Emulate a real adversary end-to-end, quietly.
Red Team Operators run multi-week assumed-breach engagements that test the full kill chain: initial access, C2, persistence, privilege escalation, lateral movement, and objective completion — while staying below the blue team's noise floor.
Tools in scope
FAANG internal
Heavy on OPSEC reasoning and writeups; expect questions about how you'd avoid the company's own detections.
Boutique offensive shop
Tool development sample asked for — show C# / Rust / Nim tradecraft.
// Sample question
You've landed on a workstation with no admin. Walk me through a careful path to Domain Admin without tripping a modern EDR.
Recon with low-noise tooling (BloodHound CE collector via SharpHound stealth mode, no LDAP storm). Look for ADCS misconfigs (ESC1/ESC8), Kerberoastable accounts with weak passwords, or constrained delegation paths. Use signed living-off-the-land binaries (Rubeus via reflective loader, AMSI patched in-memory), stage credentials in memory, not on disk, and never spawn cmd.exe or powershell.exe parented under an Office process.