Headlines about major cyber attacks carried out by criminal groups or nation-state actors have long become part of everyday news. Economic espionage, industrial espionage, ransomware, and other cyber threats are estimated to cost the German economy alone more than €200 billion every year (Source: German Federal Criminal Police Office (BKA)).

As an IT security and penetration testing provider, CERTAINITY has gained extensive insight into the internal and external IT infrastructures of organizations across all industries and company sizes. One conclusion consistently stands out: most organizations focus heavily on minimizing the number of systems and services exposed to the Internet, securely configuring (“hardening”) them, and protecting them with security technologies such as firewalls.

The underlying concern is obvious: once an attacker manages to get a foot in the door, the resulting damage can be devastating. Internal IT environments provide attackers with almost unlimited opportunities to expand their access and compromise critical systems. Preventing external attackers from reaching the internal network is therefore a primary objective.

However, traditional penetration tests cover only a relatively small subset of possible external attack vectors. This article explains why an Initial Compromise Assessment—sometimes referred to as “Red Teaming Light”—often delivers significantly greater value.

Initial Compromise, Red Teaming, Assumed Breach, and Penetration Testing – What’s the Difference?

Below is a brief overview of the individual approaches:

  1. Penetration Testing: The application of ethical hacking techniques to identify vulnerabilities within a clearly defined scope. This scope may include specific applications, individual servers, or entire internal or external IT infrastructures.

  2. Red Teaming: A team of ethical hackers assumes the role of a realistic external threat actor (Red Team) and attempts to achieve predefined objectives while facing the organization’s defenders (Blue Team) and their technical and organizational security controls. Typical objectives include stealing specific data, compromising critical systems or networks, or even obtaining physical access to designated facilities.

  3. Assumed Breach: The Assumed Breach (or Insider Scenario) is a simplified variation of a Red Team Assessment. Instead of gaining initial access from the outside, the exercise assumes that an attacker has already compromised an internal asset—for example, an employee’s laptop—and focuses on how far the attacker can expand their privileges and move throughout the network.

Kill Chain Coverage Overview Figure 1: Coverage across the Cyber Kill Chain

In summary, penetration tests offer the advantage of being more cost-effective and allowing for a thorough assessment of a well-defined target. Red Team Assessments, on the other hand, take a holistic approach. Rather than focusing on individual systems, they evaluate the effectiveness of an organization’s overall security posture under realistic attack conditions. While considerably more resource-intensive, they provide significantly deeper insights into how well security measures perform against genuine adversarial behaviour.

Through years of security testing experience, CERTAINITY’s consultants have repeatedly observed that once attackers gain an initial foothold inside an organization’s network, expanding their access often becomes remarkably easy. The key question therefore is:

Can an external attacker gain access to the internal network in the first place—and if so, how?

To answer exactly this question, CERTAINITY offers another variation of Red Teaming: the Initial Compromise Assessment.

Unlike an Assumed Breach Assessment, the Red Team must obtain its initial access independently by compromising an externally accessible system or another viable attack vector. Instead of asking “What could happen if an attacker were already inside?”, the assessment answers the much more practical question: “How can a motivated attacker actually get inside?”

The result is a realistic assessment of the attack paths that enable external adversaries to penetrate an organization’s internal network.

The Importance of Initial Compromise Assessments in Modern Security

An Initial Compromise Assessment focuses on overcoming an organization’s first line of defence. This makes the assessment valuable not only for organizations with a mature cybersecurity posture but also for companies that are just beginning to evaluate their resilience against realistic attacks.

Besides its comparatively attractive cost, the low entry barrier is one of the main reasons organizations choose this type of assessment. Unlike traditional penetration tests or Assumed Breach assessments, no preparatory work is required from the customer. The real value, however, lies in the holistic evaluation of an organization’s security posture under realistic conditions and in answering one essential question:

Can a motivated attacker actually get inside?

Initial Compromise – How Is It Achieved?

Successfully gaining access to IT infrastructure, buildings, or business processes requires thorough preparation. During the reconnaissance phase, the Red Team performs an extensive Open Source Intelligence (OSINT) assessment. The target organization is investigated using publicly and semi-publicly available information from the clear web, deep web, and dark web. In addition, physical office locations are surveyed, individuals associated with the organization are identified, and externally accessible applications, services, and systems are examined for potential weaknesses.

Based on the information gathered during reconnaissance, the team develops multiple attack scenarios. Although each attack differs in execution, they all pursue the same objective: achieving an initial compromise.

To accomplish this, technical, physical, and social attack techniques are combined. Typical examples of successful initial compromise include:

  1. Compromising user accounts for externally accessible services through spear-phishing.
  2. Installing a Remote Access Trojan (RAT) on an employee’s laptop by convincing the user to open a malicious email attachment.
  3. Gaining unauthorized physical access to a server room by bypassing physical access controls.
  4. Entering restricted areas through social engineering and deception of employees.
  5. Compromising an Internet-facing system with access to the internal network through Remote Code Execution (RCE).
  6. Executing malware on an internal workstation using a modified USB device (BadUSB attack).

Benefits for Organizations

A successful initial compromise does not conclude the assessment. Instead, the Red Team continues exploring additional attack paths and opportunities to achieve its objectives.

Every attack attempt—whether successful, detected, or blocked—is thoroughly documented. This provides organizations with valuable insight into how professional threat actors operate and clearly identifies where existing security controls perform well and where improvements are still required.

Thanks to its holistic approach, an Initial Compromise Assessment evaluates the organization’s overall security architecture under realistic attack conditions by testing, challenging, and validating its technical, physical, and organizational defences:

  1. Technical security controls such as firewalls, intrusion detection and prevention systems (IDS/IPS), endpoint protection, EDR solutions, secure infrastructure configurations, and similar technologies.
  2. Organizational security measures such as patch management processes, identity and privilege management concepts, and the implementation and enforcement of security policies.
  3. Security and monitoring technologies including surveillance cameras, motion detectors, access control systems, and alarm systems.
  4. Physical security controls such as fences, gates, doors, windows, and ventilation shafts.
  5. Employee security awareness and training.

As a result, the customer receives a comprehensive report describing all identified security weaknesses, recommended remediation measures, and evidence demonstrating the practical exploitability of each vulnerability. Unsuccessful attack attempts are documented as well.

Organizations use these findings to develop remediation plans, eliminate vulnerabilities, support risk management activities, prioritize security investments, and provide management with a solid basis for strategic security decisions.

Limitations of Initial Compromise Assessments

CERTAINITY strictly complies with all applicable legal requirements and conducts every assessment within the agreed scope of engagement.

Where a Red Team and Blue Team play “cops and robbers,” there is always a White Team overseeing the exercise. A small group of representatives from the customer organization is involved in both the planning and execution of the assessment from the outset. This ensures that, despite the autonomous operation of the Red Team, the exercise remains transparent and under full organizational control.

Attack scenarios are coordinated with the White Team in advance so that critical situations can be resolved immediately and unnecessary consequences—such as police intervention—can be avoided.

When applying social engineering techniques, CERTAINITY also strictly adheres to its Code of Ethics. The physical and psychological well-being of both unsuspecting employees and our own team members always takes absolute priority.

Conclusion

The benefits of an Initial Compromise Assessment are numerous. It provides a realistic evaluation of an organization’s security posture and uncovers weaknesses that traditional security assessments may overlook. At the same time, it promotes a deeper understanding of both the tactical and strategic dimensions of cybersecurity while strengthening an organization’s ability to detect, respond to, and recover from attacks.

Ultimately, Initial Compromise Assessments provide value for organizations of every size. At a time when cybersecurity has become a fundamental business requirement, organizations must take a proactive approach by continuously evaluating, testing, and improving their security posture.