Red Team Knowledge Base

Continuous security testing replaces periodic penetration tests with always-on adversary simulation and automated security validation. This guide covers the cost-benefit case against annual pentests, how to implement continuous red teaming, the CART platform landscape, and practical steps for transitioning to an always-on testing model.

Threat intelligence-led red teaming uses real-world adversary data to drive attack simulations against your organisation. This guide covers the TIBER-EU gold standard, the CTI-to-red-team workflow, Diamond Model and Kill Chain integration, MITRE ATT&CK mapping, and how to build a CTI-red team pipeline that produces operationally relevant results.

Zero trust security eliminates implicit trust from networks. Every access request is verified, every session is scoped, every device is checked. This guide covers the principles, architecture, Swiss compliance context, and practical implementation for organisations of all sizes.

The average enterprise AI deployment has 14.3 attack surface components, up 347% since 2023 (Gartner, 2025). This guide maps every component: APIs, RAG pipelines, system prompts, vector stores, AI coding tools, and supply chains, with real CVEs and defence recommendations.

The EU AI Act mandates adversarial testing for high-risk AI systems by August 2, 2026. This guide breaks down Article 9 risk management, high-risk classification, the penalty structure (up to EUR 35M or 7% turnover), GPAI obligations, and how AI red teaming satisfies compliance.

AI red teaming and AI audit: test AI systems for prompt injection, security vulnerabilities, safety failures, and compliance gaps. Covers the OWASP Top 10 for LLMs, a 7-step testing methodology, the McKinsey Lilli breach analysis, EU AI Act requirements, and the tools you need.

Full guide to model poisoning and training data attacks covering data poisoning taxonomy (backdoor, clean-label, gradient-based), training data extraction, supply chain poisoning, RAG poisoning, defense strategies, and real-world case studies including the McKinsey Lilli breach.

73% of LLM deployments have at least one critical vulnerability, but only 12% of organisations test for them (OWASP, 2025; Gartner, 2025). This guide covers testing methods for each OWASP Top 10 for LLM category, prompt injection testing, AI audit approaches, plus Garak, PyRIT, NIST AI RMF mapping, and MITRE ATLAS.

Prompt injection is the #1 LLM vulnerability (OWASP, 2025), exploitable in virtually every deployment that accepts user input. This guide covers direct, indirect, and multi-turn attacks, case studies (McKinsey Lilli, EchoLeak), CVE examples, detection methods, and defence strategies.

Red teaming is a full-scope adversarial assessment that simulates real cyberattacks against your people, processes, and technology. This guide covers the definition, methodology, costs, tools, frameworks, and what 500+ engagements have taught us about how organisations actually get breached.

Red teaming simulates a full adversarial attack against your entire organisation. Penetration testing finds technical vulnerabilities in a defined scope. This guide breaks down when you need each, what they cost, and how to sequence them based on your security maturity.

Red teams attack. Blue teams defend. Purple teams bridge the gap. This guide explains how the adversarial model works, what metrics matter, how to build a programme, and what 500+ engagements reveal about the organisations that get this right.

Red team methodology broken into 8 phases: planning, reconnaissance, initial access, persistence, privilege escalation, lateral movement, exfiltration, and reporting. Mapped to MITRE ATT&CK and aligned with CREST, TIBER-EU, and Cyber Kill Chain frameworks.

MITRE ATT&CK is a knowledge base of 14 tactics and 216 techniques observed in real cyberattacks. This guide shows how red teams use ATT&CK to plan engagements, select adversary TTPs, and produce reports that blue teams can act on immediately.

TIBER-EU is the European framework for intelligence-led red teaming of critical financial infrastructure. Adopted by 15+ EU member states plus Switzerland (TIBER-CH), it requires threat intelligence-driven red team tests of live production systems. 94% of participants report improved cyber resilience.

The Cyber Kill Chain is a 7-phase model of a cyberattack: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, C2, and Actions on Objectives. Disrupting any phase stops the attack. This guide covers each phase from both the attacker's and defender's perspective.

CREST is the leading accreditation body for cybersecurity testing organisations, with 500+ member companies worldwide. This guide covers individual certifications (CRT, CCT, CCSAS, CCSAM), company accreditation requirements, and how CREST standards apply to Swiss and European red teaming.

Initial access (MITRE ATT&CK TA0001) is the phase where attackers gain their first foothold. Exploits account for 33% of initial access, stolen credentials for 16%, and phishing for 14% (Mandiant M-Trends, 2025). This guide covers all 11 initial access techniques with field data and defence strategies.

Privilege escalation (MITRE ATT&CK TA0004) occurs in 78% of successful breaches (CrowdStrike, 2025). This guide covers Windows and Linux local escalation, Active Directory domain escalation, cloud privilege abuse, and tools including BloodHound, Rubeus, and PowerUp.

Social engineering is the initial access vector in 60% of breaches involving the human element (Verizon DBIR, 2025). This guide covers phishing, vishing, pretexting, physical social engineering, and defence strategies as used in professional red team engagements.

Lateral movement (MITRE ATT&CK TA0008) is how attackers spread through networks after initial access. Average breakout time is now 29 minutes (CrowdStrike, 2026). This guide covers pass-the-hash, Kerberoasting, AD exploitation, cloud pivoting, and detection strategies.