{"id":22290,"date":"2025-12-30T09:34:27","date_gmt":"2025-12-30T09:34:27","guid":{"rendered":"https:\/\/www.synetis.com\/red-team-purple-team\/"},"modified":"2026-05-11T12:05:01","modified_gmt":"2026-05-11T12:05:01","slug":"red-team-purple-team","status":"publish","type":"page","link":"https:\/\/www.synetis.com\/en\/ssi-audit\/red-team-purple-team\/","title":{"rendered":"Red Team & Purple Team"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\tAccueil<\/a>\n<\/span>\u203a<\/span>\n\tSSI audit<\/a>\n<\/span>\u203a<\/span>\n\tRed Team & Purple Team\n<\/span><\/div><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t

Redteam \/ Purpleteam<\/h1>\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

A Redteam mission to simulate the behavior of an attacker in real-life conditions against your Information System, as well as a Purpleteam mission to train your BlueTeam team!<\/p><\/div><\/div><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tContact our teams<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Go beyond the intrusion test: simulate the offensive of a determined attacker<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Contrary to what you might think at first glance, the Redteam mission is not a penetration test. The Redteam mission is a type of attack designed to simulate the point of view of an external, motivated attacker, whose aim is to break into your organization’s network<\/b> with a view to carrying out sabotage<\/b> operations, stealing strategic data<\/b>,installing ransomware or<\/b> even persistence software<\/b>, etc. The Redteam mission is not an intrusion test. <\/p>

Unlike penetration testing, which is limited to a restricted perimeter (a URL, a Web application, an office computer network, etc.), Redteam’s mission is to target the organization in its entirety: both its online aspects (external exposure, collaborators on Linkedin-type platforms, searching for leaked passwords on the Darknet, etc.) and its physical aspects (intrusion into premises, depositing malicious USB keys, lock-picking, tail-gating).<\/p>

During a penetration test, the auditors conduct the most exhaustive research possible into the vulnerabilities that could impact the perimeter under test. A Redteam mission, on the other hand, is aimed more at obtaining various trophies, representing key objectives to be achieved by a simulated attacker (exfiltration of sensitive data, access to business software, etc.). <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Discover the benefits of a Redteam mission<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The Redteam mission provides answers to the following questions:<\/p>

  • What sensitive data can your organization obtain from the Internet?<\/li>
  • Are your employees sufficiently aware of social engineering practices (phishing, spear-phishing)?<\/li>
  • What are the consequences of losing or stealing a company laptop?<\/li>
  • Is someone from outside the organization capable of infiltrating the premises in search of sensitive documents? Are employees aware of these intrusion attempts? <\/li>
  • What compromises are possible from within your company (malicious employees, phishing, etc.)?<\/li>
  • Are your security teams\/tools capable of providing “real-time” detection and efficient response during an attack?<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
    \n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t\t

    Prerequisites for a Redteam mission<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    We recommend intrusion tests on your infrastructure applications and then on your internal network, to ensure a minimum level of security for your organization.<\/p>

    Once these services have been completed and your overall security level has been strengthened, starting a Redteam mission will enable you to put your cyber posture (solutions, organization, processes) and your security teams to the test.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

    \n\t\t\t\t\t
    \n\t\t
    \n\t\t
    \n\t\t\t\t<\/div>\n\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    Rely on a rigorous, proven approach<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t\t

    The role of the sponsor<\/h3>\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    Redteam’s mission sponsor is the organization’s single point of contact during the service, and its role is to define :<\/p>

    • Boundaries of the perimeter ;<\/li>
    • Sensitive targets ;<\/li>
    • Priority employees or those to be avoided during the phishing phase ;<\/li>
    • Premises targeted by physical intrusion attempts ;<\/li>
    • Authorized methods.<\/li><\/ul>

      <\/p><\/div><\/div>

      Its aim is to determine the angles of attack that will highlight the sensitive points in the organization’s cybersecurity posture, by validating or proposing trophies.<\/p>

      In the event of a blockage during the service (e.g. due to the detection of security teams), he will be responsible for determining the next stage of the service:<\/p><\/div>

      • Assumed breach” approach: this<\/strong> concerns the situation where the auditors encounter a blocking point when attempting to gain initial access to the Information System. The client may then propose the “voluntary” execution of a malicious attack, or VPN access to a first environment, in order to allow the mission to progress; <\/li>
      • Switch to Purple Team<\/strong>;<\/li>
      • End of performance<\/strong> and debriefing of trophies<\/strong> won.<\/li><\/ul><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
        \n\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t

        The striker's role<\/h3>\t\t\t\t<\/div>\n\t\t\t\t
        \n\t\t\t\t\t\t\t\t\t

        The approach is different from the “classic” one: the auditor takes on the role of an attacker from outside the organization and, unlike a classic approach where he will attempt as many tests as possible<\/b> in order to test the audited perimeter to the maximum, he will rely on stealth in order to achieve the defined trophies without raising alarms or suspicions from the security teams.<\/p>

        The attacker can then simulate an existing group of real attackers (LockBit, RansomHub, Scattered Spider…) using the same techniques, in order to assess the response of security tools\/teams. This simulation can be carried out using the MITRE ATT&CK matrix, which references the techniques, tactics and procedures used by these attackers. <\/p>

        The RedTeam approach aims to simulate realistic (non-destructive) attacks, to thoroughly test the security of a given perimeter. This approach makes for greater efficiency and enables advanced attack scenarios to be carried out, combining logical intrusion with social engineering, phishing and more. <\/p><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

        \n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
        \n\t\t
        \n\t\t\t\t<\/div>\n\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t

        Trophies<\/h3>\t\t\t\t<\/div>\n\t\t\t\t
        \n\t\t\t\t\t\t\t\t\t

        Red Teaming is based on<\/b> predefined trophies<\/b> agreed between the auditors and the customer.<\/p>

        These can be of various kinds:<\/p>

        • Access to the back-office of an e-commerce site ;<\/li>
        • Access to a customer database ;<\/li>
        • CRM base infiltration ;<\/li>
        • Obtaining Domain Admin access ;<\/li>
        • AD compromise;<\/li>
        • Access to VIP messaging ;<\/li>
        • ERP access ;<\/li>
        • Access to a server room ;<\/li>
        • …<\/li><\/ul>

          <\/p><\/div><\/div>

          These contextualized trophiesillustrate real risks<\/b> that could impact your organization. Winning these trophies validates feasibility, exposure and impact. <\/p>

          As a result, a Redteam approach is not destined to be the most exhaustive in terms of security tests against assets (unlike a “classic pentest”), but is geared towards a global, tactical and efficient compromise to get as close as possible to real attacks via trophies.<\/p>

          One of the objectives is also to define the impact of a real attack on an organization, and the cost of the associated measures.<\/p><\/div><\/div><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

          \n\t\t\t\t\t
          \n\t\t\t\t
          \n\t\t\t\t\t

          The different routes of intrusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
          \n\t\t\t\t\t\t\t\t\t

          As part of their Redteam missions, auditors may be required to use a variety of methods, including computer-based (logical intrusion), cognitive (social engineering) and physical (physical intrusion).<\/p><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

          \n\t\t\t\t\t\t\t
          \n\t\t\t
          \n\t\t\t\t\t