What a real red team engagement looks like
A red team engagement is not a longer pentest. The objective is different: pentest finds vulnerabilities, red team measures whether your blue team can detect a determined adversary inside your environment.
For Indian banks, fintechs, and regulated entities, this matters because RBI guidelines now reference detection capability as part of cyber resilience. SEBI CSCRF requires evidence of intrusion detection effectiveness. The DPDP Act assumes "reasonable security safeguards" — measurable only through testing.
Bachao.AI runs red team exercises in three phases over 6–8 weeks. This page describes the methodology.
Phase 1: Reconnaissance (Weeks 1–2)
The red team operates with the same intelligence as a real adversary: we assume zero internal access and start from public information only.
Activities:
- External attack surface mapping (subdomains, exposed services, third-party integrations)
- OSINT on executives and employees (LinkedIn enumeration, breach data, social media)
- Phishing infrastructure setup (domains registered to look-alike of your brand)
- Initial access vector selection (most likely entry point for your environment)
Phase 2: Initial Access + Lateral Movement (Weeks 3–5)
The red team attempts to gain initial access through realistic vectors:
- Phishing campaign targeted at finance/IT staff (with safe-words pre-agreed)
- Exploitation of external-facing vulnerabilities discovered in Phase 1
- Supply chain vector through identified third-party SaaS dependencies
- Physical reconnaissance if scope includes office locations
- Privilege escalation toward target assets (typically: customer data, financial systems, AD/Okta admin)
- Persistence mechanisms (would the blue team detect long-dwell adversaries?)
- Defence evasion (AV bypass, EDR evasion, log tampering attempts)
Phase 3: Detection Reconciliation (Weeks 6–8)
This is where the value compounds. Every action the red team took is compared to what the blue team detected.
The deliverable is a coverage matrix:
| MITRE ATT&CK technique | Red team performed | Blue team detected | Time to detect | Time to respond |
|---|---|---|---|---|
| T1566.001 (Spear-phishing attachment) | Yes | Yes | 18 min | 41 min |
| T1078.004 (Cloud accounts) | Yes | No | — | — |
| T1003.008 (OS Credential Dumping: /etc/passwd) | Yes | Yes | 7 min | 22 min |
| T1547.001 (Boot or Logon Autostart) | Yes | No | — | — |
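The reconciliation step above is mechanical once both sides keep timestamped logs. The Python below is an added example, not Bachao.AI's tooling: it takes a red-team action log and a SOC alert log (both constructed here, with timestamps chosen to reproduce the table above), credits a detection only when an alert for the same ATT&CK technique fires after the action and within a matching window, and builds the coverage matrix together with two checks a practitioner wants: alerts that match no red-team action (noise, not credited) and alerts that fired before the action (stale, not credited). The data-class names, the sample dates and the 24-hour window are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class RedTeamAction:
    """One entry from the red-team operator log (constructed format)."""
    technique: str          # MITRE ATT&CK technique ID, e.g. T1566.001
    name: str
    performed_at: datetime


@dataclass
class BlueTeamEvent:
    """One SOC alert/ticket, already mapped to an ATT&CK technique (constructed format)."""
    technique: str
    detected_at: datetime
    responded_at: Optional[datetime] = None   # when triage/containment action was taken


@dataclass
class CoverageRow:
    technique: str
    name: str
    detected: bool
    time_to_detect: Optional[timedelta]
    time_to_respond: Optional[timedelta]


def _matches(a: RedTeamAction, e: BlueTeamEvent, window: timedelta) -> bool:
    # Same technique, alert raised after the action, and not so late that it is
    # more plausibly unrelated activity. Alerts before the action never count.
    return (e.technique == a.technique
            and a.performed_at <= e.detected_at <= a.performed_at + window)


def reconcile(actions: List[RedTeamAction], events: List[BlueTeamEvent],
              window: timedelta = timedelta(hours=24)) -> List[CoverageRow]:
    """Credit each action with the earliest qualifying alert; measure both
    time-to-detect and time-to-respond from the moment the action was performed."""
    rows = []
    for a in actions:
        hits = [e for e in events if _matches(a, e, window)]
        if not hits:
            rows.append(CoverageRow(a.technique, a.name, False, None, None))
            continue
        first = min(hits, key=lambda e: e.detected_at)
        ttd = first.detected_at - a.performed_at
        ttr = first.responded_at - a.performed_at if first.responded_at else None
        rows.append(CoverageRow(a.technique, a.name, True, ttd, ttr))
    return rows


def unmatched_alerts(actions: List[RedTeamAction], events: List[BlueTeamEvent],
                     window: timedelta = timedelta(hours=24)) -> List[BlueTeamEvent]:
    """Alerts that correspond to no red-team action: either noise or real
    activity the SOC must triage separately, never credit to the exercise."""
    return [e for e in events if not any(_matches(a, e, window) for a in actions)]


def detection_rate(rows: List[CoverageRow]) -> float:
    return sum(r.detected for r in rows) / len(rows) if rows else 0.0


def fmt(td: Optional[timedelta]) -> str:
    # Same notation as the coverage matrix: a dash where nothing was detected.
    return "—" if td is None else f"{int(td.total_seconds() // 60)} min"


def render_markdown(rows: List[CoverageRow]) -> str:
    lines = ["| MITRE ATT&CK technique | Red team performed | Blue team detected "
             "| Time to detect | Time to respond |", "|---|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r.technique} ({r.name}) | Yes | {'Yes' if r.detected else 'No'} "
                     f"| {fmt(r.time_to_detect)} | {fmt(r.time_to_respond)} |")
    return "\n".join(lines)


# Constructed sample logs; the date is arbitrary.
D = datetime(2024, 1, 15)
RED_ACTIONS = [
    RedTeamAction("T1566.001", "Spear-phishing attachment", D.replace(hour=9)),
    RedTeamAction("T1078.004", "Cloud accounts", D.replace(hour=10, minute=30)),
    RedTeamAction("T1003.008", "OS Credential Dumping: /etc/passwd", D.replace(hour=14)),
    RedTeamAction("T1547.001", "Boot or Logon Autostart", D.replace(hour=16)),
]
BLUE_EVENTS = [
    BlueTeamEvent("T1566.001", D.replace(hour=9, minute=18), D.replace(hour=9, minute=41)),
    BlueTeamEvent("T1003.008", D.replace(hour=14, minute=7), D.replace(hour=14, minute=22)),
    BlueTeamEvent("T1059.001", D.replace(hour=11, minute=5)),   # no matching red action: noise
    BlueTeamEvent("T1547.001", D - timedelta(days=7)),          # fired a week earlier: stale
]

if __name__ == "__main__":
    rows = reconcile(RED_ACTIONS, BLUE_EVENTS)
    print(render_markdown(rows))
    print(f"\nDetection rate: {detection_rate(rows):.0%}")
    for e in unmatched_alerts(RED_ACTIONS, BLUE_EVENTS):
        print(f"Unmatched alert: {e.technique} at {e.detected_at}")
```

Running it prints the same four-row matrix shown above and a 50% detection rate; the stale T1547.001 alert and the T1059.001 alert are listed as unmatched rather than credited. In a real engagement the window is an agreed parameter, and an alert that fires late but inside it still counts, so the time-to-detect column carries the signal the headline rate hides.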
Pricing
| Engagement scope | Duration | Fee |
|---|---|---|
| External-only (no internal lateral movement) | 4 weeks | ₹5L |
| Standard (external + internal up to 2 target assets) | 6 weeks | ₹10L |
| Advanced (purple team component + detection rule authoring) | 8 weeks | ₹16L |
| Full TIBER-style (threat-led, regulatory-grade, multiple safe-words) | 10–12 weeks | ₹22L |
When red team is right (and when it's not)
Red team is the right choice when:
- You have an existing security team with SIEM/EDR running
- You need to test detection capability, not find vulnerabilities
- You have regulatory pressure to demonstrate cyber resilience (RBI, SEBI)
- Your last pentest was already comprehensive on findings, but you don't know what your team would catch
Red team is not the right choice when:
- You have no internal security team (use VAPT first, build the team, then red team)
- You haven't run a basic vulnerability scan in the last 6 months (do that first)
- You don't have an EDR or SIEM (red team will catch nothing — there's nothing to detect with)
How to start
A red team engagement starts with a 90-minute scoping workshop, in which we confirm the in-scope assets, the safe-words, the escalation contacts and the success metrics. The engagement letter follows within 5 working days, and Phase 1 starts the week after.
