Products
Red Team Subscription.
An adversary you can put on retainer. Scenarios run on a quarterly cadence - phishing-led, assumed breach, ransomware objective - with joint defender debriefs and a trend line your board can read.
Why a subscription
One red team tells you a story. A subscription tells you a trend.
A single engagement answers 'would we notice?' on the day. A subscription answers 'are we getting better?' over the year. Detection and response capability is a muscle - it atrophies between exercises. Continuous scenarios keep it in shape, give you trend evidence for the board, and make sure controls you bought actually do the work you bought them to do.
Two tiers
Standard. Plus.
Both tiers are operator-led adversary simulation, scheduled around your programme. Plus adds threat-intel cadence, leadership tabletops, and an open communication channel between scenarios.
Quarterly Adversary Simulation
Standard
Four scenarios per year, run on a planned cadence with full defender side debrief.
Ideal for
- - Organisations with established defensive controls who want to know whether they actually work.
- - Security teams answering board, customer, or insurer questions about detection and response capability.
Key features
- • 4 scenarios per year (one per quarter)
- • Pick from the Pentiq scenario library or commission custom
- • Defender-side debrief per scenario (not just a findings report)
- • MTTD, MTTR, and control-efficacy measurement
- • Quarterly executive summary
Human touch
Each scenario is run by a Pentiq red team operator end-to-end. Debriefs are joint sessions with your SOC, IT, or MDR provider - constructive, not adversarial.
POA - get a quote.
Talk to us about Standard →Continuous Adversary Programme
Plus
Six scenarios per year plus standing threat-intel input and a tabletop programme.
Ideal for
- - Mature programmes that need to demonstrate continuous adversary readiness to regulators, insurers, or boards.
- - Organisations using TIBER-EU, CBEST, GBEST, or similar frameworks who want a like-for-like cadence outside formal exercises.
Key features
- • 6 scenarios per year (alternating depth)
- • Monthly threat-intel update aligned to your sector
- • Quarterly tabletop exercise with the leadership team
- • Open communication channel with your Pentiq operators
- • Annual programme review with trend analysis
Human touch
Everything in Standard, plus a named Pentiq lead operator, monthly intel briefings, and quarterly tabletops run by the same operators executing the scenarios - so the exercise is informed by the work.
POA - get a quote.
Talk to us about Plus →Scenario library
The kinds of attacks real adversaries actually run.
Every scenario can be tuned to your environment, sector, and threat model. We'll suggest which ones make sense for where your programme is and rotate them over time so the trend line is meaningful.
Phishing-led initial access
Targeted spear-phishing campaign progressing to credential theft, MFA bypass, and lateral movement.
Assumed-breach to crown-jewel data
Operator placed inside the perimeter - objective is to reach a defined critical data set within the agreed window.
Ransomware-objective simulation
Full kill-chain emulation up to the simulated detonation point, with hard safety controls and rollback.
Active Directory abuse
Identity-led attack paths - Kerberoasting, ACL abuse, ADCS misconfigurations, hybrid-identity exploitation.
Insider-threat simulation
Operating with the access of a typical employee or contractor to test internal segmentation, DLP, and monitoring.
Supply-chain or vendor compromise
Simulated exploitation of a trusted third party connection - VPN, SaaS integration, or managed service path.
Not seeing what you need? Custom scenarios are part of the subscription - including bespoke threat-actor emulation when intel warrants it.
What's measured
Numbers your board can read, not just findings the SOC can fix.
Mean Time to Detect (MTTD)
How long between operator action and your team noticing it - measured per stage of the attack chain.
Mean Time to Respond (MTTR)
From first detection to containment, with the steps taken and where coordination broke down.
Control efficacy
Which controls prevented, detected, slowed, or missed each stage - grounded in evidence, mapped to MITRE ATT&CK.
Defender confidence
Honest debrief of how the team felt under pressure - what was clear, what was confusing, what they wanted but didn't have.
Subscription or one-off
Two different shapes for two different questions.
Most mature programmes run both - a subscription for cadence and trend, a one-off engagement when a specific moment calls for a deeper, single-objective exercise.
Subscription
Repeated scenarios over time, building a trend line - does detection improve quarter on quarter? Are recurring scenarios catching the team out the same way? Run for programme assurance and continuous improvement.
You're on this page
One-off Red Team Operation
A single objective driven engagement - typically larger in scope, longer in duration, and tied to a specific question (regulator exercise, board ask, post-incident assurance). Run for a defined moment, not a continuous cadence.
See one-off Red Team Operations →Every tier includes
The baseline you get at any tier.
- Pentiq operator-led delivery - no scanner output dressed up as red teaming.
- Joint defender debrief per scenario, not a one-way findings report.
- MITRE ATT&CK mapping for every scenario.
- 12-month minimum commitment.
What it isn't
To be straight - what the subscription doesn't cover.
- Annual point-in-time pen testing - those engagements are scoped separately as Services.
- Vulnerability management and CVE-mapped scanning - see Vulnerability Scanning.
- Autonomous platform-driven exposure validation - see CSAS.
- Regulatory exercises requiring formal accreditation (CBEST, GBEST, TIBER-EU) - scoped as separate engagements; ask if you need one alongside.
Common questions
Frequently asked questions.
How is this different from a one-off red team engagement?
A one-off engagement answers one question, once: 'if a determined attacker came at us right now, would we notice?' The subscription answers it on a quarterly cadence so you can see whether your detection and response actually improves over time. Most clients use a one-off red team for a specific moment (regulator exercise, post-incident assurance) and the subscription for ongoing programme evidence.
Do scenarios get repeated, or is each one different?
Mix of both. We run new scenarios to expand coverage, and re-run earlier scenarios with variations to test whether the team has actually learned. The trend line is what makes it valuable; that's hard to build from one-off engagements alone.
What if our team is already busy responding to real incidents?
Scenarios are scheduled with you. We don't run them blind - your security leadership knows the engagement window. The SOC may not, depending on what you want to test. We adapt around real incidents and reschedule when needed.
Can we use this to satisfy CBEST, GBEST, or TIBER-EU requirements?
Not directly - those are formal regulator-led exercises with specific accreditation requirements. The subscription runs alongside as a like-for-like cadence between formal exercises, keeping defender muscle in shape. We'll tell you straight when a formal exercise is the right answer.
Who from our side needs to be involved?
A named security leadership contact for scheduling and post-scenario debriefs. SOC, IT, and MDR teams are involved in debriefs, not pre-engagement. Optional: a CISO-level sponsor for the quarterly executive summary at Plus.
Talk to us about Red Team Subscription
Find out whether your defenders would actually catch us.
A 30-minute call is usually enough to know whether a subscription fits, or whether a one-off engagement is the right starting point. We'll tell you straight either way.