning and social-engineering entry are all on the table - with agreed damage controls, legal authorisation and a physical safety plan.

How is the engagement scoped to prevent real damage?

Rules of engagement documented with the exec sponsor, pre-approved destructive-action restrictions, live bridge to your security lead during all on-target phases, and agreed kill-switches for any action that risks availability.

What does the final deliverable look like?

Three artefacts: (1) an executive narrative for the board, (2) a technical report with full chain-of-evidence and ATT&CK matrix, and (3) a SOC package containing detection content, hunt queries and prioritised uplift recommendations.

Security, engineered around you.

Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.