Published: 3 November 2025

Why Combining Adversary Emulation with Red Team Simulations is the Next Step in Verified Resilience

As many organisations know all too well these days, it’s not a matter of if digital systems will be attacked, but when and by whom. Yet, even advanced red team exercises are often unable to answer a critical question for executive leaders: are we truly prepared for the specific threat actors most likely to target us?

While red teaming can expose critical system vulnerabilities by simulating cyberattacks, it has traditionally lacked a key ingredient: specificity. Red teams do not execute attacks exactly as an actual adversary would. So, while your organisation might discover all the creative ways your defences can be breached, you won’t learn how you would withstand the real tactics of APT 28, FIN7, or the nation-state group that is actively targeting your sector.

This is why, over the last few years, Northwave has been working to add emulation to our red team techniques. Here’s how it works and why adversary emulation is quickly becoming a strategic necessity to stay ahead of advanced threats.

Adversary Emulation: The Extra Spice For Red Teaming

Today, organisations have several different options for testing their security defences (see the table at the end of this article for a quick description of the possibilities). Red teaming is becoming a standard approach to proactively identify vulnerabilities and strengthen defences before adversaries strike. Frameworks such as TIBER (threat intelligence based ethical red-teaming) and ART (advanced red teaming) have raised the bar for threat-actor centred scenarios. And yet, even when simulating a specific threat actor, red team operators use familiar tools and instincts. It's essentially a simulation of the threat actor, as seen through the eyes of a red team operator.

Adversary emulation adds the missing flavour–the extra spice–to red teaming by introducing high-fidelity, repeatable baselines of real-world TTPs (tactics, techniques and procedures) into the organisation’s network. In practice, this means we safely deploy representative malware chains so your controls are tested against the actual behaviours of the groups most likely to target you. As a result, organisations gain:

  • A validated baseline confirming that detection rules, endpoint controls, and SIEM alerts trigger as intended, while revealing monitoring and detection gaps that real attackers could exploit.
  • More strategic red teaming so operators can focus on complex, creative attack paths while commodity TTPs are validated automatically.
  • Actionable, threat-specific findings rather than generic vulnerability lists.

Threat actors are becoming less predictable, particularly nation-state groups whose tactics differ markedly from cybercrime gangs. Generic testing may catch common ransomware patterns, but it can miss the subtleties that let an APT persist.

Our adversary emulation strategy is based on insights by Northwave’s cyber threat intelligence and research teams. We continually analyse the entire threat landscape and individual threats (by sector, systems, etc.) to provide our customers with the best coverage against their unique threats. Combining CTI-driven emulation with human red teaming provides both authenticity and ingenuity for a clearer view of risk and a faster route to intervention.

| | Threat Actor Simulation (Advanced Red Teaming) | Threat Actor Emulation (APT Emulation) |
|---|---|---|
| Goal | Act like a real attacker to test how far they can get. | Recreate the exact behaviour of a known APT, using representative malware chains, to validate defences. |
| Approach | Human-led operations using attacker logic and improvisation. | Automated or semi-automated replay of real-world TTPs and malware chains. |
| Scope | Comprehensive: covers the full kill chain from initial access to impact. | Narrow: focused on specific TTPs or detection rules. |
| Toolset | Uses familiar offensive tools and techniques. | Uses threat-specific malware and command sequences. |
| Use Case | Identify systemic weaknesses and test human response. | Validate detections and pinpoint technical blind spots. |
| Ideal For | Organisations building or refining resilience. | Mature SOCs and blue teams fine-tuning detection and response. |

Why Emulation Matters: A Real-World Example

A recent client case offers a clear example of the benefits of adversary emulation. The client had a strong cyber defence system with both generic and targeted measures. A threat intelligence analysis by our CTI team recommended an APT 28 simulation. In carrying it out, our red team uncovered several weaknesses and ultimately achieved compromise. Of course, this provided useful insights for the security team.

But when we added adversary emulation by deploying a full APT 28 malware chain, the picture changed dramatically. Within hours, and at a fraction of the red team cost, the emulation uncovered additional areas where the customer had very little coverage or had rules configured too loosely. These were issues that would have left the organisation exposed to this very threat actor, and they had gone undetected during the red team exercise.

The outcome: a richer, more relevant set of findings feeding directly into a purple team session, giving the client both strategic reassurance and a tactical roadmap.
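The validated baseline described in the emulation section above (detection rules and SIEM alerts triggering as intended, with coverage gaps and loosely configured rules surfaced) and the client case just described both come down to the same purple-team exercise: reconciling what the emulation executed against what the monitoring stack actually raised. The script below is an added example, not Northwave's tooling and not anything taken from the client case. The technique IDs are MITRE ATT&CK IDs; the hosts, rule names, severities and timestamps are constructed sample data, and the 15-minute detection window and per-step expected severities are assumed values a purple team would agree per rule.

```python
"""Reconcile emulated TTP executions with the alerts a SIEM actually raised.

Added example (not Northwave's tooling). Technique IDs are MITRE ATT&CK IDs;
rule names, hosts, timestamps and severities are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class EmulatedStep:
    technique: str          # ATT&CK technique ID the emulation executed
    host: str               # endpoint the step ran on
    executed_at: datetime
    expected_severity: str  # severity the detection engineers expect to fire (assumed)


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    host: str
    severity: str
    fired_at: datetime


def classify_step(step, alerts, window=timedelta(minutes=15)):
    """Return (status, matching alert or None) for one emulated step.

    detected : an alert for this technique on this host fired inside the window
               at the expected severity or higher
    loose    : an alert fired inside the window, but at a lower severity than expected
    late     : an alert fired for this technique/host, but only after the window
    gap      : nothing fired for this technique on this host
    """
    same = [a for a in alerts if a.technique == step.technique
            and a.host == step.host and a.fired_at >= step.executed_at]
    in_window = [a for a in same if a.fired_at <= step.executed_at + window]
    if not same:
        return "gap", None
    if not in_window:
        return "late", min(same, key=lambda a: a.fired_at)
    best = max(in_window, key=lambda a: SEVERITY_RANK[a.severity])
    if SEVERITY_RANK[best.severity] < SEVERITY_RANK[step.expected_severity]:
        return "loose", best
    return "detected", best


def coverage_report(steps, alerts):
    """Map each emulated technique to its status and count statuses overall."""
    per_step = {s.technique: classify_step(s, alerts)[0] for s in steps}
    return per_step, Counter(per_step.values())


T0 = datetime(2025, 11, 3, 9, 0)

# Constructed emulation run: four steps of a hypothetical malware chain.
STEPS = [
    EmulatedStep("T1059.001", "ws-042", T0, "medium"),                          # PowerShell execution
    EmulatedStep("T1003.001", "ws-042", T0 + timedelta(minutes=5), "high"),     # LSASS memory access
    EmulatedStep("T1053.005", "ws-042", T0 + timedelta(minutes=10), "medium"),  # scheduled task persistence
    EmulatedStep("T1071.001", "ws-042", T0 + timedelta(minutes=12), "medium"),  # C2 over web protocols
]

# Constructed SIEM alert export for the same time range.
ALERTS = [
    Alert("Suspicious PowerShell", "T1059.001", "ws-042", "high", T0 + timedelta(minutes=2)),
    Alert("LSASS access (informational)", "T1003.001", "ws-042", "low", T0 + timedelta(minutes=6)),
    Alert("Scheduled task created", "T1053.005", "ws-042", "medium", T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    per_step, summary = coverage_report(STEPS, ALERTS)
    for technique, status in per_step.items():
        print(f"{technique}: {status}")
    print(dict(summary))
```

On the sample data the PowerShell step is detected, the LSASS step is flagged as loose (the rule fired, but only as informational, which is the "rules configured too loosely" finding from the client case), the scheduled-task step is late (a rule fired, but two hours after execution, outside the agreed window), and the C2 step is a gap. Each status maps directly to a purple-team action: tune severity, fix the delayed data source, or write a new rule.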


From Simulation to Assurance

Northwave’s 2025 Global Threat Landscape report found that highly skilled actors are increasingly targeting small and medium-sized businesses, aiming for disruption, espionage, or sabotage. Cybercriminal groups are borrowing tactics from nation-state APTs and this blurred line poses a greater risk to business continuity and public safety in Europe. 

That’s why it’s more important than ever to go beyond checklists and simulations and adopt testing that is as unpredictable, adaptable, and authentic as the threats organisations face. By combining adversary emulations with red team simulations, organisations benefit from:

  • Risk alignment: You see how your organisation fares against the threats most likely to target you, not just a theoretical adversary.
  • Efficient investment: Emulation delivers high-impact insights quickly, at lower cost than extended red team campaigns.
  • Regulatory readiness: As frameworks like NIS2 and sectoral regulators demand proof of resilience, adversary emulation provides credible evidence of tailored testing.
  • Stronger resilience cycle: Findings feed directly into purple teaming and defence hardening, ensuring lessons are implemented rather than shelved.

Take the next step towards true resilience. Get in touch with our experts to learn how Northwave’s advanced red teaming and adversary emulation validate your defences against the threats that matter most.

Security Testing at a Glance

| Type of Test | Purpose | Approach | Key Characteristics |
|---|---|---|---|
| Vulnerability Scan | Identify potential vulnerabilities across the system | Automated tools scan for known issues (e.g., open ports, outdated software, misconfigurations) | Broad coverage, not deep; does not attempt to exploit vulnerabilities |
| Penetration Test | Assess risk by exploiting vulnerabilities | Manual and creative exploitation of weaknesses to reach critical assets | Goal is to reach the "crown jewels"; beware of mislabelled tests that are just automated scans |
| Red Team Exercise | Simulate a real-world attack to test detection and response capabilities | Mimics the tactics, techniques, and procedures (TTPs) of a specific threat actor | Focus on stealth and realism; includes planning and execution like an actual adversary |
| Adversary Emulation | Test defences against actual malware and threat actor attack methods | Uses actual malware and methods previously used by known threat actors | Evaluates technical defences against known threats |
