Adversary Simulation Services

Put your incident response programs to the test

Even organizations with strong security controls and processes may not be able to detect and contain a breach quickly. The only way to truly understand and address gaps in defensive strategy is by simulating the latest attack techniques against your own security program.

With customized red teaming, purple teaming, threat intelligence-based testing, and managed testing options, X-Force Red adversary simulation services can meet you where you are in your security journey.

Train against the same advanced tactics, techniques, and procedures employed by attackers to test, measure, and improve your detection and response capabilities.

Aerial view of a racing team working at pit stop

Visit the research hub for the latest insights and analysis from X-Force Red hackers

Read the most common initial attacks in the 2025 Cost of a Data Breach Report

Schedule a discovery session with X-Force

Benefits

Test your tools

Discover gaps in security tooling by simulating real-world attacks designed for evasion. Tune your tools to improve their detection capabilities, leveraging techniques mapped to the MITRE ATT&CK Framework.

Test your teams

Adversary simulation exercises measure how well your incident response blue teams can detect and respond to an attack. Allow your teams to exercise their response playbooks, building the muscle memory they need to confidently respond to the real thing.

Test your programs

Offensive testing needs to be about more than finding one-off weaknesses. Breach is inevitable. Put your full detection and response capabilities to the test by simulating advanced attack methodologies focused on building resilience in your cybersecurity program.

Capabilities

Red teaming

Red team engagements are focused on simulating advanced threat actors using stealth, subverting established defensive controls, and identifying gaps in defensive strategy. These full chain exercises attempt to compromise your organization and achieve agreed upon objectives, resulting in a deep understanding of your organization’s true detection and response capabilities. After the engagement, our red team will prepare a comprehensive report and meet with your blue team to provide the full attack narrative, along with actionable insights and recommendations to close identified gaps and improve mean time to detection and response.

Purple teaming

With purple team engagements, our team creates and executes attack scenarios mapped to the MITRE ATT&CK Framework and your custom business objectives. Unlike red teaming, however, purple team engagements are conducted in close collaboration with your blue teams to validate manual and automated detections in the pursuit of those objectives, but not the subsequent response. Our team will work to evaluate your defensive controls, generating the data points needed to improve detection accuracy and coverage in your security stack.

Managed Red Team Service

Continuously identify and manage vulnerabilities, misconfigurations, and tooling & process gaps to stay ahead of your evolving attack surface and new cyber threats and with X-Force Red’s managed red team service. Whether you are starting an “in-house” red team capability for the first time or augmenting your existing one, this fully managed offering will establish a framework for continuous testing and a dedicated “hacker-on-call” to uplevel your offensive capabilities. Monthly testing sprints and reporting cycles give you full control to rescope objectives, retest previous findings after remediation, and measure the improvement of your security program over time.

Threat Intelligence-Based Testing

Leveraging threat intelligence to craft tailored attack scenarios, X-Force Red can mimic the advanced persistent threat actors and high-profile attacks targeting your organization. Uncover and fix gaps in your incident response programs while satisfying requirements for DORA TLPT, TIBER-EU, and other threat intelligence-based testing frameworks.

Read the Threat-Led Penetration Testing solution brief

Meet our experts

Chris Thompson

Chris is the Global Lead of Adversary Services at IBM X-Force. He drives vision and strategic initiatives to ensure the team can simulate the most sophisticated threat actors on the planet, while driving new capability development and offensive research leveraging automation and AI.

Patrick Fussell

As the Operations Lead, Patrick is responsible for the delivery of all X-Force Adversary Services engagements, bringing solid leadership experience to our team of senior operators, researchers, and offensive engineers.

Brett Hawkins

As Offensive Tradecraft Lead, Brett is responsible for ensuring the X-Force Adversary Services team can operate efficiently and effectively to a variety of sophistication levels and helps prioritize CNO tool development and research priorities.

Ruben Boonen

Ruben is responsible for low-level research and advanced CNE tool development for the X-Force Adversary Services team, driving key strategic initiatives and research.

Sanjiv Kawa

As a manager for X-Force Adversary Services, Sanjiv helps to ensure the team is operating to an opsec safe and efficient manner while pursuing advanced objectives. Sanjiv helps to drive offering strategy and delivery of managed red team services.

Shawn Jones

As Offensive Engineering Lead of X-Force Adversary Services, Shawn is responsible for guiding offensive engineering efforts by our large team of developers, driving forward our offensive tooling roadmap.

Professionals working with a sticky notes on a whiteboard

The latest X-Force Red research all in one place

Cube with multiple colors shadowing another cube

Cost of a Data Breach Report 2025

Report reveals 97% of organizations that experienced an AI-related security incident lacked proper access controls.

Threat Intelligence Index 2025

Understand how threat actors are waging attacks, and how to proactively protect your organization.

Cloud Threat Landscape 2024

Get key insights and practical strategies for securing your cloud with the latest threat intelligence

Latest blog articles

Back view of young black man looking towards a big digital screens glitching while displaying code lines.

Weaponizing DCOM for NTLM authentication coercions

Imagine achieving comparable results without the need for an "advanced" payload or accessing LSASS, simply by “living off the land” and leveraging underutilized Component Object Model (COM) objects.

Hands at work with interface around displaying a code in the screen.

IBM X-Force discovers new Sheriff Backdoor used to target Ukraine

IBM X-Force discovered a set of previously unknown malware (Sheriff backdoor) used in a cyber espionage attack against an entity within Ukraine’s defense sector in the first half of 2024.

Person in a hoodie using a laptop and smartphone in a dim room, with code displayed on a nearby screen.

Fileless lateral movement with trapped COM objects

Component Object Model (COM) has been a cornerstone of Microsoft Windows development since the early 1990s and is still very prevalent in modern Windows operating systems and applications.

Hand on a laptop touchpad with green command-line text on screen showing network data

Bypassing Windows Defender Application Control with Loki C2

Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.

X-Force Red Adversary Simulation Services

Latest blog articles