aptpen.com OPS · ONLINE
◢ ADVANCED PERSISTENT TEST · U.S. OPERATORS

Persistence is the technique.

// An advanced persistent threat is the adversary that wins by waiting. Real groups spend months on quiet reconnaissance and months more rotating through trusted systems before they ever make a move. We are that adversary, available for hire and pointed at your estate: the same patience, the same tradecraft, the same custom tooling, with every step surfaced as it happens and the full chain indexed in your report.

◉ 100% U.S. BASED ◉ CLEARED · VETTED ◉ NIST 800-115 · PTES
OPS · CAMPAIGN CLOCK · 84 DAYS ACTIVE · DAY 41 / 84
◆ DAY 28 · initial access, single beacon, sleep 3600s, jitter 60%.
◆ DAY 41 · current. Mapping a tier-0 path through ADCS template WebServer-V2.
◆ DAY 52 · planned. Path validation, off-hours window.
◆ DAY 70 · planned. Live readout with the blue team.
TRUSTED BY ↦ FORTUNE 500 BANK, GLOBAL HEALTHCARE NET, DOD SUBCONTRACTOR, AM-LAW 100, CRITICAL INFRA · ENERGY, PUBLIC SAFETY · CJIS, NATIONAL INSURER, SAAS UNICORN
§01 · 14 OFFERINGS · ALL ATT&CK-ALIGNED

What we do.

// Every engagement is scoped as a campaign with a named adversary, a written ops plan, and a pair of dedicated operators. Three of the fourteen offerings are previewed below.

SVC.01 adv-em

Adversary emulation

Named-actor TTP replay. We emulate APT29, Volt Typhoon, and Scattered Spider on your stack, with their playbook.

  • Threat-intel scoped
  • ATT&CK-aligned plan
  • Atomic and chained tests
  • Purple-team option
SVC.02 red

Red team

Objective-based, full-scope. Initial access through impact. No scanners, no checklists, just operators with a real plan.

  • Black, grey, or white-box
  • OPSEC-tight infrastructure
  • Physical and social
  • Crown-jewel objectives
SVC.03 cont

Continuous engagement

Always-on offensive operations. Quarterly operator rotations, persistent infrastructure, weekly findings into your Slack.

  • Dedicated operators
  • CTEM-aligned
  • Retest on patch
  • Slack and Teams integrated
§02 MITRE ATT&CK × D3FEND

How we work.

// Every campaign is built on a written ATT&CK plan. Each finding ships with the offensive technique it exercises, the actors observed to use it in the wild, and a D3FEND countermeasure your blue team can deploy. The methodology page walks the matrix, the kill chain, the attack-path graph, and the seven artifacts that ship with every engagement.

14 / 14
ATT&CK tactics covered.

Reconnaissance through Impact. Every engagement, every campaign.

7 / 7
D3FEND counters mapped.

Model, Harden, Detect, Isolate, Deceive, Evict, Restore. Each finding maps to one.

< 8 h
Average time to DA.

From assume-breach start, in tested environments, across the last 50 internal engagements.

0
Findings without a fix.

Every finding ships with a D3FEND-mapped recommendation and a working detection rule.

§03 ACCESS · INSTRUMENTATION · IN-HOUSE DEV

What we bring.

// Current commercial license inventory, deep open-source toolchain fluency, and in-house tooling for the engagements that ask for it. Agentic harnesses extend the bench when an environment is too large for human operators to reach end to end inside a campaign window.

KIT.04

Agentic adversary emulation

We develop AI agents that execute named TTP chains under operator supervision. The harness lets one operator pair sustain breadth across a large environment, with every action logged for audit and every decision reviewed before it runs.

  • Operator-supervised
  • TTP chains as policy
  • Audit log per action
KIT.01

Commercial frameworks

Licensed and current on Cobalt Strike, Brute Ratel, Mythic, Outflank, and the smaller specialty kits an engagement may call for. License inventory rides on our side of the engagement.

  • Cobalt Strike
  • Brute Ratel
  • Mythic
  • Outflank
KIT.03

In-house implants

Operator-written loaders, beacons, and evasion routines for engagements where commercial kits are too widely fingerprinted. Built per campaign, burned at closeout.

  • Custom loaders
  • BYOVD
  • Signed binaries
  • Memory-only
§04 ORIGINAL RESEARCH · PUBLISHED TOOLING

We write the tools we test with.

// The bench publishes. CVEs in the appliances that sit on your perimeter, techniques the rest of the industry adopts, and open-source tooling that ships in other operators' kits. When a campaign needs a capability that does not exist yet, we build it during the engagement and harden it after.

THE POSTURE

Research is the day job.

Operators carry protected research time between campaigns. That time produces the appliance 0-days we disclose responsibly, the AD and ADCS escalation primitives we fold into engagements, and the tools we open-source once a technique is widely understood. The work sharpens the bench, and the bench sharpens your engagement.

  • Responsible disclosure
  • Protected research time
  • Conference-grade
SELECTED · SANITIZED

Disclosures & tooling.

  • CVE-2025 · Pre-auth RCE in an enterprise VPN appliance. Coordinated disclosure, patched, now an N-day we replay where in scope.
  • ADCS · A certificate-template escalation primitive beyond the published ESC1–ESC15 set, presented at a major industry conference.
  • OSS · A BloodHound collector extension and a Kerberos abuse module, both maintained in the open and shipping in other operators' kits.
  • CLOUD · A cross-account IAM confused-deputy class disclosed to a major cloud provider, now reflected in their hardening guidance.
  • AI · An indirect prompt-injection chain against a tool-using agent, disclosed to two foundation labs ahead of public write-up.
Specifics are sanitized for the open web. The full research portfolio, with CVE numbers and named talks, ships with the scoping packet under NDA.

Put the adversary on your payroll.

Send a paragraph about the environment, the threat model that keeps a leader on your side of the table awake, and the time horizon involved. We respond within one business day with a draft ops plan, an archetype recommendation, and a price that procurement can read.
