Red Teaming Services: Test whether your controls hold against a real adversary.

Red team operations delivered by CREST-certified practitioners for regulated enterprises across APAC. We simulate the adversaries targeting your industry and tell you what they can achieve against your organisation.

Our red team retainers run for consecutive years. The same senior team, every engagement.
OVERVIEW

What is red teaming?

Red teaming is a goal-based adversary simulation. A Theos red team operates like a skilled, persistent attacker: no predefined scope, no announced start, and no limits on the techniques used within agreed rules of engagement. The objective is to determine whether a specific goal can be achieved against your organisation.

That objective might be reaching a core banking system, exfiltrating regulated data, or gaining domain administrator access. The red team attempts it using the same techniques, tools, and tradecraft that real threat actors use in this region. Your security controls, your people, and your detection capabilities are all in scope.

  • Technology, people, and process all in scope
  • Specific objective agreed before testing begins
  • Techniques matched to real threat actors active in your region
  • Testing follows the path an adversary would take
  • Every step of the attack path documented with evidence
  • Findings contextualised for action

You know exactly what a real adversary can achieve against your organisation today. Your security team understands where detection performed and where it can be improved. Your board has documented evidence of how your defences were tested and what changed as a result.

THE CHALLENGE

Compliance testing tells you what you have. Red teaming tells you what works.

Most regulated enterprises in APAC run annual penetration tests, maintain security policies, and invest in detection tooling. What they rarely test is whether all of it holds together when an adversary is actively targeting them.

A penetration test identifies vulnerabilities within a defined scope. Red teaming goes further, testing your people, your detection and response, and your ability to identify and stop an attacker who is already inside.

Red teaming changes that. It is the closest thing to a real breach you can experience on your own terms.

What red teaming tests beyond compliance programmes:

  • Detection capabilities tested against real adversary behaviour in progress
  • Security team response validated when an alert fires under realistic conditions
  • Lateral movement paths from low-privilege entry points to critical assets confirmed
  • Physical and social engineering controls tested under realistic pressure
  • Third-party access paths assessed for exploitable exposure

THEOS APPROACH

Intelligence-led adversary simulation. Practitioner-delivered findings your programme can act on.

Theos cyber red team practitioners work with the mindset, tooling, and patience of the threat actors targeting APAC enterprises. They carry direct knowledge of the tactics used by financially motivated and state-linked threat actors operating in this region.

Threat-Informed Planning

Every red team engagement begins with a threat intelligence brief specific to your industry and operating markets. We identify the threat actors most likely to target your organisation, the techniques they favour, and the objectives they typically pursue. The engagement is built around your specific threat picture.

Full-Spectrum Operations

Theos red teams operate across the full attack surface: external perimeter, internal network, identity and access management, cloud environments, physical access where in scope, and social engineering against your people. Every vector a real adversary would consider is within scope.

Stealth and Persistence

Theos operates with the patience and operational security that real threat actors apply. Operating undetected over weeks produces the findings that matter most.

Findings That Drive Programme Change

The red team report documents every step of the attack path with evidence: how initial access was achieved, how the team moved laterally, what was reached, and what detection capabilities fired and where coverage gaps exist. Findings are mapped to MITRE ATT&CK and prioritised by the business impact of each gap. The debrief is conducted with both your security team and your leadership, because the implications are relevant to both.

BENEFITS 

What Theos Red Teaming delivers for your organisation.

Realistic threat assessment

Confirmed view of what a skilled adversary can achieve against your organisation.

Detection gap identification

Confirm whether your detection programme catches real adversary behaviour.

Response validation

Test whether your incident response procedures work under realistic conditions.

Board-level evidence

Documented proof that your security posture has been tested against real-world attack scenarios.

Regulatory confidence

Red team evidence increasingly recognised under MAS TRM TLPT requirements and HKMA iCAST frameworks.

Programme intelligence

Findings feed directly into MDR detection tuning, VAPT scope prioritisation, and IR playbook development.

HOW IT WORKS

How a Theos red team engagement works.

1. Define the Objective

Before testing begins, Theos works with your leadership team to agree the engagement objective, the rules of engagement, and any constraints. The objective might be reaching a specific system, exfiltrating a defined dataset, or demonstrating domain compromise. Everything else is open.

2. Threat Intelligence Brief

Theos produces a threat intelligence brief covering the adversaries most relevant to your industry and market. This brief shapes the techniques, tools, and approach the red team will use throughout the engagement.

3. Initial Access

The red team gains initial access using phishing, credential stuffing, exploitation of public-facing systems, or supply chain compromise. Every technique is applied with the discipline a real adversary would use.

4. Lateral Movement and Persistence

Once inside, the team moves toward the objective using the same techniques a persistent attacker would apply: privilege escalation, lateral movement, credential harvesting, and maintaining persistence while evading detection.

5. Objective Completion

The team attempts to achieve the agreed objective and documents the outcome with full evidence. Whether the objective is achieved or blocked, the findings are equally valuable.

6. Report and Debrief

Theos delivers a full attack narrative with evidence at every step, MITRE ATT&CK mapping, and prioritised recommendations. Two debrief sessions are conducted: one technical, one executive. Your security team and your leadership leave with a clear picture of what was found and what needs to change.

CAPABILITIES 

Red team capabilities.

  • External network and perimeter exploitation

  • Phishing and spear-phishing campaigns

  • Credential-based attacks and password spraying

  • Web application exploitation as an initial access vector

  • Active Directory and identity-based lateral movement

  • Cloud environment exploitation and privilege escalation

  • Physical access simulation (where in scope)

  • Insider threat simulation

  • Supply chain and third-party access path exploitation

  • Command and control infrastructure operation

SCOPE COVERAGE 

What is in scope for a Theos red team.

  • People

    Social engineering, phishing, and pretexting against your staff

  • Technology

    External perimeter, internal network, identity, cloud, and application layers

  • Process

    Incident response, escalation procedures, and detection workflows

  • Physical

    Access control, tailgating, and on-site social engineering (where agreed)

  • Third parties

    Vendor and partner access paths where they represent a realistic attack vector

PROOF 

What the work produces.

4+

Years, Average Red Team Retainer

CREST

Certified Practitioners, Every Engagement

8.9

Client Satisfaction Score

5,000+

Incidents Managed Across the Practice

METHODOLOGY

How Theos red teams operate.

Theos red team engagements are intelligence-led and tradecraft-driven. Our practitioners select techniques, tools, and operational security practices based on what real threat actors in this region use.

MITRE ATT&CK

Adversary tactics, techniques, and procedures mapped and reported against the framework

TIBER-EU and TIBAS

Intelligence-led red team frameworks recognised by financial regulators

MAS TRM TLPT

Threat-led penetration testing requirements for Singapore financial institutions 

HKMA iCAST

Intelligence-led cyber attack simulation framework for Hong Kong

Theos red teams operate with full operational security: custom infrastructure, clean tooling, and techniques calibrated to replicate real adversary behaviour. The goal is to operate as a real adversary would, with the patience and discipline that produces findings that matter.

RED TEAMING vs ALTERNATIVES

Red teaming, VAPT, and purple teaming: what is the difference?

| Capability | Red Teaming | VAPT |
| --- | --- | --- |
| Scope | No predefined scope. Follows real attack paths. | Defined scope, agreed before testing begins. |
| Objective | Achieve a specific goal against your organisation. | Identify and validate vulnerabilities. |
| People in scope | Yes. Social engineering, phishing, physical. | Usually no. |
| Detection testing | Yes. Tests whether your SOC catches it. | No. |
| Duration | Weeks to months. | Days to weeks. |
| Output | Full attack narrative and MITRE ATT&CK mapping. | Vulnerability report with remediation steps. |
| Best suited for | Mature security programmes testing holistic resilience. | All organisations validating their attack surface. |

USE CASES

Who Theos Red Teaming is built for.

Regulated financial institutions under TLPT or iCAST requirements

MAS TRM includes threat-led penetration testing requirements for significant financial institutions in Singapore. HKMA iCAST sets equivalent expectations in Hong Kong. Theos red team engagements are structured to meet these frameworks and produce findings documentation that satisfies regulatory scrutiny.

Organisations with mature security programmes

Red teaming is most valuable when you already have controls in place and want to know whether they hold. If your organisation has invested in MDR, SOC, endpoint protection, and security awareness training, a red team engagement confirms whether that investment is performing as intended.

Organisations preparing for or following a security incident

A near-miss or an actual breach is a signal that something in your programme did not hold. Theos red team engagements following an incident identify what the attacker exploited and confirm the attack surface has been tightened following remediation.

Boards and leadership teams that need evidence

Regulators, insurers, and boards increasingly ask for evidence that security controls have been tested under realistic conditions. A Theos red team engagement produces it: a documented, independent, practitioner-led assessment of what a real adversary can achieve against your organisation.

OBJECTIVES

What does a red team objective look like?

Data exfiltration

Reach and extract a defined dataset (regulated customer records, intellectual property, or board-level communications) to demonstrate the complete attack path from initial access to data loss.

Persistent access

Establish and maintain a foothold across the environment for the full duration of the engagement, operating while evading detection. Tests whether your monitoring programme catches a skilled attacker operating with patience and discipline. 

Domain or system compromise

Achieve administrative control of a critical system (Active Directory, a core banking platform, an OT environment, or a cloud management console) to demonstrate the business impact of a full compromise.

Operational disruption

Demonstrate the capability to disrupt a defined business process or system. Common for regulated entities that need to understand their exposure to ransomware or destructive attack scenarios. 

Physical access

Obtain physical access to a restricted area (a server room, a trading floor, or a data centre) through social engineering, tailgating, or access control exploitation. Tests the full attack surface, including physical controls. 

Third-party compromise

Exploit a vendor or partner access path to reach your environment. Confirms supply chain exposure is understood and that third-party access is governed to the standard your security programme requires. 

WHEN DO YOU NEED RED TEAMING

When does your organisation need a red team engagement?

Your regulatory framework requires it

In Singapore, MAS TRM requires threat-led penetration testing for significant financial institutions. Theos delivers red team engagements in Singapore structured to meet those requirements.

In Hong Kong, HKMA iCAST requires intelligence-led cyber attack simulation testing for authorised institutions above a defined threshold. HKMA C-RAF also references adversary simulation as a component of cyber resilience assessment.

In Malaysia, BNM RMiT requires threat-led testing as part of the cyber resilience framework. Red teaming satisfies the advanced testing tier.

In the Philippines, BSP Circular 982 and related circulars require periodic security assessments for BSP-regulated entities. Red teaming satisfies the advanced assessment requirements for larger institutions.

Your detection programme has not been independently validated

If your organisation has been running MDR, EDR, or a SOC for twelve months or more without independently testing those capabilities, a red team engagement gives your team a confirmed answer.

Following a significant security incident

A breach or near-miss is a signal that something in the programme did not perform as expected. A red team engagement following an incident validates whether the gaps have been closed and confirms the attack surface has been tightened following remediation.

Before or after a significant technology transformation

Cloud migrations, mergers, acquisitions, and large infrastructure programmes change your attack surface. A red team engagement following significant change tests whether your controls have kept pace with your environment.

Your board or regulator requires resilience evidence

When your board, your insurer, or your regulator asks whether your security controls have been tested under realistic conditions, a Theos red team engagement produces documented, practitioner-led evidence, structured for board review and regulatory submission.
WHY THEOS

Why Theos Red Teaming

Findings that change programmes

Every engagement ends with a debrief that connects findings to programme decisions: what your MDR needs to detect, what your IR playbooks need to cover, and what your next VAPT should prioritise.

Intelligence that reflects this region

Theos practitioners deliver red team engagements across APAC with direct knowledge of the threat actors targeting enterprises in this region: the techniques they use, the industries they favour, and the objectives they pursue in each market.

Continuity across every engagement

Theos red team retainers run for consecutive years with the same senior team. That continuity means practitioners who know your environment, your changes, and your risk profile at programme depth.

Connected to your full security programme

Theos red team findings feed directly into MDR detection tuning, VAPT scope prioritisation, and IR playbook development. Clients who work with Theos across multiple service lines benefit from intelligence that compounds across every engagement. A detection gap found in a red team becomes a detection rule in MDR. A lateral movement path identified in a red team becomes a priority in the next VAPT.

Delivered by CREST-certified practitioners

Theos holds CREST accreditation across our offensive security services practice. Every red team engagement is delivered by CREST-certified practitioners, meeting the standards that regulated enterprise procurement and regulatory frameworks require.

GET PROTECTED TODAY

Security is not a product you buy. It is an outcome you earn.

A Theos red team tells you whether your controls hold against a real adversary, with practitioner-led findings your programme can act on.

We deliver outcomes.

FAQ

Frequently Asked Questions

The questions regulated enterprises ask most often before commissioning a purple team exercise.

What is the difference between red teaming and penetration testing?

Penetration testing is a structured, time-bound assessment that identifies, validates, and reports vulnerabilities across a defined scope.

Red teaming, also referred to as adversary emulation, is goal-based and broader in scope. Rather than finding every vulnerability, the engagement tests whether specific objectives can be achieved: gaining persistent access, exfiltrating data, or disrupting operations, by replicating the tactics, techniques, and procedures of a skilled and persistent adversary over an extended period, typically four to twelve weeks.

A red team engagement goes beyond finding gaps. It tests whether your people, processes, and technology can detect and respond when a skilled adversary is already inside.

How long does a red team engagement typically run?

Red team engagements at Theos typically run between four and twelve weeks, depending on scope, objectives, and the complexity of the environment being tested. The extended timeframe is deliberate. Replicating the behaviour of a skilled and persistent adversary requires time to move through reconnaissance, initial access, lateral movement, and objective execution at a pace that reflects how real attacks unfold.

Engagement length is agreed during scoping and aligned to your objectives and the scenarios being simulated. The timeline is set to give the red team the conditions needed to deliver findings that reflect genuine adversarial exposure.

What TTPs do you simulate and how do you choose them?

Theos designs red team engagements around the MITRE ATT&CK framework, using it as the foundation for selecting and mapping the tactics, techniques, and procedures relevant to your engagement. TTPs are chosen based on three inputs: your industry and the threat actors known to target it, your specific environment and the attack vectors most likely to be exploited, and your defined objectives for the engagement.

Theos also conducts intelligence-led red teaming, where TTPs are based on threat intelligence to ensure engagements reflect real-world adversary behaviour and current threats.

The engagement reflects how a real adversary would approach your organisation, built around your sector, your environment, and the threats that are targeting you.

Do you follow TIBER-EU or similar frameworks?

Depending on the needs and focus of the test, Theos aligns engagements to adversary simulation frameworks such as TIBER-EU, TIBAS, and iCAST where appropriate. This allows the exercise to follow recognised testing methodologies while ensuring TTPs remain tailored to your threat landscape, environment, and objectives.

Who in our organisation needs to know about the engagement?

Red team engagements begin with a kick-off session that defines the rules of engagement and communication channels. Knowledge of the engagement is typically limited to a small group of senior stakeholders who oversee the exercise, ensuring the broader security team responds to simulated activity as they would a real incident.

Theos works with your team at the outset to agree communication protocols, escalation paths, and the boundaries of the engagement.

What happens after the red team finds a critical gap?

Critical findings identified during the engagement are escalated to your nominated point of contact immediately, keeping your team informed as the exercise progresses. This gives your team the opportunity to contain or remediate urgent risks before the engagement concludes.

At the conclusion of the engagement, Theos submits a draft report covering the full results of the exercise, followed by a review and Q&A session with your team. A final report is then delivered including an executive summary suitable for board and leadership review. Findings are structured around the objectives agreed at the outset, with clear context on what was achieved, how, and what it means for your security posture.

Can you simulate a specific threat actor relevant to our industry?

Yes. Threat actor simulation is a core part of how Theos designs red team engagements. Using threat intelligence on adversaries known to target your sector and the markets you operate in, we replicate the tactics, techniques, and procedures associated with those actors across the attack lifecycle, from reconnaissance and initial access through to lateral movement and objective execution.

This gives your organisation a clear view of how a relevant real-world adversary would operate in your environment, and how effectively your detection and response capabilities perform against that specific threat.

What is adversary emulation and how does it differ from standard red teaming?

Adversary emulation is a form of red teaming that models the behaviour of a specific real-world threat actor or threat group. Rather than testing broadly across a range of possible attack paths, adversary emulation focuses on replicating the known tactics, techniques, and procedures of an identified adversary based on threat intelligence.

Standard red teaming is typically objective-led, designed to achieve agreed outcomes such as gaining access to critical systems or sensitive data, using the most effective paths available. Adversary emulation is more threat-led, with the exercise shaped by how a particular adversary is known to operate. In practice, Theos can deliver both approaches depending on whether the priority is to test against a defined threat, a business risk, or a specific objective.

LET US HELP YOU!
