Red teaming

The core of offensive security lies in seeing security through the eyes of a hacker. You cannot get closer to this than with a red teaming. We use a realistic attack simulation to measure the resilience of your organization against an advanced attacker. Where a penetration test can be seen as a test, a red teaming is the final exam.

Ethical hacking

In a red teaming the detection and response measures are also examined. Just like a real attacker, we work as unobtrusively as possible, so that the Blue team (the SOC analysts), without their knowledge, are challenged to detect an attack in their network. 

Unlike a penetration test, the goal of a red teaming is not to expose as many vulnerabilities as possible. Instead, this method aims to verify that the total set of security measures in place provides adequate protection against a real attacker. 

Our hackers will try to stay in your network for a longer period of time. Under the radar, they acquire rights in your systems and information about your crown jewels. When they have all the pieces of the puzzle in place, so-called Actions on objectives are carried out: malicious actions that demonstrate the impact of the attack. 

Modular red teaming

Put together a red teaming project that exactly matches your wishes and information needs. We offer red teaming services based on modules, where a module contains one or more activities with a specific goal within the project. We would be happy to discuss your information needs with you in order to come to a suitable composition of modules together.


The TIBER-NL programme, led by the Dutch Central Bank, aims to increase the cyber resilience of the financial sector. The resulting framework is also very useful for other vital sectors, such as the healthcare, telecom or energy sector. Is your organization obliged to carry out a TIBER-NL or do you wish to use this framework? The S-Unit is the Red Team Provider for your TIBER-NL test.

Purple teaming workshop

A direct collaboration between our hackers (the red team) and your security team (the blue team) to improve your detection and response capabilities. Choose a purple teaming workshop as part of your red teaming or stand-alone technique to take your Security Operations Center (SOC) to the next level.

Red Teaming FAQ’s

What is red teaming?

Red teaming is an offensive method of cybersecurity testing. A realistic attack simulation tests the cyber resilience of an organization against an advanced attacker. As with other offensive methods, it uses the hacker mindset to look at an organization's security. We call the ethical hackers who run the simulation the red team. We collectively refer to the various teams that are responsible for security within the organization to be tested as the blue team. A select number of individuals from the organization to be tested are involved for coordination and coordination, who together form the white team. 

What is the purpose of a red teaming?

A red teaming serves two primary purposes. First, it is a measurement of the organization's current resilience level. How mature is the organization in the field of cyber security and does this meet expectations? This is an important starting point for determining a broader cyber security strategy. Second, a red teaming is an opportunity for the blue team to learn from their opponents. Which holes can the red team identify that were unknown to the blue team and which techniques are used that remain under the radar of the blue team.  

What is the difference between a red teaming and a penetration test?

A penetration test efficiently helps to close as many specific gaps as possible. The technique thus tests measures that fall within the Protect function of the NIST framework. A red teaming is aimed at verifying whether the total set of security measures in place offers sufficient protection against a real attacker. This tests the Identify, Protect, Detect and Response functions from the NIST framework. 

More information

What are the core features of a red teaming?

A red teaming has three core properties that distinguish it from a penetration test. The individual properties can also be applied within a penetration test, creating a hybrid form. However, a true red teaming has at least the following three properties: 

  1. The test is carried out organization-wide. This means that all IT systems of an organization can be attacked. In addition, red teaming is not limited to attacks on technology alone, but people and processes can also be targeted. 
  2. The test is performed in secret. Only members of the red team and a select few individuals from the tested organization, such as the CISO, are aware of the exercise. 
  3. The test is scenario-oriented. It is a simulation of a real attacker with an underlying motive, an objective and associated method. An example could be an attacker with the motive of financial gain, the aim of receiving a ransom and the method of holding IT systems hostage with ransomware. 

Why is red teaming carried out organization-wide?

Organization-wide execution of the test ensures that the results of a red teaming are influenced as little as possible by scope limitations that a real attacker is not aware of either. This is required to determine to what extent the organization has identified the correct parts that need to be protected.

Why is red teaming done in secret?

The secret execution of red teaming is required to realistically test the organization's detection and response measures. After all, when the blue team is aware of the fact that red teaming is being carried out, they may proceed in a different way than when this is not the case.  

Why is red teaming scenario-oriented?

The scenario-oriented approach is required to realistically test the detection and response measures. Despite the fact that several routes are possible to reach a certain end goal within an organization, a real attacker will only try to find one route. To test whether an organization can detect and stop such an attack, the red team must proceed in a similar way. If the red team were to look for additional routes, this would result in more detectable actions than necessary, so that the detection capabilities would no longer be realistically tested. 

What is TIBER-NL?

Threat Intelligence Based Ethical Red-teaming Netherlands (TIBER-NL) is a program of De Nederlandsche Bank (DNB) to increase the cyber resilience of the financial sector in the Netherlands. With regard to the social function that financial institutions, such as banks and insurers fulfill, a cyber attack on such an institution can have a major social impact. For that reason, periodic performance of a TIBER test is mandatory for specific financial institutions. TIBER tests are performed using the TIBER framework. Although this framework has been developed for the financial sector, it can also be applied to other sectors. Following the success of the TIBER-NL framework in the Netherlands, the European Central Bank (ECB) has introduced a comparable framework together with the central banks of 12 EU countries: TIBER-EU. Various central banks also have their own variant of the framework. For example, the central bank of Germany uses the TIBER-DE framework. Within The S-Unit, the TIBER-NL framework is used as a starting point for performing red teaming tests.

How does red teaming work?

The S-Unit offers red teaming services based on modules. This makes it possible to tailor red teaming to the wishes and information needs of our customers. The modules are based on the TIBER-NL framework and are divided into four phases: preparation, targeted threat intelligence, red team test and closure. The preparation serves to coordinate the project and collect the correct information from the organization. The targeted threat intelligence phase aims to collect information to create relevant attack scenarios. During the red team test phase, the prepared scenarios are actually implemented. During the closing phase, knowledge transfer takes place to increase the educational value. 

More information

More information about Red Teaming?

  • This field is for validation purposes and should be left unchanged.