Red team and adversary simulation for Australian organisations
Instead of black-box engagements that focus on low-value OPSEC skills, dotSec structures engagements as multi-stage exercises where offensive and defensive teams work collaboratively and iteratively to validate and improve detection and response. This produces more useful outcomes for organisations that have already invested in baseline security controls.
We avoid off-the-shelf red team tools since these are well known to EDR and SIEM engines, and instead use our own custom tooling to test whether your defences detect adversary behaviour at a deeper level.
How dotSec structures a red team engagement
dotSec’s red/purple team engagements are structured as multi-stage exercises with defined objectives at each stage. Stages currently delivered include:
- External network reconnaissance: scanning of internet-exposed organisational assets to map external systems and network perimeter boundaries. This reconnaissance informs further stages such as social engineering or data exfiltration.
- Email content filter bypass testing: iterative testing of email delivery, first without payloads to map content filter boundaries, then with progressively modified custom payloads to determine what the email and network gateways will and will not catch.
- Token capture and replay testing: testing whether passwordless authentication tokens can be intercepted via adversary-in-the-middle phishing and replayed from a different host, and whether conditional access policies and identity protection detect anomalous token usage.
- Assumed breach and EDR boundary testing: progressive payload capability testing to calibrate SOC detection thresholds under controlled conditions. Each iteration maps where endpoint detection starts and stops, so your blue team knows exactly which behaviours trigger alerts.
- Active Directory Certificate Services (ADCS) misconfiguration assessment: certificate template and identity trust assessment for exploitable weaknesses, aligned to SpecterOps Certified Pre-Owned research.
- Active Directory reconnaissance: targeted enumeration of on-premises Active Directory and Microsoft Entra ID (formerly Azure AD) using throttled collection methods, to test whether identity protection controls detect measured reconnaissance and not just noisy automated tools.
- Internal network reconnaissance: post-compromise discovery of accessible file shares, web applications, M365 services, and other data sources from an assumed-breach position. Tests what an attacker with unprivileged access could find, access, and potentially use to further an attack.
- Application control (whitelisting) assessment: trusted path abuse, script interpreter gaps, and DLL loading weaknesses. Tests whether your application control policies hold up against techniques that use legitimate system binaries and trusted execution paths.
- Internal social engineering from legitimate account positions: simulates insider threat and post-compromise lateral movement, complementing dotSec’s social engineering and phishing exercises.
- AI and Copilot prompt injection: direct and indirect prompt injection testing aligned to the OWASP LLM Top 10 and MITRE ATLAS. Tests whether internal AI systems can be used to surface data beyond the account’s intended access level or manipulate downstream actions. See also dotSec’s dedicated AI penetration testing service.
- Data exfiltration testing: across multiple channels including email, cloud storage, DNS, and HTTP. Tests whether your DLP controls and egress filtering detect data leaving the environment through both common and less obvious exfiltration paths.
Note that each stage is scoped against your environment and objectives and not all stages apply to every engagement.
Traditional red team engagements often end with a report that confirms a breach was possible but provides limited detail on what the defensive team actually detected along the way. dotSec’s approach inverts this: each stage is designed to produce a documented record of what was detected, what was missed, and where the detection threshold sits. This gives the organisation a structured view of control effectiveness. The result is a set of prioritised, actionable improvements rather than a pass/fail outcome.
Purple teaming and collaborative exercises
dotSec’s red team model operates as a purple team exercise. Each stage concludes with a findings review where red and blue teams compare timelines, review detection events, and agree on which actions were detected, which were missed, and how long detection took. The goal is calibration, not a surprise reveal.
This structure suits organisations that have been through conventional red teaming and found the outcomes limited. It directly supports blue team improvement and provides measurable evidence of what controls work and what needs attention. Findings are classified using MITRE ATT&CK technique references and reported with CVSS v4.0 severity ratings.
Organisations using this model as part of a maturity programme may also benefit from dotSec’s Essential Eight assessments and CIS 18 assessments, which provide a framework for measuring control effectiveness before and after red team exercises.
Why choose dotSec
A common frustration with traditional red teaming is the disconnect between attackers and defenders: many offensive teams know how to break into a network, but lack the operational context to help you secure it. At dotSec, our offensive specialists also actively defend against cyber attacks by spending dedicated time working within our MSIEM (Managed SIEM) Blue Team service.
This cross-pollination of skills gives our testers a dual-perspective advantage. Because our team understands alert fatigue, detection thresholds, and real-world SIEM tuning, they speak your defenders’ language. Rather than handing over a list of exploits, we translate our attack paths into practical, actionable detection logic, ensuring your security team receives insights they can implement.
Custom tooling
dotSec develops its own payloads, proof-of-concept malware, and EDR evasion techniques in-house.
Modern EDR solutions use behavioural analysis, machine learning models, and runtime heuristics alongside traditional signatures. Off-the-shelf red team tools are well known to these detection engines.
dotSec’s custom tooling is built to test whether your defences detect adversary behaviour at a deeper level, not just whether they recognise a known tool.
By avoiding or adapting commercial frameworks and commodity tools, we ensure that your environment is tested against novel techniques rather than known signatures, exposing gaps where your controls only catch what they have seen before.
Effective execution
The value of a red team engagement is not in proving a bypass exists but in producing a documented record that the blue team can act on. dotSec maintains detailed, timestamped logs of every action undertaken during the engagement, including the technique used, the time and duration of each activity, and the outcome.
In a collaborative purple team exercise, these activities are planned in advance and the blue team is briefed before each stage begins, so defenders know what to expect and can focus on whether their detection and response capabilities identify the activity. After each stage, red and blue teams compare timelines: what was detected, what was missed, how long detection took, and where the gaps sit.
This gives the organisation a precise, evidence-based view of detection effectiveness rather than a pass/fail assessment.
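The timeline comparison described above, as an added illustration that is not dotSec’s reporting tooling: the red team’s timestamped action log is joined to the blue team’s alert log, and each action is marked detected or missed, with the rule that fired and the time to detect. Technique IDs are MITRE ATT&CK; the hosts, rule names, timings and the 30-minute matching window are constructed for the example.

```python
"""Purple-team timeline reconciliation over a constructed engagement log.

Added example, not dotSec's tooling. Joins red actions to blue alerts by
technique + host within a window, then summarises coverage per technique.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class RedAction:
    ts: datetime
    technique: str   # ATT&CK technique ID the operator logged
    host: str
    description: str


@dataclass(frozen=True)
class BlueAlert:
    ts: datetime
    technique: str   # technique the detection rule is mapped to
    host: str
    rule: str


@dataclass
class Outcome:
    action: RedAction
    alert: Optional[BlueAlert]

    @property
    def detected(self) -> bool:
        return self.alert is not None

    @property
    def time_to_detect(self) -> Optional[timedelta]:
        return None if self.alert is None else self.alert.ts - self.action.ts


def reconcile(actions, alerts, window=timedelta(minutes=30)):
    """Match each action to the earliest unused alert with the same technique
    and host that fires within `window` after the action.

    Returns (outcomes, unmatched_alerts). Unmatched alerts are either noise or
    activity the red team failed to log; both belong in the findings review.
    """
    pending = sorted(alerts, key=lambda a: a.ts)
    outcomes = []
    for act in sorted(actions, key=lambda a: a.ts):
        hit = next((a for a in pending
                    if a.technique == act.technique and a.host == act.host
                    and act.ts <= a.ts <= act.ts + window), None)
        if hit is not None:
            pending.remove(hit)
        outcomes.append(Outcome(act, hit))
    return outcomes, pending


def coverage_by_technique(outcomes):
    """{technique: {"total", "detected", "median_ttd_min"}} for the report."""
    table = {}
    for o in outcomes:
        row = table.setdefault(o.action.technique, {"total": 0, "detected": 0, "ttd": []})
        row["total"] += 1
        if o.detected:
            row["detected"] += 1
            row["ttd"].append(o.time_to_detect.total_seconds() / 60)
    return {t: {"total": r["total"], "detected": r["detected"],
                "median_ttd_min": median(r["ttd"]) if r["ttd"] else None}
            for t, r in table.items()}


T0 = datetime(2024, 3, 12, 9, 0)

# Constructed red-team log for one assumed-breach stage (not a real engagement).
ACTIONS = [
    RedAction(T0 + timedelta(minutes=5),  "T1087.002", "WS-042", "throttled LDAP user enumeration"),
    RedAction(T0 + timedelta(minutes=40), "T1021.002", "FS-01",  "admin share access from WS-042"),
    RedAction(T0 + timedelta(minutes=55), "T1003.006", "DC-01",  "DCSync from WS-042"),
    RedAction(T0 + timedelta(minutes=70), "T1048.003", "WS-042", "DNS exfil of 200 KB test file"),
]

# Constructed blue-team alert log for the same window.
ALERTS = [
    BlueAlert(T0 + timedelta(minutes=57), "T1003.006", "DC-01",  "Replication rights used by non-DC"),
    BlueAlert(T0 + timedelta(minutes=95), "T1048.003", "WS-042", "High-entropy DNS labels to single domain"),
    BlueAlert(T0 + timedelta(minutes=20), "T1110.003", "WS-099", "Password spray"),  # nobody logged this
]

if __name__ == "__main__":
    outcomes, unmatched = reconcile(ACTIONS, ALERTS)
    for o in outcomes:
        status = (f"detected by '{o.alert.rule}' after {o.time_to_detect}"
                  if o.detected else "MISSED")
        print(f"{o.action.ts:%H:%M} {o.action.technique} {o.action.host}: {status}")
    print("unattributed alerts:", [a.rule for a in unmatched])
    print(coverage_by_technique(outcomes))
```

The output is the artefact the findings review works from: two misses (enumeration and admin-share access), two detections with their time to detect, and one alert nobody on the red side can account for, which is itself a finding about logging discipline or environmental noise.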
ADCS and identity testing
Active Directory Certificate Services misconfigurations remain one of the most impactful attack paths in mature Windows environments.
A single misconfigured certificate template can allow any authenticated user to request a certificate that authenticates as any other account in the domain. Because certificate enrolment is a legitimate, everyday operation, the request is at most recorded as a routine CA audit event and rarely produces the alerts that accompany a conventional privilege escalation such as a group membership change.
dotSec assesses certificate template configurations, enrolment agent permissions, identity trust relationships, and hybrid-cloud access controls for exploitable weaknesses. Where weaknesses are found, findings include the specific remediation steps required to close each path without disrupting legitimate certificate usage.
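The template condition described above is the ESC1 pattern from Certified Pre-Owned. The following is an added illustration of how an assessor checks for it; it is not dotSec’s assessment tooling. It encodes the ESC1 conditions: a published template that lets the enrollee supply the subject, allows an authentication EKU (or has no EKU), requires neither manager approval nor an authorised signature, and grants Enroll to a low-privileged principal. The attribute names are the real Active Directory ones; the input records are constructed (assumed to have been collected from the Configuration partition over LDAP beforehand), and the list of "low-privileged" principals is an assumption to adapt per environment.

```python
"""ESC1-style certificate template check over constructed template records.

Added example, not dotSec's tooling. Covers only ESC1; the other Certified
Pre-Owned paths (ESC2 onwards) need separate checks.
"""

# msPKI-Certificate-Name-Flag bit: requester may supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: "CA certificate manager approval" required.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

# Assumption for the example: principals that mean "anyone in the domain".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def auth_capable(ekus) -> bool:
    # An empty pKIExtendedKeyUsage is treated like Any Purpose.
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_findings(templates):
    """Return one finding per template meeting every ESC1 condition."""
    findings = []
    for t in templates:
        if not t["published_on"]:
            continue  # not offered by any enterprise CA, so nobody can enrol from it
        low_priv = set(t["enroll"]) & LOW_PRIV_PRINCIPALS
        conditions = {
            "enrollee supplies subject": bool(t["msPKI-Certificate-Name-Flag"]
                                              & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
            "authentication EKU (or no EKU)": auth_capable(t["pKIExtendedKeyUsage"]),
            "no manager approval": not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
            "no authorised signature": t["msPKI-RA-Signature"] == 0,
            "low-privileged Enroll": bool(low_priv),
        }
        if all(conditions.values()):
            findings.append({
                "template": t["name"],
                "published_on": list(t["published_on"]),
                "enrollable_by": sorted(low_priv),
                "why": list(conditions),
                "remediation": ("clear ENROLLEE_SUPPLIES_SUBJECT or require manager approval; "
                                "restrict Enroll to the intended group; review certificates "
                                "already issued from this template"),
            })
    return findings


def _template(name, published_on, name_flag, enroll_flag, ra_sig, ekus, enroll):
    return {"name": name, "published_on": published_on,
            "msPKI-Certificate-Name-Flag": name_flag, "msPKI-Enrollment-Flag": enroll_flag,
            "msPKI-RA-Signature": ra_sig, "pKIExtendedKeyUsage": ekus, "enroll": enroll}


# Constructed records (not from a real domain).
TEMPLATES = [
    # Vulnerable: any domain user can request a client-auth cert naming any UPN.
    _template("WebServer-Legacy", ["CORP-CA-01"], 0x1, 0x0, 0,
              ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], ["Domain Users", "Web Admins"]),
    # Default-style user template: subject built from AD, not supplied by requester.
    _template("User", ["CORP-CA-01"], 0x0, 0x0, 0,
              ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"], ["Domain Users"]),
    # Supplies subject but cannot be used to authenticate.
    _template("CodeSigning-Custom", ["CORP-CA-01"], 0x1, 0x0, 0,
              ["1.3.6.1.5.5.7.3.3"], ["Domain Users"]),
    # Supplies subject but every request waits for a certificate manager.
    _template("VPN-Approved", ["CORP-CA-01"], 0x1, 0x2, 0,
              ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    # Same weak settings as the first, but no CA publishes it.
    _template("Old-Unpublished", [], 0x1, 0x0, 0,
              ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
]

if __name__ == "__main__":
    for f in esc1_findings(TEMPLATES):
        print(f["template"], "enrollable by", f["enrollable_by"], "->", f["remediation"])
```

The three non-findings are the point of the example: each removes exactly one ESC1 condition, and that is also the menu of remediations. Requiring manager approval is the least disruptive fix when legitimate requesters genuinely need to supply their own subject, because it leaves the template and its existing certificates untouched.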
AI and Copilot testing
For organisations deploying Microsoft Copilot or other AI systems internally, dotSec tests whether prompt injection (direct and indirect) can surface data beyond intended access boundaries.
This includes testing whether an AI assistant with access to SharePoint, email, or internal databases can be manipulated into retrieving content that the prompting user’s account should not be able to reach, and whether injected instructions embedded in documents or emails can trigger actions on behalf of other users.
Testing aligns to the OWASP LLM Top 10 and MITRE ATLAS, and complements dotSec’s dedicated AI penetration testing service.
Red team FAQ
What is the difference between red teaming and penetration testing?
A penetration test targets a defined scope and seeks to identify and exploit vulnerabilities within that scope. Red teaming is broader: it simulates a motivated attacker operating across the entire environment, using multiple attack vectors, with the goal of testing detection and response capability. dotSec’s red team engagements are structured as collaborative exercises to maximise the value of each stage.
Is red teaming only for large organisations?
Red teaming is most valuable for organisations that already have mature security controls and want to validate that those controls work under adversarial conditions. If an organisation has not yet conducted penetration testing or addressed basic hygiene (patching, MFA, endpoint protection), a penetration test is a more appropriate starting point. dotSec can advise on which approach suits your current maturity level.
How long does a red team engagement take?
Scope determines duration. A typical multi-stage collaborative exercise runs over several weeks to months, with stages conducted sequentially or in parallel where dependencies allow. Each stage concludes with a findings review before the next begins. dotSec will scope the engagement to match your objectives and budget.
What frameworks does dotSec align to?
Engagement methodology aligns to MITRE ATT&CK for technique classification, SpecterOps Certified Pre-Owned research for ADCS testing, OWASP LLM Top 10 and MITRE ATLAS for AI-related testing, and CISA red team advisory publications for scenario design. Findings are reported with CVSS v4.0 severity ratings.
What next?
If your organisation has mature security controls and wants to validate them under adversarial conditions, or if you have been through conventional red teaming and found the outcomes limited, dotSec can design an engagement that produces practical results. Contact us to discuss your objectives, or read about our penetration testing services as a starting point.
Premier Australian cyber security specialists
ISO 27001 consulting
Practical and experienced Australian ISO 27001 and ISMS consulting services. We will help you to establish, implement and maintain an effective information security management system (ISMS).
Penetration tests
dotSec’s penetration tests are conducted by experienced, Australian testers who understand real-world attacks and secure-system development. Clear, actionable recommendations, every time.
PCI DSS
dotSec stands out among other PCI DSS companies in Australia: we are not only a PCI QSA company but also a PCI DSS-compliant service provider, so we have first-hand compliance experience.
WAF and app-sec
Web Application Firewalls (WAFs) are critical, protecting web apps and services by inspecting and filtering malicious requests before they reach your servers. Whether you expose web pages or APIs, a WAF is your first line of defence.
Identity management
Multi-Factor Authentication (MFA) and Single Sign-On (SSO) reduce password risks and simplify access, letting only verified and authorised users reach sensitive systems, services and apps.
Vulnerability management
dotSec provides comprehensive vulnerability management services. As part of this service, we analyse findings in the context of your specific environment, priorities and threat landscape.
Phishing and social engineering
We don’t just test whether users will click a suspicious link — we also run exercises, simulating phishing attacks that are capable of bypassing multi-factor authentication (MFA) protections.
Penetration testing
dotSec’s penetration testing services help you identify and reduce technical security risks across your applications, cloud services and internal networks. Clear, actionable recommendations, every time!
Managed SOC/SIEM
dotSec has provided Australian managed SOC, SIEM and EDR services for 15 years. PCI DSS-compliant and ISO 27001-certified. Advanced log analytics, threat detection and expert investigation services.
Secure configuration
We provide prioritised, practical guidance on how to implement secure configurations properly. Choose from automated deployment via Intune for Windows, Ansible for Linux or CloudFormation for AWS.
Secure cloud hosting
Secure web hosting is fundamental to protecting online assets and customer data. We have over a decade of AWS experience providing highly secure, scalable, and reliable cloud infrastructure.
Essential eight
dotSec helps organisations to benefit from the ACSC Essential Eight by assessing maturity levels, applying practical security controls, assessing compliance, and improving resilience against attacks.
CIS 18 Critical Controls
Evaluation against the CIS 18 Controls establishes a clear baseline for stakeholders, supporting evidence-based planning, budgeting, maturity-improvement and compliance decisions.
Advisory services
We have over 25 years of cyber security experience, providing practical risk-based guidance, advisory and CISO services to a wide range of public and private organisations across Australia.