How we work

Every client environment is different, but our delivery model is consistent: scope precisely, attack methodically, document thoroughly, and debrief honestly. Below are representative engagement patterns — anonymised to protect client confidentiality.

Breach simulation debrief with attack timeline visualisation
CFA-IMG-07 · Breach simulation debrief

CASE-01 · Financial services · Red team

Domain compromise in 72 hours

A mid-size wealth management firm engaged us to test whether their recent EDR rollout and MFA enforcement actually slowed an external attacker. Starting from a phished employee credential — provided by the client as a controlled seed — our team achieved domain administrator access within 72 hours through a chain involving Kerberoasting, misconfigured service accounts, and an unmonitored admin workstation.

The SOC generated three alerts during the engagement. Two were closed as false positives. One was escalated but not contained before objective completion. The debrief led to seven immediate control changes, including tiered admin access and new detection rules for unusual Kerberos ticket requests. Cluster A exposed the breach pathway; Cluster B validated that revised detections fired on a repeat attempt.

CASE-02 · Healthcare network · Detection engineering

From 14-day MTTD to 4 hours

A regional hospital group had invested heavily in SIEM infrastructure but struggled with alert noise and slow triage. Rather than starting with exploitation, we ran a detection engineering engagement: mapping their current rule set against ATT&CK techniques relevant to healthcare ransomware campaigns, retiring 23 rules that had not fired meaningfully in 18 months, and authoring 11 new correlation rules targeting lateral movement indicators.

We then executed a purple-team exercise where offensive operators attempted techniques while defenders monitored in real time. Mean time to detect for initial access dropped from 14 days (based on their prior tabletop estimate) to under four hours on the final simulation day. The CISO used our coverage map in board reporting to justify continued SOC staffing — backed by evidence, not vendor promises.

Detection engineering workshop with SIEM dashboard review
CFA-IMG-08 · Detection engineering

Four phases every engagement follows

1. Scoping & rules of engagement

We define in-scope assets, testing windows, communication protocols, and emergency stop contacts. Legal review ensures authorisation is documented. No testing begins without signed agreement.

2. Reconnaissance & execution

Operators map attack surfaces, execute planned scenarios, and adapt as they discover unexpected pathways. All activity is logged with timestamps for debrief reconstruction.

3. Reporting & prioritisation

Findings are ranked by exploitability and business impact. Executive summaries avoid jargon; technical appendices include reproduction steps and ATT&CK mappings.

4. Debrief & retest option

We walk your team through the attack narrative, answer questions, and optionally retest critical fixes within 30 days to confirm closure.

Your environment deserves the same rigour

We do not publish client names without permission. Ask us about relevant experience in your sector during a scoping call.

Book a security assessment