Adversarial Security Operations

We attack your systems before adversaries do.

Elite red team operators simulating nation-state TTPs, zero-day exploitation, and advanced persistent threat campaigns to harden your organization's defenses.

0xHexTeam-ops // active engagement

./recon --target corp.acme.io --mode passive
Enumerating subdomains...
✓ 47 subdomains discovered
✓ 3 shadow IT assets flagged

./vuln-scan --depth full --stealth on
⚠ CVE-2024-1182 — RCE unpatched (CVSS 9.8)
⚠ Exposed admin panel port 8443
✗ LLMNR poisoning vector detected

./lateral --pivot ad.corp.acme.io
✓ Domain Controller reached
✓ Kerberoastable accounts: 6
generating full report...

320+ Engagements Completed
98% Initial Access Rate
14d Avg. Dwell Time Simulated
0 Incidents Caused

What We Do

Adversarial Services Built for Enterprise

From targeted phishing simulations to full-scope assumed breach scenarios — our operators use the same tradecraft as nation-state actors.

External Red Team

Full-scope adversarial simulation from the internet. Perimeter testing, exploitation, and lateral movement through your production environment.

APT Simulation

Internal Penetration Test

Assume-breach scenarios that test your internal controls, Active Directory posture, and SOC detection capabilities under real attack pressure.

Assume Breach

Physical & Social Engineering

Vishing, phishing, and on-site physical intrusion testing. We test your people, processes, and badge access controls — not just technology.

Human Vector

Cloud & DevSecOps

AWS, Azure, GCP adversarial assessments including IAM abuse, container escapes, CI/CD pipeline poisoning, and supply chain attacks.

Cloud Native

Purple Team Operations

Collaborative exercises where our red team attacks while your blue team detects. We help tune your SIEM, EDR, and detection playbooks live.

Detection Tuning

Tabletop & TIBER-EU

Threat-intelligence-based red team exercises aligned with TIBER-EU, CBEST, and DORA frameworks for regulated financial institutions.

Regulatory

How We Operate

MITRE ATT&CK–Aligned Methodology

Every engagement follows a disciplined kill chain, documented and mapped to MITRE ATT&CK for maximum actionability in your remediation roadmap.

01. Scoping & Threat Model

Define crown jewels, rules of engagement, and attacker personas aligned to your actual threat landscape.

02. Reconnaissance

OSINT, passive and active recon. Attack surface mapping across people, technology, and supply chain.

03. Initial Access

Exploit external exposures, craft targeted phishing lures, and establish covert C2 infrastructure.

04. Post-Exploitation

Lateral movement, credential harvesting, privilege escalation, and persistence across the kill chain.

05. Reporting & Debrief

Executive narrative, technical findings, a MITRE ATT&CK heat map, and a remediation roadmap with SLAs.

ACTIVE THREAT INDICATORS (live feed)

Indicator                              Category   Score
CVE-2025-2847 — Citrix ADC             RCE        9.8
Lazarus Group — spear-phish wave       APT        9.3
NTLM Relay via IPv6 poisoning          AD         8.1
Okta Org2Org token abuse               IdP        7.9
GitHub Actions supply chain pivot      CI/CD      6.5
Kubernetes node privilege escape       Cloud      6.2

Threat Intelligence

We operate with current intelligence, not last year's CVE lists.

Our operators maintain active research into emerging TTPs, zero-days, and threat actor tradecraft. Every engagement benefits from intelligence we generate in our own research lab.

  • Proprietary C2 frameworks not flagged by commercial AV
  • Custom implants with EDR bypass capabilities
  • Threat actor persona emulation (UNC groups, APT29, etc.)
  • Live intelligence sharing via client portal during engagements
  • Post-engagement detection rule contributions to your SOC

Case Studies

Engagements That Moved the Needle

Anonymized excerpts from recent full-scope adversarial assessments across critical industries.

Financial Services — Tier-1 Bank

SWIFT network lateral movement via compromised vendor

Gained access through a third-party IT supplier with overprivileged AD trust. Reached SWIFT messaging infrastructure in 72 hours without triggering a single SIEM alert.

72h Time to Crown Jewel
0 Alerts Triggered
4 Critical Findings

Healthcare — Hospital Network

Ransomware simulation across 14-site OT/IT boundary

Demonstrated ransomware propagation path from patient wifi to HVAC SCADA and radiology DICOM servers — a scenario the client believed was segmented.

14 Sites Reached
OT Segment Crossed
8 Critical Findings

Defense Contractor — Cleared Facility

Insider threat simulation with OPSEC-constrained exfil

Emulated a malicious insider with cleared access. Exfiltrated 50GB of ITAR-controlled technical documents via steganographic channels over 21 days undetected.

21d Dwell Time
50GB Data Exfiltrated
0 DLP Triggers

Our Operators

Former Intelligence. Current Edge.

Every operator on our team has prior experience in government signals intelligence, offensive cyber operations, or elite CTF competition.

Marcus Vale

Lead Operator & Founder
Ex-NSA TAO · OSED · OSCP

Sora Chen

Cloud & Identity Specialist
Ex-Google Project Zero · CRTO

Rafael Aziz

Physical & Social Engineering
Ex-GCHQ · CREST CRT · LPT

Elena Kovač

Malware & C2 Research
DEF CON Black Badge · FLARE-ON

CREST Approved · CHECK Certified · TIBER-EU Qualified · ISO 27001 · SOC 2 Type II · CBEST Listed · PTES Compliant

Start an Engagement

Ready to find out what an attacker would do?

Share your email and we'll schedule a confidential scoping call within 24 hours.

All engagements operate under strict NDA. Signed MSA before scoping call.