Sandline — Risk Based Security

Red Team

Realistic adversary simulation that measures how your detection, response and people behave under a sustained attack — not how a checklist looks on paper.

How we work

A Sandline red team operation simulates a determined adversary across the full attack chain — initial access, persistence, lateral movement, privilege escalation, data staging and exfiltration. Engagements are scoped to your threat model: a financial-services adversary looks different from a state-sponsored actor targeting an energy operator, and we tailor TTPs accordingly. The output is not a CVE list — it is a narrative of how a real attacker would have moved through your environment, how your detection stack performed, and what the SOC actually saw versus what it should have seen.

Outcomes

  • A measured baseline of detection-and-response performance against MITRE ATT&CK techniques relevant to your sector
  • A prioritised list of detection-engineering improvements (sigma rules, EDR policies, log sources)
  • Executive narrative for the board, plus technical reproduction steps for blue-team exercises
  • Audit-grade evidence that adversary simulation has been performed and acted upon

Deliverables

  • Scoping document and rules of engagement
  • Operations narrative and timeline (executive)
  • Technical reproduction package (blue team)
  • Detection coverage matrix mapped to MITRE ATT&CK
  • Remediation backlog with priorities

Engagement Workspace · 90 days free

Included with this engagement: a Centraleyezer SaaS deployment for 90 days where you generate reports on demand. At day 90 it either closes (your DOCX/PDF reports and attestation letter stay with you) or extends as a paid SaaS subscription if you want to keep using it.

Frequently asked

How is a Sandline red team different from a penetration test?

A red team is objective-driven and persistent — typically 4–8 weeks against a defined goal (e.g. exfiltrate the customer database from a fully patched environment). A pentest is scope-bounded and finding-driven — typically 1–3 weeks against a list of assets. Red team output is a story about your detection and response; pentest output is a list of findings.

Will the SOC know it is a drill?

Only the people you nominate. Standard practice is to restrict the white card (the people who know the exercise is running) to the CISO and one or two trusted contacts; the SOC treats the operation as a real adversary, so the detection signal is honest.

Do you do TIBER-EU and DORA Article 25 TLPT?

Yes. We run threat-led penetration tests aligned to TIBER-EU methodology, including the threat-intelligence-led targeting phase. DORA Article 25 obligations for significant financial entities are explicitly in scope.

What does a red team report contain?

An executive narrative for the board, a technical reproduction package the blue team can replay, a detection-coverage matrix mapped to MITRE ATT&CK, and a prioritised detection-engineering backlog. We never deliver a CVE list — that is what a pentest is for.

How long does a red team engagement take?

Typically 4–8 weeks elapsed, including the threat-intelligence and planning phase. Time inside your environment is usually 2–4 weeks of active operations.

Book a 30-minute call

Tell us about the regulation you need to satisfy and the systems in scope. We will come back with a scoping note and a fixed-price proposal within three working days.
