Securing your business-critical assets and operations requires more than traditional protective measures; it requires seeing your organization the way an adversary does. This collection of offensive security use cases illustrates how organizations across critical sectors, like Government, Finance, and Healthcare, are doing exactly that. The industries differ, but there is a shared need to test defenses, understand where real-world attackers could break in, how far they could go, and what safeguards must evolve to stay ahead. 

Red Teaming Use Cases

These examples of Red Team engagements and penetration tests reveal how offensive testing teams can uncover gaps in your detection and response as well as potential attack paths. 

Use Case: Government Agency

A government agency responsible for critical public services commissions a Red Team engagement to assess its cybersecurity resilience. The exercise simulates an advanced persistent threat (APT) attack, testing the agency’s ability to detect, respond to, and mitigate cyber threats targeting sensitive government data, public infrastructure, and national security. 

Phase 1: Initial Access Operations

The Red Team begins by gathering intelligence on the government
agency’s employees, vendors, and internal systems.

  • Reconnaissance: Open-source intelligence (OSINT) reveals outdated public-facing web servers and a cloud-based
    document-sharing portal used for inter-agency communication.
  • Spear Phishing Attack: A well-crafted email impersonating a senior government official is sent to agency employees, containing a malicious attachment disguised as a policy update created using Outflank Security Tooling’s (OST’s) Office Intrusion Pack.
  • Web Drive-By Attack: The Red Team exploits an unpatched content management system (CMS) vulnerability on the agency’s public website, embedding a JavaScript-based exploit that executes when employees visit the site.

Phase 2: Lateral Movement & Privilege Escalation

Once inside the government agency’s network, the Red Team moves laterally to compromise additional systems:

  • Credential Harvesting: Using tools from Outflank Security Tooling’s Credential Pack, they extract hashed passwords from memory and perform Pass-theHash attacks to gain deeper access.
  • Privilege Escalation: By exploiting an outdated endpoint security solution, they escalate privileges to administrator levels, gaining
    control over sensitive systems.

 

 

 

 

 

 

 

Phase 3: Maintaining Persistence & Evasion

To maintain access without detection, the Red Team deploys stealth techniques:

  • Quiet Transmission: They use encrypted HTTPS and DNS tunneling to communicate with their Cobalt Strike command and-control (C2) server.
  • Asynchronous Communication: Malware beacons at random intervals to avoid detection by security monitoring tools.
  • Remote Access Trojans (RATs): Custom backdoors are placed in critical systems, ensuring persistent access for future operations.

 

 

 

 

 

 

Phase 4: Simulated Attack Scenarios

The Red Team executes targeted attack simulations against
government assets:

  • Data Exfiltration: They extract classified documents, policy
    drafts, and sensitive citizen data to test the agency’s ability to detect data breaches.
  • Critical Infrastructure Disruption: They simulate an attack on the agency’s SCADA (Supervisory Control and Data Acquisition) systems, demonstrating how adversaries could disrupt water supply or traffic control operations.
  • Disinformation & Insider Threat Simulation: They fabricate fake internal memos and manipulate communication channels to test resilience against misinformation campaigns.

 

Phase 5: Red Team Engagement & Blue Team Training

The engagement involves continuous collaboration between Red and Blue Teams:

  • Incident Response Drill: The agency’s security team practices containment, mitigation, and recovery strategies.
  • Shared Sessions: The Blue Team is allowed to observe and analyze Red Team tactics in real time.
  • Extensive Logging: Every attack vector is documented for forensic analysis.
  • Purple Team Exercises: The Blue Team improves its detection capabilities based on Red Team findings.

 

 

 

 

In 2024, 70% of cyberattacks involved critical infrastructure

Outcome & Lessons Learned 

  • Identified Weaknesses: The exercise exposes vulnerabilities in third-party services, endpoint security, and insider threat detection. 
  • Security Improvements: The agency implements zero-trust architecture, network segmentation, and continuous security monitoring. 
  • Enhanced Cyber Resilience: The agency adopts a proactive security strategy, conducting regular Red Team engagements to safeguard national security assets. 
Red Team: Government Use Case

Use Case: Financial Institution

A large financial institution conducts an assumed breach exercise to test its cybersecurity resilience. The Red Team is tasked with simulating an advanced persistent threat (APT) attack, while the Blue Team monitors, detects, and mitigates threats in real-time. 

Phase 1: Initial Access Operations

The Red Team conducts reconnaissance on the Financial Institution’s employees using open-source intelligence (OSINT). They identify a senior financial analyst, “John Doe,” who frequently engages in industry webinars.

  • Spear Phishing Attack: A well-crafted email mimicking an industry event invitation is sent to John. The email contains a malicious Microsoft Compiled HTML Help (CHM) generated with the
  •  In Phase Builder.
  • Payload Execution: Once John clicks the link, a malicious payload executes, establishing an initial foothold through an encrypted reverse shell.

Phase 2: Lateral Movement & Credential Harvesting

With initial access to John’s workstation, the Red Team moves laterally within the financial institution’s network:

  • Credential Harvesting: They dump credentials from the memory using OST’s Credential Pack and extract NTLM hashes from the workstation.
  • Privilege Escalation: By exploiting a misconfigured service with SYSTEM privileges, they escalate privileges to domain administrator.

 

 

 

 

Phase 3: Maintaining Persistence

  • Quiet Transmission: They configure C2 communication over HTTPS and DNS tunneling through Cobalt Strike, allowing them to bypass traditional network monitoring tools.
  • Asynchronous Communication: A Beaconing mechanism is used to send periodic encrypted packets to evade detection.

 

 

 

 

 

Phase 4: Actions on Targets

With initial access to John’s workstation, the Red Team performs previously agreed actions within the financial institution’s network:

  • Money Transfer: Using Hidden Desktop, the Red team is able to launch the internal banking application from a compromised asset and proves that it is possible transfer money to an external account.

 

 

 

 

 

Phase 5: Red Team Engagement & Purple Teaming

The exercise involves real-time collaboration with the Financial Institution’s security teams:

  • Shared Sessions: The Red Team allows the Blue Team to observe certain attack techniques in real-time.
  • Extensive Logging: All Red Team activities are logged for forensic analysis.
  • Purple Team Exercises: The Red and Blue Teams analyze detections, fine-tune security tools, and improve response procedures.
  • Blue Team Training: Defensive teams are trained to detect and mitigate similar real-world threats

data breach

The number of cybersecurity attacks on financial institutions in the US has been rising, experiencing a 430% increase between 2020 and 2023 alone

Outcome & Lessons Learned 

  • Identified Gaps: The exercise reveals weaknesses in the Financial Institution’s email filtering, endpoint detection, and privilege management. 
  • Security Enhancements: Multi-factor authentication (MFA), stricter browser security policies, and improved lateral movement detection are implemented. 
  • Continuous Improvement: The organization adopts a proactive security strategy, conducting regular assumed breach exercises to stay ahead of emerging threats. 
Red Team: Financial Use Case

Use Case: Hospital Network

A regional hospital network conducts a Red Team engagement to evaluate its cybersecurity defenses. The exercise aims to simulate a sophisticated cyberattack targeting patient data, medical devices, and critical infrastructure, testing the hospital’s ability to detect, respond to, and recover from an intrusion. 

Phase 1: Initial Access Operations

The Red Team begins by gathering intelligence on the hospital network’s employees, vendors, and third-party service providers.

  • Reconnaissance: They identify a vulnerable third-party billing vendor with weak cybersecurity controls.
  • Spear Phishing Attack: Using social engineering, the Red Team sends a phishing email to a vendor employee, impersonating the hospital network’s IT department. The email contains a malicious link that deploys a payload generated using OST’s PE Payload Generator when clicked.
  • Web Drive-By Attack: The Red Team also compromises a medical industry website frequently visited by hospital staff, injecting a browser exploit to gain initial access.

Phase 2: Lateral Movement & Privilege Escalation

Once inside the hospital network network, the Red Team moves laterally and escalates privileges:

  • Credential Harvesting: Using Credential Pack, they extract cached credentials from compromised workstations.
  • Lateral Movement: They pivot across the network, accessing electronic health record (EHR) systems and connected medical devices using Lateral Pack.
  • Privilege Escalation: Exploiting a misconfigured domain controller, they elevate privileges to a domain admin level using Impacket, allowing unrestricted access.

 

 

Phase 3: Maintaining Persistence & Evasion

To remain undetected, the Red Team establishes multiple persistence mechanisms:

  • Quiet Transmission: They use DNS over https tunneling and encrypted HTTPS communication through Cobalt Strike to exfiltrate data without triggering alerts.
  • Asynchronous Communication: A covert Beaconing technique allows them to maintain control over compromised systems while avoiding detection.

 

 

 

 

 

Phase 4: Targeted Attack Scenarios

The Red Team simulates real-world cyber threats targeting healthcare infrastructure:

  • Medical Device Exploitation: They compromise an IoT-connected MRI scanner, demonstrating how attackers could manipulate scan results or disrupt patient care.
  • Ransomware Deployment: Using Ransomware Simulator, they encrypt non-essential patient records to test the hospital’s incident response plan.
  • Data Exfiltration: They exfiltrate sensitive patient data, including medical histories and insurance records, highlighting potential HIPAA violations.

 

Phase 5: Red Team Engagement & Blue Team Training

This exercise involves collaboration between offensive and defensive teams:

  • Shared Sessions: The Red Team provides real-time insights into attack methodologies.
  • Extensive Logging: Every action is documented for forensic analysis and post-engagement review.
  • Purple Team Exercises: The Blue Team improves detection capabilities based on Red Team findings.
  • Incident Response Drill: The hospital’s cybersecurity team practices containment, eradication, and recovery strategies.

 

61% of cloud compromise incidents resulted in disrupted patient care, 52% led to longer hospital stays & 36% were linked to increased mortality

Outcome & Lessons Learned

  • Identified Weaknesses: Gaps in third-party security, endpoint detection, and network segmentation were exposed. 
  • Security Improvements The hospital network implements multi-factor authentication (MFA), network segmentation, and enhanced monitoring for medical devices. 
  • Enhanced Preparedness: The hospital now conducts regular Red Team engagements to maintain a proactive security strategy. 
Red Team: Hospital Use Case

Get a Personalized Cobalt Strike Demo

See how red teams use its flexible adversary‑simulation capabilities—like Beacon, Malleable C2, and the Arsenal Kit—to mirror real‑world attacker behaviors. This live walkthrough gives you the chance to explore features relevant to your environment and ask questions in real time.

Request Live Demo

Pen Testing Use Cases

While Red Team engagements take a broad approach, emulating real adversaries to test an organization’s detection, response and resilience, penetration tests focus on identifying and validating specific vulnerabilities in defined systems. Both testing types serve important roles and are often used together as part of an offensive security strategy.  

Use Case: Government Agency

A national government agency operates a secure web platform for delivering citizen services such as benefits applications, licensing, and tax filings. The agency wants to proactively identify weaknesses in its public-facing and internal systems before they can be exploited by hostile actors.

Phase 1: Planning and Reconnaissance

The pen testers gather critical information about the target organization, its employees, its network, and systems.

  • Passive Reconnaissance: They leverage Open Source Intelligence (OSINT), or publicly available data like public records, social media posts, the public-facing website, and online databases, to glean intelligence on the government agency’s key stakeholders and material assets.
  • Active Reconnaissance: Pen testers perform a perimeter assessment. This tests the agency’s public-facing web apps, customer/citizen portals, and exposed services for vulnerabilities in line with OWASP Top 10 and CWE/SANS Top 25.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Phase 2: Scanning

The public sector agency is probed with automated tools to identify vulnerabilities, open ports, and exploitable services.

  • Validate 20+ Scanners: Using Core Impact, pen testers can validate the results of more than 20 third-party scanners. These include Fortra VM, Nessus, and BurpSuite.
  • Prioritize Results: Following the scan, Core Impact prioritizes the results to give the government agency’s security team a severity-based list of where to begin remediations.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Phase 3: Gaining Access

The penetration testers use the information gained in reconnaissance and scanning to gain unauthorized access to the agency’s network and systems. The goal is to gain control over the target and demonstrate potential damage by an outside attacker.

  • Access Control Testing: They validate that only authorized roles can access sensitive citizen records (benefits forms, tax documents, business licenses), even under complex multi-role workflows. In this case, they discover a vulnerability in a public-facing website that can be exploited to allow unauthorized access to a database containing business license numbers and contact information.
  • Password Cracking: Pen testers leverage Core Impact to communicate securely with password-cracking service CloudCypher. The communication is encrypted with mutual authentication. Any Windows NTLM hashes discovered are passed back to Core Impact for further use in the agency’s penetration test.
  • Social Engineering: Using Core Impact, pen testers launch an automated phishing campaign impersonating a CISA threat sharing advisory, warning the agency to be wary of tax season scams. The campaign is sent to the head of the agency, key stakeholders, and the CISO.
  • Infrastructure Security Review: The pen testing team includes firewall, VPN, and email gateway testing (for additional resilience against phishing-based initial access) when attempting to gain entry to the target.

Phase 4: Maintaining Access

At this stage, the pen testers try to establish persistence into the agency’s systems to increase their chances of exfiltrating sensitive citizen data over time.

  • Privilege Escalation & Lateral Movement: They attempt to escalate privileges within the agency’s internal network and pivot into systems holding sensitive PII (tax filing databases, SSNs associated with Social Security benefits, etc.).
  • Data Exfiltration Simulation: Pen testers assess how easily sensitive datasets could be extracted from public-facing systems (SQL attacks), and whether data loss prevention (DLP) tools trigger alerts.

  • Establish Backdoors: The pen testing team has the option of partnering with Cobalt Strike Beacon to create backdoors to establish persistence and maintain access to the target.

Phase 5: Reporting

A report is delivered to the agency providing a detailed account of the vulnerabilities discovered during the penetration test. The agency receives a summary of key findings and actions taken at each phase, along with prioritized recommendations for remediation.

The pen testers recommend regular vulnerability scans and patch management across internal systems and the agency’s public-facing website, increased password security standards, and multi-factor authentication (MFA) as a second line of defense against credential abuse.

 

 

 

 

 

 

 

calendar data

Number of records compromised in federal breaches annually – 2.3M

Outcome & Lessons Learned

This government agency had several objectives in mind when deciding to perform a penetration test. They included: 

  • Demonstrating Regulatory Compliance: Standards like NIST 800-53 and FISMA both require pen testing as a mandatory security control for federal agencies. 
  • Improve Citizen Trust: Publicizing the fact that they perform regular, third-party penetration tests earns them the trust of the public and increases the number of citizens likely to interact with that agency’s services.  
  • Harden Defenses Against Both Nation-State and Cybercriminal Threats: Unpatched vulnerabilities are an open invitation to sophisticated nation-state actors who can do a lot with these easy entry points. 
Pen Testing: Government Use Case

Use Case: Financial Institution

A major retail bank relies on a cloud-hosted customer banking portal and an internally developed mobile app for millions of customers worldwide. The bank wants to ensure these systems are resistant to real-world cyberattacks that could compromise customer data, disrupt transactions, or damage trust. 

Phase 1: Planning and Reconnaissance

To begin, pen testers gather as much information as possible about the bank’s systems, employees, network, website, application, and architecture.

  • Passive Reconnaissance: They use Open Source Intelligence (OSINT) techniques to gather information for social engineering attacks (via social media, the bank’s website, public records, and online databases), as well as for technical inroads (IP addresses, domain names, and technologies used).
  • Active Reconnaissance: They perform a perimeter test, probing the public-facing mobile app, the customer banking portal, and any other exposed services for vulnerabilities in line with OWASP Top 10 and CWE/SANS Top 25.

 

 

 

 

 

 

 

 

 

 

Phase 2: Scanning

Next, pen testers subject the bank’s mobile app, customer portal, and other public-facing services to further investigation using automated tools that scan for exploitable weaknesses.

  • Validate Scans: Core Impact can validate vulnerabilities from over 20 scanners, integrating with Fortra VM, Burpsuite, Nessus, Qualys, Tenable, and more.
  • Prioritize Findings: After completing a scan of the environment, pen testers use Core Impact to provide a prioritized validation of the bank’s internal weaknesses.

 

 

 

 

 

 

 

 

 

 

 

 

 

Phase 3: Gaining Access

Pen testers attempt to gain control over the bank’s services using the information gained in the reconnaissance and scanning stages.

  • External Application Testing: They simulate attacker attempts to exploit customer-facing banking portals and APIs (e.g., injection, broken authentication, improper access controls).
  • API Security Review: Testers focus their efforts on FinTech integrations and open banking APIs (in line with PSD2 compliance).
  • Payment Workflow Tampering: Pen testers try to manipulate transaction parameters or bypass transaction confirmation steps.
  • Mobile App Reverse Engineering: Testers assess whether the mobile app’s code, APIs, and local storage leak sensitive data or expose keys.
  • Social Engineering: They leverage Core Impact to conduct an automated phishing campaign. Posing as the FDIC, pen testers create a simulated malicious phishing email that notifies banking executives about the soon-to-be-retired FFIEC Cybersecurity Assessment Tool (CAT). The link provided in the email contains malware that will download upon clicking.

Phase 4: Maintaining Access

Pen testers now look to leverage initial access, maintain persistence, and demonstrate avenues for additional damage within the bank’s digital infrastructure.

  • Privilege Escalation Attempts: They test for ways to move from a standard customer account to administrative or back-end access. With Core Impact, this step is automated.
  • Lateral Movement: Using elevated access, pen testers attempt to pivot into systems holding sensitive PII, such as databases containing account numbers, addresses, and login credentials.
  • Data Exfiltration Simulation: Using Core Impact, testers assess how easily sensitive datasets could be extracted and whether the data loss prevention (DLP) tools in place effectively trigger alerts.
  • Establish Persistence: Core Impact’s patented Core Agents help pen testers establish persistence within the bank’s internal systems. OS agents operate like malware, and persistent agents can be planted in the bank’s file system to provide a longer-lasting foothold.

Phase 5: Reporting

The bank receives a detailed report of the results of the penetration test, outlining the scope, methods used, vulnerabilities discovered, and prioritized security remediation recommendations.

Core Impact’s automated reporting feature supports a number of reporting formats, based on the type of pen test used, and helps prove compliance with standards such as HIPAA, GDPR, and PCI DSS.

 

 

 

 

 

 

 

 

 

 

 

 

 

cyber attacks

Proportion of financial institutions that experience a cyber attack annually – 66%

Outcome & Lessons Learned 

At the outset, the retail bank commissioned the penetration testing report with several objectives in mind. 

  • Identify Exploitable Vulnerabilities Before Threat Actors Do: By the time financially motivated attackers probe the bank’s website, app, or customer portal, it is already too late. Pen testing lets the financial institution experience this same level of awareness within a safe setting and with time to spare. 
  • Ensure Compliance With PCI DSS, FFIEC Guidance, and Internal Risk Controls: Increasingly, compliance mandates require penetration testing as a necessary security measure to test defenses and reduce risk within the financial sector.  

After receiving the pen testing report, the bank understands key areas of concern within the network, its end-users, and its mobile application that could jeopardize these objectives. 

Pen Testing: Financial Use Case

Use Case: Hospital Network

A major hospital system relies on a complex digital ecosystem—including a patient portal, Electronic Health Records (EHR), IoTconnected medical devices, and an internal clinical network—to support daily operations and patient care. With rising cyber threats targeting healthcare environments, the hospital needed a way to continuously assess weaknesses without disrupting clinical workflows.

Phase 1: Planning & Reconnaissance

Before executing any tests, the team defined a clear scope to avoid operational disruptions, particularly important in environments that support patient care. Key reconnaissance tasks included:

  • Mapping the hospital network and identifying interconnected systems such as EHR servers, medical imaging devices, IoT endpoints, and Wi-Fi access points.
  • Identifying open ports, active services, and operating systems used across clinical and administrative devices.

By leveraging Core Impact, the team was able to automate early reconnaissance steps and streamline their testing workflow.

Phase 2: Scanning

With the scope established, automated scanning began across multiple systems:

  • Network scanning to reveal outdated firmware, misconfigurations, and exposed services.
  • Web application scanning to identify injection vulnerabilities associated with patient portals or internal web-based tools.
  • IoT/medical device scanning to detect hardcoded credentials or unrestricted permissions.

Core Impact’s ability to integrate scanning results from top vulnerability management solutions provided the team with a consolidated view of vulnerabilities, helping them prioritize by risk and clinical impact.

Phase 3: Gaining Access (Exploitation)

Once vulnerabilities were identified, exploitation testing was performed to validate risk levels:

  • Running CVE-based exploits against outdated firmware on Wi-Fi access points, confirming the potential for remote code execution.
  • Testing for hardcoded credentials on medical imaging systems.
  • Attempting privilege escalation on compromised systems.
  • Simulating ransomware propagation, helping the hospital visualize how fast an attack could spread.

Core Impact’s certified exploitation capabilities proved critical for safely demonstrating real-world attack paths while maintaining hospital uptime.

Phase 4: Lateral Movement & Post-Exploitation

After initial access was achieved, the security team simulated internal attacker behavior:

  • Mapping reachable clinical systems from compromised devices.
  • Assessing whether PHI (Protected Health Information) was accessible due to misconfigured file permissions.
  • Evaluating segmentation controls between administrative and clinical networks.

Core Impact’s structured workflow enabled repeatable and safe post-exploitation testing across sensitive healthcare systems.

Phase 5: Reporting & Remediation

The automated penetration testing platform generated two levels of reports:

  • Technical reports for IT teams, containing details on exploited vulnerabilities and recommended fixes.
  • Executive summaries highlighting business impact, regulatory implications (HIPAA, NIST, ISO 27001), and prioritized action items.

Once remediation steps were completed, the team retest vulnerabilities and verify closure.

 

 

Average time between breach and discovery in the healthcare sector – 213 days

Outcome & Lessons Learned

At the outset, the hospital launched automated penetration testing to strengthen security and reduce risk across patientcare systems. 

  • Identify Critical Vulnerabilities Before Attackers Could: Testing uncovered several high impact weaknesses— including outdated WiFi firmware vulnerable to remote code execution, hardcoded credentials on medical imaging systems, and misconfigured file permissions exposing PHI— giving the hospital early visibility into threats that could jeopardize operations and data privacy. 
  • Support Compliance With HIPAA, NIST, and Internal Controls: Automated testing, enhanced through Core Impact, enabled continuous, scalable assessments, early detection of vulnerabilities across EHR, IoT, and network assets, and streamlined verification of remediation efforts to meet healthcare security standards. 
  • Clarify Key Areas of Concern Across Clinical and Network Systems: With clear findings and compliance ready reports, the hospital improved its cybersecurity posture and established a recurring testing schedule to ensure ongoing risk reduction and operational resilience.
Pen Testing: Hospital Use Case