Case Study: Mumbai Bank Red Team Exercise Revealed 4 Critical Detection Gaps

The situation

A mid-tier Mumbai-based scheduled commercial bank (we'll call them "BankCo") had completed a successful annual VAPT and a SEBI CSCRF audit. Their CISO was preparing for the next board cycle and wanted to answer one specific question:

"If a real adversary spent 6 weeks inside our environment, would we know?"

BankCo's profile:

1. 4,500 employees, 280 branches
2. Tier-2 SIEM operational for 3 years
3. EDR on all employee endpoints
4. Recent ₹140 Cr investment in cybersecurity tooling
5. No prior red team exercise

How the engagement was scoped

The engagement charter was signed in 3 working days:

1. 8-week red team (Advanced tier, ₹16L)
2. External-only initiation (no insider assistance)
3. 3 target objectives: (1) compromise a domain admin account, (2) access customer KYC database, (3) exfiltrate test data outside the network without trigger
4. Three safe-words for emergency stop
5. Blue team kept blind for the first 6 weeks

Phase 1: Reconnaissance findings

The red team's external attack surface map revealed:

1. 47 subdomains discoverable via DNS enumeration
2. 8 forgotten dev/staging environments still publicly accessible
3. 12 employee LinkedIn profiles disclosed full technical stack
4. 3 third-party SaaS integrations with weak SAML configurations
5. 1 publicly indexed S3 bucket containing legacy data (no customer data found, but a clear OPSEC issue)

Phase 2: Initial access + lateral movement

Week 3 — Initial access achieved on Day 4

A spear-phishing email targeted 12 employees in BankCo's finance team. 3 clicked, 1 entered credentials on the cloned Microsoft 365 login page. The captured credentials had no MFA enforced (the user was a recent transferee from a system that didn't require it — a process gap).

Week 4 — Lateral movement to file shares

Using the initial foothold, the red team:

1. Enumerated file shares (had broad read access by default)
2. Identified 14 files containing privileged credentials in plain text
3. Used a service account credential to pivot into the internal AD environment

The red team chained Kerberoasting + a misconfigured service account → domain admin. From there:

1. Accessed the customer KYC database (target objective 2 ✓)
2. Exfiltrated a 500-row sample of test customer records (target objective 3 ✓)
3. Established 2 persistence mechanisms

What the blue team caught and missed

After 6 weeks, the engagement entered Phase 3. The reconciliation matrix:

Caught (7 of 11):

1. Spear-phishing email (Office 365 ATP flagged it, but the user clicked anyway before it was quarantined)
2. Cloned domain access (network proxy flagged the look-alike domain visit)
3. AD reconnaissance (SIEM rule for \net group "Domain Admins"\ triggered)
4. Kerberoasting attempt (Defender detected the TGT request pattern)
5. File share enumeration (DLP rule for bulk file listing)
6. Service account abuse (SIEM correlation rule for non-interactive login from new IP)
7. Exfiltration attempt (DLP rule for KYC data outside network)

1. Forgotten dev/staging environments enumeration — no monitoring on these subdomains. Adversary recon went entirely undetected.
2. Pivot to internal AD — the lateral movement crossed network segments. The detection rule for cross-segment movement didn't fire because the user account had legitimate cross-segment access historically.
3. Persistence via scheduled task — Defender flagged the new task but the alert was deduplicated as "common admin activity" and never escalated to tier 2.
4. DNS exfiltration channel — the red team used DNS TXT records to exfiltrate the KYC data sample. SIEM did not have DNS exfiltration detection rules.

What changed after the engagement

BankCo implemented all 4 detection gap closures in 6 weeks post-engagement:

1. Decommissioned 6 of the 8 dev/staging environments; the 2 retained got proper monitoring + WAF
2. Added cross-segment movement velocity rule (rate-of-segment-crossing per user) to SIEM
3. Adjusted scheduled task alert tuning + escalation policy
4. Deployed DNS query volume + entropy detection rules

What it cost

What BankCo's CISO said

"We went in expecting to be told everything was fine. The red team found ways through our defences that I would never have predicted. The value isn't in the breach demonstration — it's in the four detection rules we added afterwards. That's the difference between a vendor report and an exercise that changes how we operate."

Pattern this engagement followed

This is the most common shape of a Bachao.AI red team engagement:

1. Existing security team with measurable controls (not greenfield)
2. Regulatory pressure or board-driven need for detection evidence
3. Willingness to keep blue team blind for the full duration
4. Commitment to act on detection gaps after the engagement

Schedule the red team scoping workshop →

Related: Red Team Methodology India · Adversary Simulation for Indian Banks