Knowledge Base

Frequently Asked Questions

Everything you need to know about our security services, engagement process, and how we work.

Offensive Engineering

Typical engagements run 4-8 weeks for full exercises, 2-4 weeks for assume-breach assessments. Regulatory exercises (TIBER/DORA) may require longer timelines depending on scope and coordination requirements.

Continuous purple teaming is an ongoing, collaborative security validation model where offensive testing and detection engineering run as a sustained program rather than a one-off exercise. Instead of a single point-in-time assessment, we continuously simulate real-world attack techniques, validate that your detections fire correctly, and refine detection rules as new threats emerge. This keeps your detection coverage aligned with the evolving threat landscape and APT tactics, turning purple teaming from a periodic project into a measurable, always-on capability.

Typical customers commit at least 20% of one internal full-time equivalent (about one day a week) for the duration of the engagement, ideally someone with IT security or IT operations knowledge. The exact effort varies with the customer's internal processes for onboarding external consultants and for governance and reporting reviews.

Penetration testing focuses on finding vulnerabilities in specific systems. Red teaming simulates complete attack scenarios to test your overall security posture, including detection, response, and decision-making capabilities.

Yes, within agreed scope and rules of engagement. We operate under strict legal agreements and coordinate with designated points of contact throughout the exercise.

Absolutely. Every red team exercise can include a purple team component where we develop detection rules alongside the engagement. This is our recommended approach for maximizing value.

We specialize in Active Directory, Microsoft Entra ID (Azure AD), and Okta. Our assessments cover misconfigurations, attack paths, privilege escalation vectors, and identity-based lateral movement.

Red teams simulate attacks with stealth to test overall security posture. Purple teams operate collaboratively to specifically improve detection and response capabilities.

Yes. We provide detailed reports that meet threat-led penetration testing requirements under TIBER-EU, DORA and other regulatory frameworks. Reports include executive summaries, technical findings, remediation guidance and continuous detection validation results.

We simulate real-world attack scenarios including initial access, lateral movement, privilege escalation, data exfiltration, and persistence. Scenarios are based on current threat intelligence and the MITRE ATT&CK framework.

We establish clear rules of engagement, coordinate with your IT team, and use non-destructive techniques. All testing is scheduled during approved windows with proper safeguards in place.

Comprehensive reports including executive summary, technical findings, attack narratives, evidence artifacts, and prioritized remediation recommendations. Purple team engagements also include detection rules and playbooks.

Defensive Engineering

We specialize in the Microsoft security stack (Sentinel, Defender XDR) but also work with Splunk, Elastic, CrowdStrike, and other platforms. Sigma rules provide cross-platform compatibility.

We validate every detection against real attack execution. If the rule doesn't fire reliably against the technique it's designed to detect, we don't deliver it.

Via a Git repository, yours or ours. All rules are version-controlled with full documentation including MITRE ATT&CK mapping.

Detection Confirmation and Validation (DCV) focuses specifically on validating and improving your detection rules through controlled simulation. Purple team exercises are broader collaborative engagements that include DCV alongside offensive testing and knowledge transfer.

Defensive engineering benefits organizations at various maturity levels. For less mature teams, we focus on foundational detections. For advanced teams, we target sophisticated techniques and advanced analytics.

Each rule includes MITRE ATT&CK mapping, technical description, false positive guidance, tuning recommendations, investigation playbooks, and validation evidence showing the rule triggering against real attacks.

We execute real attack techniques in controlled environments and verify that detection rules fire correctly. We test for both true positives and false positive scenarios.
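The acceptance bar described above (a rule must fire on the technique it targets and stay quiet on benign activity, or it is not delivered) is easy to encode as a replay harness. The following is an added example, not Crimson7's code or tooling: it evaluates a small Sigma-style rule (selection, optional filter, condition "selection and not filter") against constructed Sysmon Event ID 10 samples. The rule, its field names, the ATT&CK tags and every event are illustrative assumptions; the validation logic is the point.

```python
"""Minimal detection-validation harness (added example; assumed rule and events)."""


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier': value pair, case-insensitively as Sigma does."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    value = str(event[field]).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for exp in candidates:
        exp = str(exp).lower()
        if modifier == "" and value == exp:
            return True
        if modifier == "contains" and exp in value:
            return True
        if modifier == "startswith" and value.startswith(exp):
            return True
        if modifier == "endswith" and value.endswith(exp):
            return True
    return False


def _block_matches(event, block):
    """All fields in a selection/filter block must match; an empty block matches nothing."""
    return bool(block) and all(_field_matches(event, k, v) for k, v in block.items())


def rule_fires(rule, event):
    """Condition 'selection and not filter'."""
    return _block_matches(event, rule["selection"]) and not _block_matches(event, rule.get("filter", {}))


# Hypothetical rule: LSASS handle access from a process outside trusted paths.
RULE = {
    "title": "LSASS memory access by unexpected process (illustrative)",
    "tags": ["attack.credential_access", "attack.t1003.001"],
    "selection": {
        "EventID": 10,
        "TargetImage|endswith": "\\lsass.exe",
        "GrantedAccess|contains": "0x1010",
    },
    "filter": {
        "SourceImage|startswith": ["C:\\Windows\\System32\\", "C:\\Program Files\\Windows Defender\\"],
    },
}

# Same selection with the allow-list filter removed: the kind of rule the harness should reject.
NOISY_RULE = {**RULE, "title": "LSASS memory access (no filter, illustrative)", "filter": {}}

LSASS = "C:\\Windows\\System32\\lsass.exe"

# Constructed events standing in for telemetry recorded during technique execution.
TRUE_POSITIVES = [
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\procdump64.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Tools\\mimikatz.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
]

# Constructed benign events: legitimate LSASS access plus a dump of an unrelated process.
BENIGN = [
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def validate_rule(rule, true_positives, benign):
    """Replay both sample sets; the rule is deliverable only with no misses and no false positives."""
    missed = [e for e in true_positives if not rule_fires(rule, e)]
    false_positives = [e for e in benign if rule_fires(rule, e)]
    return {
        "title": rule["title"],
        "attack_mapping": rule["tags"],
        "missed": [e["SourceImage"] for e in missed],
        "false_positives": [e["SourceImage"] for e in false_positives],
        "deliver": not missed and not false_positives,
    }


if __name__ == "__main__":
    for r in (RULE, NOISY_RULE):
        print(validate_rule(r, TRUE_POSITIVES, BENIGN))
```

The benign set is what tunes the allow-list filter, and that filter is also the rule's weak spot: an attacker with local admin can copy a dumper into System32, so the true-positive set should include that variant before the rule is signed off, and the same replay should be repeated whenever the filter is widened.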

Absolutely. We audit existing rule sets, identify gaps, reduce false positives, and improve coverage. We provide detailed analysis of rule performance and recommendations for improvement.

Our detection development is informed by current threat intelligence, Advanced Persistent Threat (APT) group tactics, techniques and procedures (TTPs), our own internal vulnerability research, and findings from our red team engagements. Rules target attack campaigns observed in the real world.

Yes. We provide training sessions for your SOC analysts covering rule logic, investigation procedures, and response recommendations. Training materials are included with deliverables.

7Hunter

7Hunter is Crimson7's advanced threat hunting platform that combines automated hunting queries, behavioral analytics, and expert-curated threat intelligence to identify sophisticated threats.

7Hunter focuses on proactive threat hunting and hypothesis-driven investigation, while EDR focuses on endpoint detection and response. 7Hunter operates across your entire security stack, not just endpoints.

Network traffic, endpoint logs, cloud infrastructure events, email security data, identity events, vulnerability scans, and threat intelligence feeds. 7Hunter normalizes data across multiple sources.

Both. 7Hunter includes the platform plus managed threat hunting services from our expert analysts. You can also use the platform independently with training.

Our threat intelligence combines commercial feeds, open source intelligence, dark web monitoring, and insights from our red team engagements. It's specifically curated for hunting scenarios.

7Hunter typically identifies threats within hours rather than days or months. Continuous analysis and behavioral modeling enable rapid detection of subtle indicators.

MITRE ATT&CK-mapped queries, APT group behavioral patterns, living-off-the-land technique detection, supply chain compromise indicators, and custom queries based on current threat landscape.

Yes. 7Hunter integrates with major SIEM platforms including Sentinel, Splunk, Elastic, and QRadar. It can also operate as a standalone hunting platform.

Comprehensive threat hunting methodology training, platform usage sessions, custom query development workshops, and ongoing education on emerging threats and techniques.

We track threat detection metrics, time-to-discovery, investigation efficiency, false positive rates, and coverage across MITRE ATT&CK framework. Regular reporting provides visibility into hunting program maturity.

7Hunter can be deployed on-premises, in your cloud environment, or as a hybrid solution. We work with your infrastructure requirements and compliance needs.

Yes. Detailed hunting reports include threat findings, intelligence insights, recommended actions, and trending analysis. Executive summaries are provided for leadership visibility.

HackerFlow

HackerFlow is Crimson7's Detection & Response-as-Code (DaC & RaC) platform that automates security testing, detection development, and response orchestration through code-driven workflows.

HackerFlow focuses on security testing and detection engineering automation, while traditional SOAR platforms focus on incident response. HackerFlow treats detection and response as code, enabling version control, testing, and continuous validation and improvement.

HackerFlow supports Python, PowerShell, Bash, and custom integrations through APIs. Workflows are defined using a declarative YAML syntax with embedded code execution capabilities.

Yes. HackerFlow integrates with popular SIEM platforms, EDR solutions, threat intelligence feeds, ticketing systems, and communication tools through pre-built connectors and APIs.

Platform installation, workflow templates, integration setup, analyst training, documentation, and ongoing support. We provide starter workflows for common use cases.

HackerFlow includes built-in safety controls, testing environments, approval workflows, and rollback capabilities. All workflows undergo validation before production deployment.

Absolutely. HackerFlow's automation capabilities provide even more value for smaller teams by reducing manual work and ensuring consistent execution of security processes.

Threat hunting queries, detection rule testing, incident triage, evidence collection, threat intelligence enrichment, vulnerability assessment, and response orchestration.

HackerFlow is licensed annually based on organization size and feature requirements. Includes platform access, updates, support, and a library of pre-built workflows.

24/7 technical support, workflow development assistance, quarterly optimization reviews, access to our workflow library, and priority feature requests.

Managed Security

Breach and Attack Simulation (BAS) platforms automate the replay of previously known attack simulations. Purple Rain combines human intelligence and red team expertise with validated automation, driven by research-based TTPs, to deliver a managed detection engineering service, not just a tool licence and a list of what is broken.

Minimal ongoing commitment. After initial setup, your involvement is primarily receiving and reviewing deliverables. We handle the heavy lifting.

Purple Rain is designed for organizations with dedicated security operations. For smaller teams, our project-based purple team exercises may be more appropriate.

We work with Microsoft Sentinel, Splunk, Elastic, CrowdStrike, and other major SIEM/XDR platforms. Our client portal provides real-time dashboards regardless of your detection platform.

Continuous attack simulation, detection rule development, monthly threat reports, quarterly optimization reviews, 24/7 monitoring dashboard access, and dedicated technical support.

We continuously update attack techniques based on emerging threats, new vulnerabilities, and APT group activities. New simulations are added monthly, with critical updates deployed immediately.

Yes. We integrate with your existing SIEM, XDR, EDR, and other security tools through APIs and standard connectors. Integration is part of the onboarding process.

Monthly executive dashboards, quarterly technical deep-dives, real-time alert summaries, and annual security posture assessments. All reports include trending analysis and improvement recommendations.

We track detection coverage across MITRE ATT&CK techniques, time-to-detection metrics, false positive rates, and detection rule performance. Metrics are available in real-time through our portal.

Purple Rain is offered as an annual subscription to ensure meaningful security improvement. This allows for proper baseline establishment, trend analysis, and sustained improvement.

Specialty

For hardware assessments, yes, we typically work with sample devices in our lab. For ICS/OT assessments, we can work on-site or with representative test environments. Physical security testing is always performed on-site.

Never. We design all ICS/OT assessments with operational continuity as a hard requirement. We work with your OT team to define safe testing boundaries and use non-disruptive techniques.

We work across critical infrastructure sectors: energy, manufacturing, healthcare, transportation, and financial services. Our team has experience with industry-specific protocols and regulatory requirements.

We assess embedded systems, IoT devices, network equipment, medical devices, industrial control systems, automotive components, and custom hardware. Our lab includes specialized equipment for hardware analysis.

Yes. We perform comprehensive firmware analysis including reverse engineering, vulnerability identification, cryptographic implementation review, and bootloader security assessment.

We test Wi-Fi, Bluetooth, Zigbee, LoRaWAN, cellular (4G/5G), and proprietary wireless protocols. Our lab includes specialized RF equipment and software-defined radios.

We work with representative test environments, air-gapped lab setups, or controlled production environment testing with extensive safety measures. Safety and continuity are never compromised.

Our assessments align with IEC 62443 (the standard for OT cybersecurity), NERC CIP, the NIST Cybersecurity Framework, ISO 27001, FDA cybersecurity guidance, and other industry-specific standards.

Yes. We provide cloud security assessments covering AWS, Azure, and GCP environments, including configuration reviews, identity management assessment, and cloud-native security controls evaluation.

Physical penetration testing, social engineering assessment, badge cloning, lock bypass testing, surveillance system evaluation, and facility security controls review.

Engagements

For standard engagements, we can typically begin within 2-4 weeks. Urgent requirements can often be accommodated; let's discuss.

Yes. While we're based in Belgium, we work with organizations across Europe and internationally.

Discovery call, Scoping, Proposal, Engagement, Delivery. We'll walk through specifics during our initial conversation.