Vulnsy

Adversary Simulation

Adversary simulation is a security exercise that replicates the tactics, techniques, and procedures (TTPs) of a specific real-world threat actor against your environment to test detection and response, not just preventive controls.

Where a penetration test asks "what can be exploited?" and a red team asks "can we achieve this objective?", adversary simulation asks "if APT29 (or FIN7, or any named threat actor) targeted us, how far would they get and would we notice?" It is goal-driven testing modelled on a specific opponent's known playbook — typically drawn from threat intelligence reports and the MITRE ATT&CK framework.

An adversary simulation begins with a threat profile: which actor, why are they relevant to this organisation, and what TTPs do they reliably use? Operators then build out the engagement to follow that profile rather than reaching for the easiest path to the objective. If the actor is known for spear-phishing followed by Cobalt Strike beacons and Kerberoasting, the simulation uses those techniques even when other approaches would succeed faster. The point is to test detection coverage against representative threats, not to demonstrate creativity.

Adversary simulation is closely tied to purple-team operations. Detection engineers, SOC analysts, and threat hunters work alongside the offensive team — sometimes in real time — to observe each technique, validate that telemetry was captured, confirm alerts fired with the right severity, and identify gaps. The result is concrete improvement: missing log sources are added, detection rules are written, and the simulation is re-run to verify the gap closed.
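The profile-driven coverage measurement described above, as an added example that is not part of the original glossary entry: a constructed threat profile built from the TTPs the entry mentions (spear-phishing, C2 beacons, Kerberoasting) is scored against what the blue team observed in a first run and in the re-run after the gaps were worked, so each technique ends up as detected, logged only, alerted at too low a severity, or blind. The actor, the observations and the expected severities are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Observation:  # what the blue team saw for one technique in one run
    technique_id: str
    telemetry: bool                 # a log source captured the activity
    alerted: bool = False           # a detection rule fired on it
    severity: Optional[str] = None  # severity the alert carried

# Constructed threat profile for a hypothetical actor, using the TTPs the page
# cites (spear-phishing, C2 beacons, Kerberoasting) under their ATT&CK IDs; the
# severity each alert is expected to carry is an assumption of this example.
PROFILE = {"T1566.001": "Spearphishing Attachment",
           "T1071.001": "C2 over Web Protocols",
           "T1558.003": "Kerberoasting"}
EXPECTED_SEVERITY = {"T1566.001": "medium", "T1071.001": "high", "T1558.003": "high"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def assess_run(profile: Dict[str, str], observed: List[Observation]) -> Dict[str, str]:
    """Label each profile technique: detected, low_severity, logged_only or blind."""
    by_id = {o.technique_id: o for o in observed}
    verdict = {}
    for tid in profile:
        o = by_id.get(tid)
        if o is None or not o.telemetry:
            verdict[tid] = "blind"         # no log source captured it
        elif not o.alerted:
            verdict[tid] = "logged_only"   # telemetry exists but no rule fired
        elif SEVERITY_RANK.get(o.severity, -1) < SEVERITY_RANK[EXPECTED_SEVERITY[tid]]:
            verdict[tid] = "low_severity"  # fired, but would be triaged too late
        else:
            verdict[tid] = "detected"
    return verdict

def gaps(verdict: Dict[str, str]) -> List[str]:
    return sorted(tid for tid, v in verdict.items() if v != "detected")

def closed_gaps(first: Dict[str, str], rerun: Dict[str, str]) -> List[str]:
    """Gaps from the first run that the re-run reports as detected."""
    return sorted(g for g in gaps(first) if rerun.get(g) == "detected")

# Constructed results: first run, then the re-run after the SOC forwarded the
# missing log source and wrote a beacon detection rule.
RUN1 = [Observation("T1566.001", True, True, "medium"),
        Observation("T1071.001", True),   # proxy logs exist, no rule yet
        Observation("T1558.003", False)]  # ticket-request events not forwarded
RUN2 = [Observation("T1566.001", True, True, "medium"),
        Observation("T1071.001", True, True, "high"),
        Observation("T1558.003", True, True, "high")]
```

Comparing `gaps(assess_run(PROFILE, RUN1))` with the re-run through `closed_gaps` is the "re-run to verify the gap closed" step; a technique that stays in the gap list after the re-run is the one the next purple-team cycle starts from.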

The maturity benefit over pure penetration testing is that adversary simulation produces a defensible, repeatable measurement of detection capability against threats that actually matter. Boards and auditors increasingly want evidence that the security programme is effective against named adversaries, not just that the perimeter is hard. Frameworks like MITRE ATT&CK Evaluations and ATT&CK Flow have made adversary simulation accessible to organisations beyond government and defence.

Related Terms

adversary emulation, red team, MITRE ATT&CK, threat intelligence, detection
