Red Teaming

How far can an attacker get inside your organisation?

Multi-vector. Weeks on end. Undetected. We simulate APT attacks - and show you exactly where your defences fail.

MITRE ATT&CK · TIBER-EU · OSCP-certified
RED TEAM - OPERATION TIMELINE
W1

RECONNAISSANCE

37 employee profiles identified. 4 exposed subdomains. VPN gateway with known CVE.

W2

INITIAL ACCESS

Spear-phishing to IT department. 3 of 12 staff clicked. Credential harvesting successful.

W3

LATERAL MOVEMENT

Kerberoasting - service account compromised. Access to file server with customer data obtained.

W4

OBJECTIVE ACHIEVED

Domain Admin privileges obtained. Access to ERP system and financial data demonstrated.

Blue Team Detection: 0 Alerts · Dwell Time: 26 days

Trusted by organisations across industries

94% of red teams achieve their objective
11 days median dwell time (Mandiant)
4-8 weeks engagement duration
0 freelancers - in-house experts only

Why organisations need red teaming now

Automated scanners and annual pentests are no longer enough. Modern attackers think in campaigns - your defence should too.

DORA TLPT since January 2025

Articles 26-27 DORA mandate Threat-Led Penetration Testing (TLPT) for significant financial entities every 3 years. TIBER-EU is the approved methodology.

60% start with phishing

More than half of all ransomware incidents in 2024 started with phishing. 33% of employees click on phishing links. A pentest won't find that - a red team will.

74 days to patch

An attacker needs 4 days to move through a network. The median time to patch a critical vulnerability: 74 days. Red teaming shows how attackers exploit this window.

Multi-Vector Attack

Four attack vectors - just like a real APT

A real attacker is not limited to a single channel. Our red team strikes your organisation in a coordinated way across all relevant vectors.

Technical Exploitation

Network exploitation, Active Directory attacks (Kerberoasting, Pass-the-Hash), privilege escalation, custom C2 infrastructure. Fully documented according to MITRE ATT&CK.

MITRE ATT&CK · Cobalt Strike · Mimikatz · BloodHound

Social Engineering

Spear-phishing with personalised pretexts, vishing (telephone attacks against helpdesk/IT), smishing, pretexting. We test whether your employees respond to targeted manipulation.

Spear-Phishing · Vishing · Credential Harvesting

Physical Security

Attempts to access secured areas, badge cloning (RFID/HID), tailgating, USB drop attacks, dumpster diving. Photo and video documentation available on request.

Badge Cloning · Tailgating · USB Drop

OSINT & Reconnaissance

What can an attacker find out about you? Employee data, infrastructure leaks, exposed services, GitHub repositories, dark web entries, social media profiles.

Maltego · SpiderFoot · Dark Web Monitoring

Three Engagement Models

We select the right scenario based on your security maturity and objectives.

Full External Attack

Our team receives only the company name. Complete black-box simulation: OSINT, phishing, technical exploitation, physical access - everything an APT actor would do.

4-8 weeks - From EUR 25,000

Assumed Breach

We begin with a compromised foothold (employee account, infected device). Focus on lateral movement, detection capability, and incident response speed.

2-4 weeks - From EUR 15,000

TIBER-EU / DORA TLPT

For regulated financial entities: threat intelligence phase, red team test against live systems, mandatory purple team phase. Reporting to supervisory authorities.

3-6 months - From EUR 50,000

What does a red team engagement cost?

Transparent pricing. Fixed-price quote in 24 hours. No hidden costs.

Assumed Breach

from 15,000 EUR

2-3 weeks

Full External

from 25,000 EUR

4-6 weeks

Full-Scope + Physical

from 40,000 EUR

6-8 weeks

TIBER-EU / TLPT

from 50,000 EUR

3-6 months

Includes purple team debrief, MITRE ATT&CK documentation, and retest of identified vulnerabilities.

Continuous red teaming - quarterly, plannable

Retainer model for organisations that want to continuously test their defences. Includes purple team exercises and ATT&CK coverage tracking.

Enquire about retainer pricing

Cyber Kill Chain

Our red team process

Aligned with the Lockheed Martin Cyber Kill Chain and documented according to MITRE ATT&CK.

01 Threat Intelligence & Scoping

Analysis of your threat landscape together with the white team. Definition of attack objectives and Rules of Engagement. For TIBER-EU: engagement of a Threat Intelligence Service Provider (TISP).

02 Reconnaissance & OSINT

Comprehensive passive and active intelligence gathering: social media profiles, LinkedIn scraping, technical infrastructure, DNS enumeration, certificate transparency logs, dark web monitoring, supply chain analysis.

03 Initial Access

Coordinated attack via the most promising vector: spear-phishing, VPN exploitation, physical access, supply chain compromise. Establishment of a C2 connection.

04 Lateral Movement & Privilege Escalation

Movement through the network: AD enumeration, Kerberoasting, Pass-the-Hash, exploitation of trust relationships. Objective: Domain Admin or access to defined crown jewels.

05 Objective Achievement

Proof of access to defined targets: customer database, ERP system, SWIFT access, production control systems. Documented as proof-of-concept - no actual data exfiltration.

06 Purple Team Debrief & Report

Joint debrief with your blue team. Full disclosure of the attack chain with timestamps. Live replay of techniques in the SIEM. Prioritised recommendations and ATT&CK heatmap.

Red Teaming vs. Pentest vs. Vulnerability Scan

Three disciplines - a maturity ladder. Each has its place.

| | Vulnerability Scan | Penetration Test | Red Teaming |
|---|---|---|---|
| Objective | Find vulnerabilities | Prove exploitability | Test defences |
| Scope | Broad coverage | Defined systems | Entire organisation |
| Vectors | Technical (scanner) | Technical (manual) | Tech + People + Physical |
| Duration | 3-5 days | 1-3 weeks | 4-8 weeks |
| Blue team informed? | Yes | Yes | No |
| Best for | Compliance baseline | All organisations | Mature security teams |
| Regulatory | NIS-2, ISO 27001 | NIS-2, ISO, NIST | TIBER-EU, DORA, KRITIS |

TIBER-EU & DORA TLPT

Threat-Led Penetration Testing for the financial sector

Since January 2025, DORA (Articles 26-27) mandates TLPT for significant financial entities every 3 years. TIBER-EU - developed by the ECB and Deutsche Bundesbank - is the approved methodology. Supervisory authorities receive the closure report.

Threat Intelligence Phase: Targeted Threat Intelligence Report on sector-specific APT actors

Red Team Test Phase: Attack against live production systems based on the TTI report

Purple Team Phase: Joint remediation with the blue team - mandatory under TIBER-EU 2025

Closure Report: Submission to the competent supervisory authority

Sample Document

Red Team Report

See how we document the complete attack chain - with ATT&CK mapping and detection gap analysis.

01 Executive Summary & Risk Assessment
02 Complete Attack Chain Narrative
03 MITRE ATT&CK Heatmap & Coverage
04 Detection Gaps & Purple Team Recommendations

Request a sample red team report

See an anonymised red team report showing how we document attack chains and identify detection gaps - free and without obligation.

How far would an attacker get inside your organisation?

Free 30-minute call with our red team. Fixed-price quote in 24 hours.

Free · 30 minutes · No obligation

Is red teaming right for you?

Red teaming is the pinnacle of offensive security - but it is not always the right starting point.

Red teaming is the right choice if you...

  • ...already operate a SOC, SIEM, or EDR solution
  • ...want to know whether your defences can withstand an APT
  • ...need to comply with TIBER-EU, DORA, or KRITIS requirements
  • ...already run regular pentests and want to take the next step
  • ...want to test your incident response team under realistic conditions

Start with a pentest instead if...

  • ...you do not yet have a dedicated security team
  • ...you have never conducted a penetration test before
  • ...your primary goal is a structured vulnerability list
  • ...you want to test a single application or system
Learn about our penetration testing

Legally compliant from the first minute

Red teaming operates at the intersection of IT security and criminal law. We ensure every step is legally authorised.

Signed Rules of Engagement

Before every engagement: written authorisation by a legally authorised representative with clearly defined scope, permitted techniques, and emergency contacts.

Authorised under GDPR & NIS-2

Our authorisation is legitimised as a technical and organisational measure under GDPR Article 32 and NIS-2. Written consents protect against criminal liability.

In-house experts only

No freelancers, no subcontractors. All testers are full-time AWARE7 employees bound by strict NDAs. Data is processed exclusively in Germany.

Why AWARE7 for your red team engagement

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees - tailored to mid-sized companies, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for BSI and BMBF. Our studies analyse millions of websites and tens of thousands of phishing e-mails - published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are employed subject to social security contributions and bound by uniform legal obligations. VS-NfD-compliant on request.

Fixed price in 24h - plannable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly-rate risk, no follow-up charges, no surprises. Thanks to a well-practised team and standardised processes, you receive a clear schedule with a defined start date and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the initial consultation to the retest. You book appointments directly with your contact - no ticket systems, no call centre, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-sized companies with 50–2,000 employees

Companies that need real security - without paying for a service provider built for DAX corporations. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who need to argue convincingly internally - and need a report written in boardroom language for that, not just technical findings.

Regulated industries

KRITIS, healthcare, financial service providers: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

LLM

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognised OWASP LLM security standard.

BSI

BSI · Alliance for Cyber Security

Management von Cyber-Risiken

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for corporate management (German version).

Security is also social responsibility

AWARE7 is committed beyond day-to-day business: as the founder of a scholarship at Ruhr University Bochum, we support the next generation of cybersecurity professionals. We are a member of the BSI Alliance for Cyber Security and train our own specialists. Our R&D certificate confirms our commitment to cybersecurity research and innovation.

Learn more about AWARE7

Frequently asked questions about red teaming

A pentest systematically identifies technical vulnerabilities in defined systems - the scope is clearly bounded and the blue team is informed. Red teaming simulates a real APT attack across all vectors: technology, people, and processes. The blue team does not know when or how the attack is coming. The goal is not a list of vulnerabilities, but the answer to a single question: can a motivated attacker reach your crown jewels - and how quickly does your defence detect the intrusion?
A typical engagement runs 4-8 weeks: 1-2 weeks for reconnaissance and OSINT, 2-4 weeks for the active attack phase (initial access, lateral movement, objective achievement), and 1 week for reporting and debrief. TIBER-EU-compliant engagements for the financial sector run 3-6 months including the threat intelligence phase and purple team exercises.
Typically only a "white team" knows the timeline and scope - usually senior management, the CISO, and legal. The blue team (SOC, IT security) is deliberately not informed, so their detection and response capabilities can be tested under realistic conditions. After the engagement, a joint purple team debrief is held in which we walk through the complete attack chain and collaboratively close detection gaps.
Red teaming is suited for organisations that already have a security foundation - a SOC or SIEM, endpoint detection, trained staff. For SMEs without a dedicated security team, we recommend starting with a penetration test or our SME Security Assessment. A red team engagement delivers maximum value once you want to know whether your existing controls can withstand a coordinated attack.
Costs depend on scope, duration, and complexity. A focused technical engagement (2-3 weeks) starts from approx. EUR 15,000. A full-scope engagement including social engineering and a physical component over 4-8 weeks is typically EUR 25,000-50,000. TIBER-EU-compliant engagements for the financial sector start from approx. EUR 50,000. You receive a binding fixed-price quote - no hourly rates, no additional charges.
We document all attack techniques according to MITRE ATT&CK - the international standard for adversary behaviour. For regulated financial entities we follow the TIBER-EU/TIBER-DE framework developed by the ECB and Deutsche Bundesbank. We also use the Lockheed Martin Cyber Kill Chain to structure campaigns and PTES (Penetration Testing Execution Standard) as a methodological foundation.
In the assumed breach model, we begin with an already-compromised foothold inside your network - for example a regular employee account or an infected endpoint. This skips the perimeter phase and focuses testing on your internal defences: network segmentation, privilege escalation protection, lateral movement detection, and incident response capability. Ideal for organisations that have already tested their perimeter.
In the debrief we walk your blue team through the complete attack chain - step by step, with timestamps, tools used, and artefacts generated. We show exactly which logs and alerts should have fired, why they did not, and how to tune your detection rules. On request we replay techniques live so your SOC can observe artefacts in real time in the SIEM and develop detection use cases.
NIS-2 (Article 21 NIS2 Directive) mandates "security testing" as a minimum measure but does not explicitly name red teaming. For critical infrastructure operators and NIS-2-affected organisations with mature security programmes, red teaming is the most effective way to demonstrate the real-world effectiveness of your controls. For the financial sector, DORA (Articles 26-27) makes Threat-Led Penetration Testing (TLPT) mandatory every 3 years - and TIBER-EU is the approved methodology.
Every engagement begins with a signed Rules of Engagement document (RoE), signed by an authorised representative of your organisation. It clearly defines scope, permitted techniques, emergency contacts, and data handling. This written authorisation protects against criminal liability. All testers are full-time employees of AWARE7, bound by strict NDAs, and process data exclusively in Germany.
Yes. We conduct engagements according to the TIBER-EU/TIBER-DE framework, which since 2025 is also the official methodology for DORA TLPT. The process includes: a threat intelligence phase (Targeted Threat Intelligence Report), a red team test phase against live production systems, and a mandatory purple team phase. Results are reported to the relevant supervisory authority.

Three steps to a red team engagement

No lengthy procurement process. You speak with us - and we get started.

1. Initial consultation

30 minutes, free of charge. We define attack objectives, scope, and terms.

2. Fixed-price quote in 24h

Binding, transparent, no hidden costs. Includes Rules of Engagement.

3. Red team begins

Our team starts reconnaissance. Your blue team knows nothing.

ISO 27001:2022
OSCP · OSCP+ · OSWA · OSWP
MITRE ATT&CK
BSI Alliance for Cyber Security
100% Germany

Ready for the ultimate test?

94% of all red teams achieve their objective. Test your defences before a real attacker does.

Free · 30 minutes · No obligation