Red Teaming

Ethical hacking

The core of offensive security lies in viewing security through the lens of a hacker. You cannot get closer to this view than with Red Teaming. Through realistic attack simulations, we measure your organization’s resilience against sophisticated attackers. While a penetration test can be seen as a regular test, Red Teaming is the final exam.

Unlike a penetration test, the goal of a Red Teaming is not to expose as many vulnerabilities as possible. Instead, this method verifies whether the total set of security measures adequately protects against an actual attacker.

Red Teaming also examines detection and response measures. Just like an actual attacker, we operate as covertly as possible, challenging your security team to detect an attack in their network without their prior knowledge of the exercise.

Our hackers will try to stay in your network for an extended period. Under the radar, they acquire rights in your systems and information about your crown jewels. When they have all the pieces of the puzzle in their grasp, so-called actions on objectives will be executed: malicious actions that demonstrate the impact of the attack.

What is Red Teaming

Red Teaming, also known as adversary simulation, is an offensive method for testing cybersecurity. A realistic attack simulation tests an organization’s cyber resilience against a sophisticated attacker. Like other offensive methods, it uses the mindset of hackers to look at an organization’s security. The ethical hackers running the simulation are called the red team. The various teams responsible for security within the organization being tested are together called the blue team. For alignment and coordination, a select number of individuals from within the organization being tested are involved, and together they form the white team.

What is the purpose of a Red Teaming?

A Red Teaming serves two primary purposes. First, it is a measurement of the organization’s current resilience level. How mature is the organization regarding cybersecurity, and does it match expectations? This is an important starting point for defining a broader security strategy. Secondly, Red Teaming is an opportunity for security teams to learn from their adversaries. Discover how sophisticated attackers try to stay under the radar and how detection and response capabilities can be improved to detect the use of such techniques anyway.

Why choose The S-Unit?

Our approach goes beyond attack simulations. At The S-Unit, we provide an in-depth evaluation of your security measures and reveal valuable insights that protect your organization from advanced threats.

We apply a realistic attack simulation to verify whether your total set of security measures provides adequate protection against real attackers. We go beyond exposing vulnerabilities by investigating detection and response measures. Discreetly, we challenge your security team to detect an attack in their network.

At The S-Unit, we offer modular Red Teaming services so you can create the perfect combination of modules to suit your needs and requirements. We are the right choice if you are looking for a Red Teaming provider familiar with frameworks such as TIBER-NL, ART, or ZORRO. Our experienced hackers simulate advanced threat tactics with state-of-the-art capabilities. Make a wise choice and opt for Red Teaming at The S-Unit.

Modular Red Teaming

Using our modular Red Teamings, you can put together a Red Teaming project that exactly matches your needs and information requirements. We will be happy to discuss your needs with you to devise a suitable composition of modules.

Framework Red Teaming

Are you looking for a red teaming provider for a test using a framework like TIBER-NL, ART or ZORRO? Take advantage of The S-Unit's expertise and experience in simulating advanced threat actors with state-of-the-art capabilities.

Purple Teaming

A direct collaboration between our hackers and your security team to improve your detection and response capabilities. Choose a purple teaming workshop as part of your Red Teaming or as a standalone technique to take your security operations centre to the next level.

Team Collaboration in Red Teaming

Red Teaming is a crucial method for measuring an organisation's current resilience. Within this process, a colour code distinguishes different teams, each with a unique role and responsibility.

• Red team: this ethical hacking team performs realistic attacks to expose vulnerabilities and test security resilience.

• Blue team: the defensive team maintains security and discovers and stops attacks during the simulations.

• White team: selected individuals responsible for coordinating and evaluating responses to the attack simulations.

• Purple team: A mix of red and blue, this team is focused on working together to discover vulnerabilities and improve security.

• Gold team: Also known as cyber crisis simulation, this team integrates the different colours into the Red Teaming process. Here, the specific colours indicate activities.

Red Teaming modules

The S-Unit offers Red Teaming services on a module basis. This allows a Red Teaming to be tailored to the client's needs and information requirements. The modules are divided into four phases. These phases and modules are based on the TIBER-NL and ART frameworks. The following modules are available for each phase:



'Where a penetration test can be seen as a test, a Red Teaming is the final exam.'

Red Teaming: more than cybersecurity testing

Red Teaming is more than an offensive cybersecurity testing method; it is a mindset. A realistic attack simulation tests resilience and provides valuable insights and learning opportunities. In short, Red Teaming with The S-Unit delivers a comprehensive evaluation of cybersecurity and useful insights and learning opportunities for organizations striving to maximize protection against advanced cyber threats.

Red Teaming FAQs

What is the difference between a Red Teaming and a penetration test?

A penetration test efficiently helps to close as many specific gaps as possible. The technique thus tests measures that fall within the Protect function of the NIST framework. A Red Teaming is aimed at verifying whether the total set of security measures in place offers sufficient protection against a real attacker. This tests the Identify, Protect, Detect and Respond functions from the NIST framework.

The core characteristics of a Red Teaming

Red Teaming is distinguished from other offensive tests by three core features. Depending on an organization’s information needs, these features can also be applied in a penetration test, creating a hybrid form. To get the maximum Red Teaming result, it should meet the following characteristics:

  1. An organization-wide implementation of the Red Teaming test. This means that an organization’s IT systems can be attacked. In addition, Red Teaming is not limited to attacks on technology alone; people and processes can also be targeted. As a result, the outcome of a Red Teaming is affected as little as possible by scope limitations that an actual attacker does not know. Because of this feature, a Red Team can be used to determine the extent to which the organization has identified the right components that need to be protected.
  2. A covert execution of the test. Only members of the red team and a select number of individuals from the organization being tested, such as the CISO, are informed of the exercise. This feature means that Red Teaming can be used to realistically test the organization’s detection and response measures. After all, if the blue team is aware that an offensive security test is being conducted, they may proceed differently than if this is not the case.
  3. A scenario-based implementation of the test. This involves a simulation of an actual attacker with an underlying motive, objective and corresponding method. An example could be an attacker whose motive is financial gain, whose objective is to receive a ransom and whose method is to hold IT systems hostage with ransomware. This scenario-oriented approach is a second requirement for realistically testing detection and response measures. Although multiple routes can lead to a specific end goal within an organization, an attacker will only try to find one route. The red team should proceed similarly to test an organization’s ability to detect and stop such an attack. If the red team were to find additional routes, this would result in more detectable actions than necessary, which would no longer realistically test the detection capabilities.

Why is Red Teaming carried out company-wide?

Organization-wide execution of the test ensures that the results of a Red Teaming are influenced as little as possible by scope limitations that an actual attacker is not aware of either. This is necessary to determine to what extent the organization has identified the correct parts that must be protected.

Why is a Red Teaming conducted in secret?

The secret execution of a Red Teaming is required to realistically test the organization’s detection and response measures. After all, if the blue team is aware that a Red Teaming is carried out, they may proceed differently than if this is not the case.  

Why is Red Teaming scenario-focused?

A scenario-oriented approach is required to test the detection and response measures realistically. Although several routes can lead to a particular end goal within an organization, an attacker will only try to find one route. The red team must proceed similarly to test whether an organization can detect and stop such an attack. If the red team were to look for additional routes, this would result in more detectable actions than necessary, so that the detection capabilities would no longer be realistically tested.

What are TIBER-NL, ART and ZORRO?

TIBER-NL, ART and ZORRO are the most widely used red teaming frameworks in Dutch organizations. The TIBER-NL framework stems from De Nederlandsche Bank's (DNB) program of the same name, which aims to increase the cyber resilience of the financial sector in the Netherlands. The acronym stands for Threat Intelligence Based Ethical Red-teaming Netherlands. As the name suggests, threat intelligence plays an important role. Following the success of the TIBER-NL framework in the Netherlands, the European Central Bank (ECB) and the central banks of 12 EU countries introduced a similar framework: TIBER-EU. Several central banks also have their own variant of the framework. The central bank of Germany, for instance, uses the TIBER-DE framework.

Testing according to the TIBER-NL framework is time-intensive, partly because it involves running multiple attack scenarios. To make its use more accessible to smaller organisations, DNB has introduced the Advanced Red Teaming (ART) framework. This framework uses a modular approach similar to The S-Unit's. A critical difference is that The S-Unit's modular approach has no minimum requirements for using modules.

Finally, ZORRO is a framework introduced by Z-CERT that is explicitly aimed at the healthcare sector in the Netherlands. The acronym stands for Zorg Red Teaming Resilience Exercises. This framework is based on the TIBER-NL framework.

How does Red Teaming work?

The S-Unit offers Red Teaming services on a module basis. Therefore, it is possible to tailor red teaming to our customers' needs and information requirements. The modules are based on the TIBER-NL framework and are divided into four phases: preparation, targeted threat intelligence, Red Team test and closure. Preparation serves to fine-tune the project and gather the correct information from within the organization. The targeted threat intelligence phase gathers information to prepare relevant attack scenarios. During the red team test phase, the prepared scenarios are executed. During the closing phase, knowledge transfer increases the educational value. 
