Precursor Security
Threat-Led Red Team | CREST Accredited | MITRE ATT&CK Aligned

Adversarial Emulation

Your security controls have never been tested against a skilled operator executing APT29's lateral movement playbook. Your pen test result tells you which CVEs exist. It does not tell you whether your SOC would detect hands-on-keyboard credential harvesting, custom C2 beaconing, or exfiltration over trusted channels. Adversarial emulation closes that gap.

MITRE ATT&CK Aligned
CREST Accredited
Purple Team Debrief Included
From £15,000

Threat-Led Adversarial Emulation Methodology

Unlike a penetration test, which produces a vulnerability list, adversarial emulation tests whether your security operations can detect and respond to a skilled operator executing a named threat actor's playbook. The question is not "are you vulnerable?" The question is "would you know if APT29 was inside your network right now?"

Threat Intelligence

Threat Actor Profiling

We profile your organisation based on sector, geography, data assets, and live threat intelligence to select the actors most likely to target you. Common profiles include APT29 for government and technology, FIN7 for financial services, and LockBit for cross-sector ransomware scenarios. No off-the-shelf playbooks.

Kill Chain

Full Kill Chain Execution

Operators execute the full intrusion chain, tactic by tactic through ATT&CK: Initial Access, Persistence, Privilege Escalation, Lateral Movement, and Exfiltration. We define crown jewel objectives before the engagement begins and pursue them using the named threat actor's specific tradecraft, so every step taken maps to a technique that actor is documented as using.

Evasion

EDR Bypass & Payload Engineering

Custom payloads engineered to evade CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint. The point is not to prove that an EDR can be bypassed, which a skilled operator can usually do given time, but to test whether the behavioural telemetry these products still emit, and the analysts watching it, catch a payload that no signature has ever matched.

Infrastructure

Custom C2 Channels

Command-and-control infrastructure purpose-built to replicate the named threat actor's communication patterns. We deploy Cobalt Strike, Brute Ratel, or Sliver with actor-specific malleable profiles, and domain fronting configurations where the emulated actor has used them and the fronted provider still permits it, so the traffic your SOC sees matches what that actor's traffic would look like.

Collaborative

Purple Team Debrief

Every engagement includes a collaborative debrief with your SOC team present. Individual ATT&CK techniques are replayed in real time. Techniques that were missed become detection engineering tasks: we develop custom detection rules and SIEM queries, and validate them live before the engagement closes.
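As an added example of the detection engineering a debrief produces (this is illustrative code, not Precursor's own rule library), the following Python flags HTTPS C2 beaconing (T1071.001, one of the techniques most often missed) by measuring how regular each client-to-host request timing is in proxy logs. The log lines, their format and the two thresholds are constructed assumptions; the same logic ports directly to a SIEM query that groups by source and destination and computes the interval statistics.

```python
"""Beacon detection over web proxy logs (ATT&CK T1071.001, Web Protocols).

Added example, not Precursor's detection content: the kind of SIEM logic a
purple team debrief turns a missed HTTPS C2 channel into. All log lines are
constructed; the line format "<epoch> <src_ip> <dst_host> <status> <bytes>"
and the thresholds below are assumptions to tune for your environment.
"""
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8   # assumed: fewer samples make the interval estimate unreliable
MAX_CV = 0.30         # assumed: coefficient of variation tolerated for a jittered beacon


def parse_line(line):
    """Split one constructed proxy record into typed fields."""
    ts, src, host, status, size = line.split()
    return {"ts": int(ts), "src": src, "host": host, "status": int(status), "bytes": int(size)}


def interval_stats(timestamps):
    """Mean and coefficient of variation of the gaps between consecutive requests."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    return mean, cv


def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Flag (src, host) pairs whose request timing is too regular to be a human.

    Regularity is measured as CV = stdev/mean of inter-request gaps, so a beacon
    that sleeps 60 s with +/-20 % jitter (a typical malleable-profile setting)
    still scores low, while browsing produces bursts and long idle gaps.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_pair[(rec["src"], rec["host"])].append(rec["ts"])

    alerts = []
    for (src, host), stamps in sorted(by_pair.items()):
        if len(stamps) < min_connections:
            continue
        mean, cv = interval_stats(stamps)
        if cv <= max_cv:
            alerts.append({
                "technique": "T1071.001",
                "src": src,
                "host": host,
                "connections": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return alerts


def build_sample_log():
    """Constructed sample: a jittered 60 s beacon, irregular browsing, a short session."""
    base = 1700000000
    beacon = [0, 55, 118, 170, 236, 290, 352, 405, 470, 528]      # 60 s sleep, 20 % jitter
    browsing = [0, 3, 4, 90, 91, 600, 1900, 1905, 3500, 3501]    # bursts and idle gaps
    lines = [f"{base + t} 10.0.0.5 updates.example-cdn.net 200 1342" for t in beacon]
    lines += [f"{base + t} 10.0.0.7 news.example.org 200 {48000 + 997 * i}"
              for i, t in enumerate(browsing)]
    lines += [f"{base + t} 10.0.0.5 login.example.com 302 512" for t in (10, 25, 900)]
    return lines


if __name__ == "__main__":
    for alert in find_beacons(build_sample_log()):
        print(alert)
```

Only the jittered beacon is reported; the browsing session has a far higher CV and the three-request login session never reaches the minimum sample count. In production the same rule fires on legitimate pollers (update agents, health checks), which is exactly the "detected with noise" category: the fix is an allowlist of known polling destinations, not raising the CV threshold until the beacon disappears too.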

Deliverables

Detection Gap Analysis

The primary output is not a vulnerability list. It is a Detection Gap Analysis: every technique mapped to an ATT&CK technique ID, assessed for detection fidelity, and accompanied by a deployable detection rule. Delivered with pre- and post-engagement ATT&CK Navigator heatmaps.

Executive Summary

Detection Reality Check

Most organisations discover their detection gaps during a real incident. Adversarial emulation reveals them before that happens.

Critical Gap
29%

Average Detection Rate

Average SOC detection rate during first adversarial emulation engagement. The majority of techniques go undetected.

Post-Engagement
70%+

Target Coverage

Target detection rate after purple team close-out and detection rule deployment. Measured improvement in ATT&CK coverage.

Coverage
14+

Techniques Per Engagement

Minimum ATT&CK techniques executed per single-actor engagement. Each mapped, assessed, and accompanied by a detection rule.

Mapped Controls
  • CREST: Accredited Company
  • MITRE ATT&CK: Full Framework Coverage
  • ISO 27001: Annex A.8.8
  • NIST CSF: DE.CM / RS.AN

When Automation Is Not Enough

BAS tools replay known techniques. We test whether your team would catch a real operator.

Breach and attack simulation tools provide continuous automated coverage but are architecturally limited to catalogued techniques. Adversarial emulation answers a different question entirely: would your people, process, and technology detect and respond to a skilled human operator executing novel tradecraft?

Automated BAS Tools
  • Catalogued techniques only
  • No social engineering or phishing
  • Vendor-managed, known IOCs
  • Pass/fail per control
  • No detection engineering output

Manual Adversarial Emulation
  • Novel and custom tradecraft
  • Full social engineering chains
  • Custom C2 mimicking real actor infrastructure
  • Detection rules, SIEM queries, ATT&CK heatmaps
  • CREST-accredited delivery

Threat Intelligence

Which Threat Actors Do We Emulate?

Each engagement begins with a threat actor selection process. We profile your sector, geography, and data profile against current threat intelligence to identify the adversaries most relevant to your organisation.

APT29 (Cozy Bear) | Russia | Government, Defence, Technology
  • T1078 Valid Accounts
  • T1071 Application Layer Protocol
  • T1560 Archive Collected Data

FIN7 (Carbanak) | Russia | Financial Services, Retail
  • T1059 Command and Scripting Interpreter
  • T1021 Remote Services
  • T1486 Data Encrypted for Impact

Sandworm (Voodoo Bear) | Russia | Energy, Critical National Infrastructure
  • T1561 Disk Wipe
  • T1499 Endpoint Denial of Service
  • T1190 Exploit Public-Facing Application

LockBit (Ransomware Operators) | International | Cross-sector ransomware
  • T1486 Data Encrypted for Impact
  • T1489 Service Stop
  • T1082 System Information Discovery

Volt Typhoon (Bronze Silhouette) | China | Telecoms, Energy, Government
  • T1133 External Remote Services
  • T1036 Masquerading
  • T1003 OS Credential Dumping

Lazarus Group (Hidden Cobra) | North Korea | Financial Services, Cryptocurrency, Defence
  • T1566 Phishing
  • T1055 Process Injection
  • T1105 Ingress Tool Transfer

The list above is illustrative. Every engagement begins with a threat actor selection workshop. We profile your organisation against current threat intelligence, sector targeting data, and your specific risk profile to identify the adversaries most relevant to you.

What You Receive

Detection Engineering Deliverables

The engagement closes with a Detection Gap Analysis report and a live purple team debrief. Every technique executed during the emulation is mapped, assessed, and accompanied by a deployable detection rule.

Engagement Outputs

Every deliverable is designed to be immediately actionable by your SOC team and detection engineers.

Detection Gap Analysis report with techniques mapped to ATT&CK IDs
Alert status per technique: detected / detected with noise / missed
Custom detection rule library: one rule per technique executed
ATT&CK Coverage Heatmaps: baseline and post-engagement comparison
Purple team debrief: technique replay with your SOC team
Prioritised remediation backlog with detection engineering recommendations

Detection Gap Analysis

Illustrative output from a 14-technique adversarial emulation engagement.

Detection Gap Analysis (Illustrative)
TECHNIQUE        STATUS      FIDELITY
─────────────────────────────────────────
T1566.001  ▌ Phishing       MISSED      -
T1059.001  ▌ PowerShell     DETECTED    High
T1003.001  ▌ LSASS Dump     MISSED      -
T1021.002  ▌ SMB Lateral    NOISY       Low
T1071.001  ▌ HTTPS C2       MISSED      -
T1078.002  ▌ Domain Accts   DETECTED    Med
T1048.003  ▌ DNS Exfil      MISSED      -

COVERAGE SUMMARY
─────────────────────────────────────────
Techniques executed:    14
Detected:               4  (29%)
Detected with noise:    3  (21%)
Missed:                 7  (50%)

POST-ENGAGEMENT TARGET: >70% detection

After the Engagement
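The Detection Gap Analysis and the ATT&CK Navigator heatmaps described under Deliverables are two views of the same data. As an added example (illustrative code, not Precursor's reporting tooling), the Python below turns a status-per-technique table into the coverage summary printed above and into a Navigator layer file. The first seven rows copy the illustrative table; the remaining seven are constructed from technique IDs that appear elsewhere on this page so that the totals match the 14-technique summary, and the Navigator, ATT&CK and layer version strings are assumptions to set for your own deployment.

```python
"""Detection Gap Analysis -> coverage summary and ATT&CK Navigator layer.

Added example, not Precursor's reporting tooling. The first seven rows copy the
illustrative table above; the remaining seven are constructed from technique IDs
elsewhere on this page so the totals match the page's summary (14 executed,
4 detected, 3 noisy, 7 missed). The Navigator, ATT&CK and layer-format version
strings are assumptions: set them to match your Navigator deployment.
"""
import json

STATUS_SCORE = {"MISSED": 0, "NOISY": 1, "DETECTED": 2}
STATUS_COLOR = {"MISSED": "#ff6666", "NOISY": "#ffe766", "DETECTED": "#8ec843"}
TARGET_DETECTION_PCT = 70  # the page's post-engagement target

# (technique ID, label, status, fidelity)
GAP_ANALYSIS = [
    ("T1566.001", "Phishing", "MISSED", "-"),
    ("T1059.001", "PowerShell", "DETECTED", "High"),
    ("T1003.001", "LSASS Dump", "MISSED", "-"),
    ("T1021.002", "SMB Lateral", "NOISY", "Low"),
    ("T1071.001", "HTTPS C2", "MISSED", "-"),
    ("T1078.002", "Domain Accts", "DETECTED", "Med"),
    ("T1048.003", "DNS Exfil", "MISSED", "-"),
    # constructed rows so the totals match the page's 14-technique summary
    ("T1082", "System Info Discovery", "DETECTED", "High"),
    ("T1055", "Process Injection", "DETECTED", "Med"),
    ("T1105", "Ingress Tool Transfer", "NOISY", "Low"),
    ("T1036", "Masquerading", "NOISY", "Low"),
    ("T1560", "Archive Collected Data", "MISSED", "-"),
    ("T1133", "External Remote Services", "MISSED", "-"),
    ("T1489", "Service Stop", "MISSED", "-"),
]


def summarise(rows, target_pct=TARGET_DETECTION_PCT):
    """Coverage summary in the form the report prints, plus the target check."""
    executed = len(rows)
    counts = {status: sum(1 for r in rows if r[2] == status) for status in STATUS_SCORE}

    def pct(status):
        return round(100 * counts[status] / executed)

    return {
        "executed": executed,
        "detected": counts["DETECTED"], "detected_pct": pct("DETECTED"),
        "noisy": counts["NOISY"], "noisy_pct": pct("NOISY"),
        "missed": counts["MISSED"], "missed_pct": pct("MISSED"),
        "target_met": pct("DETECTED") > target_pct,
    }


def navigator_layer(rows, name="Adversarial emulation: detection gap analysis"):
    """Build an ATT&CK Navigator layer: one cell per technique, coloured by status."""
    techniques = [
        {
            "techniqueID": tid,
            "score": STATUS_SCORE[status],
            "color": STATUS_COLOR[status],
            "comment": f"{label} | status={status} | fidelity={fidelity}",
            "enabled": True,
        }
        for tid, label, status, fidelity in rows
    ]
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},  # assumed versions
        "domain": "enterprise-attack",
        "description": "Baseline detection coverage recorded during the emulation",
        "techniques": techniques,
        "gradient": {"colors": list(STATUS_COLOR.values()), "minValue": 0, "maxValue": 2},
        "legendItems": [{"label": s.title(), "color": c} for s, c in STATUS_COLOR.items()],
    }


if __name__ == "__main__":
    print(summarise(GAP_ANALYSIS))
    with open("baseline_layer.json", "w", encoding="utf-8") as fh:
        json.dump(navigator_layer(GAP_ANALYSIS), fh, indent=2)
```

Running it writes `baseline_layer.json`, which loads straight into Navigator via Open Existing Layer. Re-run with the post-engagement statuses to produce the second heatmap; scoring missed, noisy and detected as 0, 1 and 2 means the difference between the two layers is a direct measure of the detection engineering done in the debrief.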

Close the Gap.
Keep It Closed.

The detection rules and logic produced during your adversarial emulation engagement are deployable directly into Precursor's Managed SOC and MDR services. If you already run your own security operations, we hand over the full rule library. If you do not, we implement them for you so the gap we found on day one is closed before day thirty.


Ready to Secure

The best time to test your defences is now.

Join the high-growth companies relying on Precursor for continuous offensive and defensive security.

CREST Triple Accredited | Fixed Price Quotes | Free Scoping Call | UK Based Team

Frequently Asked Questions

Common questions about this service, methodologies, and deliverables.

A penetration test identifies vulnerabilities in a system and produces a list of findings ranked by severity. Adversarial emulation goes further: it tests whether your people, processes, and technology can detect and respond to a skilled human operator executing the tactics, techniques, and procedures of a specific threat actor. The output is not a vulnerability list but a detection gap analysis with custom detection rules, SIEM queries, and ATT&CK coverage metrics.

We profile your organisation based on sector, geography, data profile, and current threat intelligence to select the most relevant threat actors. Common actors include APT29 (Cozy Bear) for government and technology targets, FIN7 for financial services and retail, Sandworm for energy and critical national infrastructure, LockBit for cross-sector ransomware scenarios, and Volt Typhoon for telecommunications and government. The threat actor selection is documented and agreed with your team before the engagement begins.

Your SOC team receives a Detection Gap Analysis that maps every technique executed against your current detection coverage using the MITRE ATT&CK framework, with a deployable detection rule for each technique executed. Alongside the rules themselves, the engagement gives your analysts the technique-level understanding they need to keep closing gaps on their own: what fired, what didn't, and why. The close-out debrief session replays findings with your SOC team so they can validate the delivered detection logic against your environment and tooling, and adapt it as your telemetry changes.

Breach and attack simulation tools such as Picus, Cymulate, and AttackIQ automate the replay of known attack techniques. They provide continuous coverage but are limited to catalogued techniques and cannot replicate novel tradecraft, social engineering chains, or business logic exploitation. Manual adversarial emulation by skilled operators tests detection against novel and custom techniques, and produces actionable detection engineering outputs that can improve your BAS tool rule sets. Both approaches are complementary.

This depends on the engagement model. A traditional red team engagement is covert: your SOC team is not notified and must detect the activity independently. A purple team engagement is collaborative: your SOC team is present and participates in real time. We recommend a purple team close-out phase regardless of the initial model, so your detection team benefits directly from the findings.

A standard adversarial emulation engagement targeting a single threat actor profile typically takes 2 to 4 weeks. Extended engagements covering multiple threat profiles take 4 to 8 weeks. Pricing starts from £15,000 for a 2-week single threat actor engagement.

Yes. We use de-fanged payloads throughout the engagement. Our command-and-control infrastructure is designed to appear malicious to your detection stack, but the payload itself is benign. We do not execute destructive actions against production systems without explicit written authorisation. All engagement activities are logged and can be paused or reversed at any point. A pre-engagement rules of engagement document defines all permitted and prohibited actions.