Attack Simulations

Simulated attacks under realistic conditions are just as much a part of any holistic cyber security strategy as the systematic testing of limited scopes for vulnerabilities as part of penetration tests. Chained, highly professional attacks by malicious actors such as Advanced Persistent Threats (APTs) cause enormous damage, as do coordinated Distributed Denial of Service (DDoS) attacks.

Whether an organization’s security measures are effective in an emergency can only be determined by carrying out an attack simulation. The CERTAINITY Red Team specializes in carrying out complete red teaming assessments or targeted individual services.

Red Teaming

In a complete Red Teaming Assessment, the Red Team starts without prior knowledge. The Blue Team of the client organization also has no knowledge of how the assessment will be conducted. The team will carry out extensive reconnaissance measures and use the knowledge gained to prepare and carry out complex, chained attacks. The team will attempt to circumvent existing security and monitoring measures and the Blue Team in order to achieve the defined objectives of the assessment. Depending on the situation, restrictions and requirements, social engineering attacks and physical intrusion attempts are used in addition to technical cyber attacks.

Through this attack simulation, client organizations receive a comprehensive stress test of their security architecture and a meaningful risk assessment based on realistic conditions.

CERTAINITY conducts Red Teaming Assessments based on the MITRE ATT&CK® Framework. A complete assessment usually goes through the following phases:

  • Reconnaissance
  • Initial Access
  • Persistence
  • Lateral Movement
  • Privilege Escalation
  • Objectives

Initial Compromise Assessment

An Initial Compromise Assessment is the first part of a Red Teaming Assessment. The central question is whether an external, harmful actor can succeed in overcoming an organization’s protective security measures. In addition to extensive reconnaissance measures, the Red Team will carry out cyber attacks on external perimeters and also attempt to implement an initial compromise of an internal system with the help of social engineering and physical intrusion attempts.

Listed below are some of the phases involved in an Initial Compromise Assessment:

  • Reconnaissance
    • OSINT Analysis
    • Active Information Gathering Measures
    • Physical Reconnaissance
    • Mapping Attack Surface
  • Initial Compromise
    • Development of Resources, attack techniques and s
    • Social Engineering
    • Attacks on External Perimeters
    • Physical Intrusion
  • Mission Complete
    • Achievement of Objectives (e.g. initial compromise of a system, physical intrusion into a secure area, etc.)
    • Exfiltration
    • Documentation of Results, Risk Assessment
    • Final Presentation

Assumed Breach Assessment

The Assumed Breach Assessment forms the internal part of a complete Red Teaming Assessment. In this scenario, the Red Team is given initial access to the internal network (e.g. an employee notebook with a standard user). Based on the assumption that it is possible for a malicious actor to compromise a user or an internal system, the Red Team expands the initial access via lateral movement, expands the rights within the domain, bypasses internal security measures and operates undetected by the cyber defense unit (Blue Team).

An Assumed Breach Assessment usually goes through the following phases:

  • Persistence
  • Lateral Movement
  • Privilege Escalation
  • Objectives


OSINT (Open Source Intelligence) is a process of collecting and analyzing information from publicly available sources. During an OSINT analysis, CERTAINITY uses passive information gathering measures to obtain as much information as possible about a target organization. The information obtained is categorized and evaluated in terms of its security criticality. The result of the OSINT analysis is a comprehensive image of an organization’s external attack surface.

The following passive information gathering measures can be used in an OSINT analysis:

  • Technical reconnaissance on the Internet
  • Clear web analysis
  • Deep web analysis
  • Dark net analysis
  • Physical reconnaissance
  • Retrieval of publicly accessible information from authorities, offices, databases, etc.

The findings of an OSINT analysis can be used as the basis for further services such as external penetration tests. Attack simulations such as Red Teaming or Initial Compromise Assessments include the performance of an OSINT analysis to create the information basis required for further attacks.

Phishing Simulation

Currently, phishing attacks are statistically responsible for most serious cyber security incidents. Despite extensive security measures, criminals still manage to steal access data or infect employees’ end devices with malware.

Systematically testing employee awareness is a fundamental part of any cyber security strategy. CERTAINITY conducts individual phishing campaigns, analyzes and documents the results and thus creates an ideal basis for decision-making when budgeting and planning awareness training.

Cyclical phishing campaigns offer a cost-effective solution for the long-term measurement of employee awareness.

Social Engineering

People are the most critical vulnerability in any organization. Social engineering assessments measure and evaluate the resilience of your employees to versatile and tricky attacks on a psychological and social level.

CERTAINITY offers simple and comprehensive social engineering assessments remotely and/or on-site. The consultants follow a strict code of ethics and adhere strictly to agreements and legal regulations. Depending on requirements and needs, the following typical attack classes can be used, among others:

  • (spear) phishing / whaling / vishing / smishing
  • Pretexting
  • Baiting
  • Tailgating
  • Impersonation
  • Dumpster Diving
  • Shoulder Surfing
  • Social Media Engineering
  • USB Drop Attacks
  • Reverse Social Engineering
  • Honey Trapping
  • Psychological Manipulation

Physical Assessment

Through targeted and well-prepared physical intrusion into buildings and security areas, attackers can bypass a large number of typical (cyber) security measures with simple means and cause major damage. The systematic investigation of physical site security is therefore an elementary component of any holistic security strategy.

CERTAINITY offers physical security assessments in combination with red teaming services and social engineering assessments, but also as a stand-alone service. Depending on the requirements, the scope of the investigation and the chosen approach, the following physical attack vectors can be checked, among others:

  • Physical reconnaissance
  • Identification and exploitation of vulnerabilities in security barriers
  • Undetected access to the company premises
  • Bypassing surveillance technology
  • Deactivation of security technology
  • Identification of weak points in windows, doors and other access points
  • Physical intrusion into buildings and security areas
  • Undetected escape after successful physical intrusion

Distributed Denial of Service (DDoS)

Distributed denial of service (DDoS) attacks pose a serious threat to IT infrastructure and applications and can severely impair their operation. CERTAINITY has developed a standardized test methodology in cooperation with global partners and customers to measure the effectiveness of the implemented countermeasures and protective measures. The methodology is based on the internationally recognized DDoS Resiliency Score (DRS).

The result of the stress test is a proof of performance of deployed anti-DDoS services, which is suitable for reliably demonstrating the resilience of your own IT systems against DDoS attacks as part of audits, certifications and security checks. You also receive recommendations for increasing the level of protection.

A CERTAINITY DDoS simulation typically goes through the following phases:

  • Selection of suitable target systems
  • Creation of an attack plan based on DRS
  • Execution of a DDoS attack using simulated IoT bots and web browsers
  • Determination of security configuration parameters
  • Documentation of the results and issuing suggestions for improvement

Make an individual appointment to discuss your questions and objectives with the experts at CERTAINITY. We will be happy to advise you on the choice of individual parameters to find the optimal approach to achieve your goals.
