# Crimson7 Website: https://www.crimson7.io

## Home

- [Crimson7 | Offensive Security & Continuous Threat Validation](https://www.crimson7.io/): Elite offensive security services that expose and close the gaps before real attackers find them.

## Services

- [Services](https://www.crimson7.io/services): Adversary-led security services: Red Team, Purple Team, Purple Rain, and Detection Engineering.
- [Offensive Engineering](https://www.crimson7.io/services/offensive-engineering): Red team exercises, adversary simulation, purple team operations, identity security, and endpoint security assessments.
- [Defensive Engineering](https://www.crimson7.io/services/defensive-engineering): Detection engineering services: validation, development, optimization, and threat hunting rules. Delivered as code.
- [Managed Security](https://www.crimson7.io/services/managed-security): Purple Rain managed purple team, managed threat hunting, and continuous detection validation services.
- [Specialty Services](https://www.crimson7.io/services/specialty): Hardware security, firmware and IoT assessment, industrial control systems, and physical security testing.

## Products

- [HackerFlow — Offensive Security Workflow Automation](https://www.crimson7.io/products/hackerflow): Streamline your red team operations from recon to reporting. HackerFlow automates the repetitive, so you can focus on the creative.
- [7Hunter - Threat Hunting Query Management Platform](https://www.crimson7.io/products/7hunter): Centralize 4,280+ KQL queries, 75+ runbooks, and full MITRE ATT&CK mapping. Turn weeks of manual hunt setup into minutes.

## Company

- [Our Work](https://www.crimson7.io/work): Real results from real engagements. See how we help organizations improve their security posture.
- [About Us](https://www.crimson7.io/company/about): A team of offensive security experts who believe defense improves when you think like an attacker.
- [Contact](https://www.crimson7.io/contact): Request a discovery call or get in touch with our security experts.

## Resources

- [Resources](https://www.crimson7.io/resources): Blog posts, research, tools, and educational resources from our offensive security experts.
- [Blog](https://www.crimson7.io/resources/blogs): Cybersecurity research, threat intelligence, and detection engineering insights from the Crimson7 team.
- [Research Reports](https://www.crimson7.io/resources/research): KQL-based threat hunting runbooks with detection queries, MITRE ATT&CK mappings, and investigation guidance for Microsoft Sentinel.
- [Downloads](https://www.crimson7.io/resources/downloads): Datasheets, playbooks, sample reports, and templates from Crimson7. Free resources for security professionals.

## Blog posts

- [The Full Account: TeamPCP's Mini Shai-Hulud Supply Chain Campaign, Waves 1 & 2](https://www.crimson7.io/resources/blogs/teampcp-mini-shai-hulud-supply-chain-campaign): Complete forensic analysis of TeamPCP's supply chain attack: 2,650+ compromised GitHub repos, 16+ MB credential theft, and undetected Rust RAT deployment.
- [Bluekit PhaaS: The White-Label Supply Chain the Newswire Missed](https://www.crimson7.io/resources/blogs/bluekit-phaas-white-label-supply-chain): Bluekit is not just another Phishing-as-a-Service platform. It is a multi-tenant white-label PhaaS engine, and buried inside a JavaScript bundle we pulled from its Tor hidden service is the configuration for a second brand, SnagX, a Chinese-market reseller charging 2.8x Bluekit's prices to a completely separate operator base.
- [Hunting a PhaaS Operator: From Phishing Email to Lagos, Nigeria](https://www.crimson7.io/resources/blogs/hunting-phaas-operator-kali365): A phishing email landed in an employee's inbox. SPF passed. DKIM passed. DMARC passed. Spam score: 0.085/1.0. What started as a routine triage turned into a multi-day offensive hunt.
- [Bybit Hack Considerations](https://www.crimson7.io/resources/blogs/bybit-hack-considerations): Analysis of the cryptocurrency exchange breach, highlighting supply chain security and browser-based attack vulnerabilities.
- [APT38's New Game: Targeting Devs with Fake Coding Challenges](https://www.crimson7.io/resources/blogs/apt38-new-game): North Korean threat actors are leveraging GitHub to target software developers through fake job opportunities and technical interviews.
- [Conversion from Sigma Community to KQL That Works](https://www.crimson7.io/resources/blogs/sigma-to-kql-conversion): Our functional Sigma-to-KQL conversion utility compatible with the Sigma Community repository.
- [Managing Threat Hunting Content via APIs in Microsoft Sentinel](https://www.crimson7.io/resources/blogs/sentinel-threat-hunting-apis): API tools designed to streamline content management for threat hunting operations within Microsoft Sentinel.

## Events

- [Crimson7 at Cybersec Europe Brussels 2026](https://www.crimson7.io/events/cybersec-europe-2026): Two operator-grade talks at Cybersec Europe Brussels, plus our team at booth 05.B067 across both days. HackerFlow on continuous Purple Team validation, 7Hunter on threat hunting at scale. Both presented by Joey Verleg, Head of Managed Services.
- [teissAmsterdam 2026](https://www.crimson7.io/events/teiss-amsterdam-2026): Nick Maeckelberge from Crimson7 will be participating in a panel discussion at teissAmsterdam 2026 on using AI to operationalise cyber threat intelligence. The session covers transforming raw threat intelligence into actionable detection and response insights, automating detection pipelines, and validating defences using real-world adversary behaviour.

## FAQ

- [Frequently Asked Questions](https://www.crimson7.io/faq): Answers about Crimson7's services, products, and engagement process.
- [What data sources does 7Hunter analyze?](https://www.crimson7.io/faq/7h-data-sources): Network traffic, endpoint logs, cloud infrastructure events, email security data, identity events, vulnerability scans, and threat intelligence feeds. 7Hunter normalizes data across multiple sources.
- [What's the deployment model for 7Hunter?](https://www.crimson7.io/faq/7h-deployment): 7Hunter can be deployed on-premises, in your cloud environment, or as a hybrid solution. We work with your infrastructure requirements and compliance needs.
- [How quickly can 7Hunter detect advanced threats?](https://www.crimson7.io/faq/7h-detection-speed): 7Hunter typically identifies threats within hours rather than days or months. Continuous analysis and behavioral modeling enable rapid detection of subtle indicators.
- [How do you measure hunting effectiveness?](https://www.crimson7.io/faq/7h-measure-effectiveness): We track threat detection metrics, time-to-discovery, investigation efficiency, false positive rates, and coverage across the MITRE ATT&CK framework. Regular reporting provides visibility into hunting program maturity.
- [What kind of hunting queries does 7Hunter provide?](https://www.crimson7.io/faq/7h-query-types): MITRE ATT&CK-mapped queries, APT group behavioral patterns, living-off-the-land technique detection, supply chain compromise indicators, and custom queries based on the current threat landscape.
- [Do you provide hunting reports and analysis?](https://www.crimson7.io/faq/7h-reports): Yes. Detailed hunting reports include threat findings, intelligence insights, recommended actions, and trending analysis. Executive summaries are provided for leadership visibility.
- [Do you provide threat hunting services or just the platform?](https://www.crimson7.io/faq/7h-services-or-platform): Both. 7Hunter includes the platform plus managed threat hunting services from our expert analysts. You can also use the platform independently with training.
- [Can 7Hunter integrate with our SIEM?](https://www.crimson7.io/faq/7h-siem-integration): Yes. 7Hunter integrates with major SIEM platforms including Sentinel, Splunk, Elastic, and QRadar. It can also operate as a standalone hunting platform.
- [What makes 7Hunter's threat intelligence unique?](https://www.crimson7.io/faq/7h-threat-intel): Our threat intelligence combines commercial feeds, open source intelligence, dark web monitoring, and insights from our red team engagements. It's specifically curated for hunting scenarios.
- [What training is provided for 7Hunter?](https://www.crimson7.io/faq/7h-training): Comprehensive threat hunting methodology training, platform usage sessions, custom query development workshops, and ongoing education on emerging threats and techniques.
- [How does 7Hunter differ from traditional EDR solutions?](https://www.crimson7.io/faq/7h-vs-edr): 7Hunter focuses on proactive threat hunting and hypothesis-driven investigation, while EDR focuses on endpoint detection and response. 7Hunter operates across your entire security stack, not just endpoints.
- [What is 7Hunter?](https://www.crimson7.io/faq/7h-what-is): 7Hunter is Crimson7's advanced threat hunting platform that combines automated hunting queries, behavioral analytics, and expert-curated threat intelligence to identify sophisticated threats.
- [What attack scenarios do you simulate?](https://www.crimson7.io/faq/attack-scenarios): We simulate real-world attack scenarios including initial access, lateral movement, privilege escalation, data exfiltration, and persistence. Scenarios are based on current threat intelligence and the MITRE ATT&CK framework.
- [What is continuous purple teaming?](https://www.crimson7.io/faq/continuous-purple-teaming): Continuous purple teaming is an ongoing, collaborative security validation model where offensive testing and detection engineering run as a sustained program rather than a one-off exercise. Instead of a single point-in-time assessment, we continuously simulate real-world attack techniques, validate that your detections fire correctly, and refine detection rules as new threats emerge. This keeps your detection coverage aligned with the evolving threat landscape and APT tactics, turning purple teaming from a periodic project into a measurable, always-on capability.
- [What kind of customer resources are needed for a typical engagement?](https://www.crimson7.io/faq/customer-resources): Typical customers allocate at least 20% of an internal full-time equivalent (1 day a week) over the engagement timeframe, staffed by someone knowledgeable in IT Security or IT Operations. Individual engagements may vary depending on the customer's internal processes for onboarding external consultants and for governance and reporting reviews.
- [How are detection rules delivered?](https://www.crimson7.io/faq/de-delivery): Via Git repository, yours or ours. All rules are version-controlled with full documentation including MITRE ATT&CK mapping.
- [Can you help optimize existing detection rules?](https://www.crimson7.io/faq/de-optimize-rules): Absolutely. We audit existing rule sets, identify gaps, reduce false positives, and improve coverage. We provide detailed analysis of rule performance and recommendations for improvement.
- [What detection platforms do you support?](https://www.crimson7.io/faq/de-platforms): We specialize in the Microsoft security stack (Sentinel, Defender XDR) but also work with Splunk, Elastic, CrowdStrike, and other platforms. Sigma rules provide cross-platform compatibility.
- [What's included in detection rule documentation?](https://www.crimson7.io/faq/de-rule-documentation): Each rule includes MITRE ATT&CK mapping, technical description, false positive guidance, tuning recommendations, investigation playbooks, and validation evidence showing the rule triggering against real attacks.
- [Do I need a mature SOC for defensive engineering?](https://www.crimson7.io/faq/de-soc-maturity): Defensive engineering benefits organizations at various maturity levels. For less mature teams, we focus on foundational detections. For advanced teams, we target sophisticated techniques and advanced analytics.
- [Do you just write rules, or do you test them?](https://www.crimson7.io/faq/de-testing): We validate every detection against real attack execution. If the rule doesn't fire reliably against the technique it's designed to detect, we don't deliver it.
- [What threat intelligence feeds into your detections?](https://www.crimson7.io/faq/de-threat-intel): Our detection development is informed by current threat intelligence, Advanced Persistent Threat (APT) group tactics, techniques, and procedures (TTPs), our own internal vulnerability research, and our own red team findings. Rules target real-world-informed attack campaigns.
- [Do you provide training on the detection rules you develop?](https://www.crimson7.io/faq/de-training): Yes. We provide training sessions for your SOC analysts covering rule logic, investigation procedures, and response recommendations. Training materials are included with deliverables.
- [How do you validate detection effectiveness?](https://www.crimson7.io/faq/de-validate-effectiveness): We execute real attack techniques in controlled environments and verify that detection rules fire correctly. We test for both true positive and false positive scenarios.
- [What's the difference between Detection Confirmation and Validation compared to a purple team exercise?](https://www.crimson7.io/faq/detection-confirmation-validation): Detection Confirmation and Validation (DCV) focuses specifically on validating and improving your detection rules through controlled simulation. Purple team exercises are broader collaborative engagements that include DCV alongside offensive testing and knowledge transfer.
- [What's the typical engagement process?](https://www.crimson7.io/faq/engagement-process): Discovery call, Scoping, Proposal, Engagement, Delivery. We'll walk through specifics during our initial conversation.
- [How quickly can you start an engagement?](https://www.crimson7.io/faq/engagement-timeline): For standard engagements, we can typically begin within 2-4 weeks. Urgent requirements can often be accommodated; let's discuss.
- [What's included in a HackerFlow deployment?](https://www.crimson7.io/faq/hf-deployment): Platform installation, workflow templates, integration setup, analyst training, documentation, and ongoing support. We provide starter workflows for common use cases.
- [Can HackerFlow integrate with our existing security tools?](https://www.crimson7.io/faq/hf-integrate): Yes. HackerFlow integrates with popular SIEM platforms, EDR solutions, threat intelligence feeds, ticketing systems, and communication tools through pre-built connectors and APIs.
- [What programming languages does HackerFlow support?](https://www.crimson7.io/faq/hf-languages): HackerFlow supports Python, PowerShell, Bash, and custom integrations through APIs. Workflows are defined using a declarative YAML syntax with embedded code execution capabilities.
- [How does licensing work for HackerFlow?](https://www.crimson7.io/faq/hf-licensing): HackerFlow is licensed annually based on organization size and feature requirements. Licensing includes platform access, updates, support, and a library of pre-built workflows.
- [How do you ensure HackerFlow workflows don't disrupt production?](https://www.crimson7.io/faq/hf-production-safety): HackerFlow includes built-in safety controls, testing environments, approval workflows, and rollback capabilities. All workflows undergo validation before production deployment.
- [What support is provided with HackerFlow?](https://www.crimson7.io/faq/hf-support): 24/7 technical support, workflow development assistance, quarterly optimization reviews, access to our workflow library, and priority feature requests.
- [Is HackerFlow suitable for smaller security teams?](https://www.crimson7.io/faq/hf-team-size): Absolutely. HackerFlow's automation capabilities actually provide more value for smaller teams by reducing manual work and ensuring consistent execution of security processes.
- [How does HackerFlow differ from traditional SOAR platforms?](https://www.crimson7.io/faq/hf-vs-soar): HackerFlow focuses on security testing and detection engineering automation, while traditional SOAR platforms focus on incident response. HackerFlow treats detection and response as code, enabling version control, testing, and continuous validation and improvement.
- [What is HackerFlow?](https://www.crimson7.io/faq/hf-what-is): HackerFlow is Crimson7's Detection & Response-as-Code (DaC & RaC) platform that automates security testing, detection development, and response orchestration through code-driven workflows.
- [What kind of workflows can HackerFlow automate?](https://www.crimson7.io/faq/hf-workflows): Threat hunting queries, detection rule testing, incident triage, evidence collection, threat intelligence enrichment, vulnerability assessment, and response orchestration.
- [Do you work with organizations outside Europe?](https://www.crimson7.io/faq/international-work): Yes. While we're based in Belgium, we work with organizations across Europe and internationally.
- [What platforms and tools do you integrate with?](https://www.crimson7.io/faq/ms-platforms): We work with Microsoft Sentinel, Splunk, Elastic, CrowdStrike, and other major SIEM/XDR platforms. Our client portal provides real-time dashboards regardless of your detection platform.
- [Can you combine offensive testing with detection improvement?](https://www.crimson7.io/faq/oe-combine-detection): Absolutely. Every red team exercise can include a purple team component where we develop detection rules alongside the engagement. This is our recommended approach for maximizing value.
- [What deliverables do we receive?](https://www.crimson7.io/faq/oe-deliverables): Comprehensive reports including executive summary, technical findings, attack narratives, evidence artifacts, and prioritized remediation recommendations. Purple team engagements also include detection rules and playbooks.
- [What identity platforms do you assess?](https://www.crimson7.io/faq/oe-identity-platforms): We specialize in Active Directory, Microsoft Entra ID (Azure AD), and Okta. Our assessments cover misconfigurations, attack paths, privilege escalation vectors, and identity-based lateral movement.
- [Can Purple Rain integrate with our existing security tools?](https://www.crimson7.io/faq/pr-integrate-tools): Yes. We integrate with your existing SIEM, XDR, EDR, and other security tools through APIs and standard connectors. Integration is part of the onboarding process.
- [How do you measure detection effectiveness?](https://www.crimson7.io/faq/pr-measure-effectiveness): We track detection coverage across MITRE ATT&CK techniques, time-to-detection metrics, false positive rates, and detection rule performance. Metrics are available in real-time through our portal.
- [What's the minimum commitment for Purple Rain?](https://www.crimson7.io/faq/pr-minimum-commitment): Purple Rain is offered as an annual subscription to ensure meaningful security improvement. This allows for proper baseline establishment, trend analysis, and sustained improvement.
- [What kind of reporting do we receive?](https://www.crimson7.io/faq/pr-reporting): Monthly executive dashboards, quarterly technical deep-dives, real-time alert summaries, and annual security posture assessments. All reports include trending analysis and improvement recommendations.
- [How often do you update attack simulations?](https://www.crimson7.io/faq/pr-simulation-cadence): We continuously update attack techniques based on emerging threats, new vulnerabilities, and APT group activities. New simulations are added monthly, with critical updates deployed immediately.
- [Is Purple Rain appropriate for smaller organizations?](https://www.crimson7.io/faq/pr-small-orgs): Purple Rain is designed for organizations with dedicated security operations. For smaller teams, our project-based purple team exercises may be more appropriate.
- [What's included in Purple Rain subscriptions?](https://www.crimson7.io/faq/pr-subscription): Continuous attack simulation, detection rule development, monthly threat reports, quarterly optimization reviews, 24/7 monitoring dashboard access, and dedicated technical support.
- [How much time does Purple Rain require from our team?](https://www.crimson7.io/faq/pr-time-commitment): Minimal ongoing commitment. After initial setup, your involvement is primarily receiving and reviewing deliverables. We handle the heavy lifting.
- [How is Purple Rain different from a Breach Attack Simulation platform?](https://www.crimson7.io/faq/pr-vs-bas): Breach Attack Simulation (BAS) platforms automate previously known attack simulations. Purple Rain combines the latest human intelligence and red teaming expertise with validated automation, using research-driven TTPs, to deliver detection engineering as a managed service rather than just a tool license and a list of what is broken.
- [What's the difference between purple team and red team?](https://www.crimson7.io/faq/pt-vs-rt): Red teams simulate attacks with stealth to test overall security posture. Purple teams operate collaboratively to specifically improve detection and response capabilities.
- [Do you provide reports that satisfy regulatory requirements?](https://www.crimson7.io/faq/regulatory-reports): Yes. We provide detailed reports that meet requirements for threat-led penetration testing, compliant with TIBER-EU, DORA, and other regulatory frameworks. Reports include executive summaries, technical findings, remediation guidance, and continuous detection validation.
- [Will you actually try to breach our systems?](https://www.crimson7.io/faq/rt-actual-breach): Yes, within agreed scope and rules of engagement. We operate under strict legal agreements and coordinate with designated points of contact throughout the exercise.
- [How long does a red team exercise take?](https://www.crimson7.io/faq/rt-duration): Typical engagements run 4-8 weeks for full exercises, 2-4 weeks for assume-breach assessments. Regulatory exercises (TIBER/DORA) may require longer timelines depending on scope and coordination requirements.
- [What's the difference between red team and penetration testing?](https://www.crimson7.io/faq/rt-vs-pentest): Penetration testing focuses on finding vulnerabilities in specific systems. Red teaming simulates complete attack scenarios to test your overall security posture, including detection, response, and decision-making capabilities.
- [Can you assess cloud infrastructure security?](https://www.crimson7.io/faq/sp-cloud): Yes. We provide cloud security assessments covering AWS, Azure, and GCP environments, including configuration reviews, identity management assessment, and cloud-native security controls evaluation.
- [What compliance standards do your assessments cover?](https://www.crimson7.io/faq/sp-compliance-standards): Our assessments align with IEC 62443 (the standard for OT cybersecurity), NERC CIP, the NIST Cybersecurity Framework, ISO 27001, FDA cybersecurity guidance, and other industry-specific standards.
- [Do you provide firmware analysis?](https://www.crimson7.io/faq/sp-firmware): Yes. We perform comprehensive firmware analysis including reverse engineering, vulnerability identification, cryptographic implementation review, and bootloader security assessment.
- [What types of hardware do you assess?](https://www.crimson7.io/faq/sp-hardware-types): We assess embedded systems, IoT devices, network equipment, medical devices, industrial control systems, automotive components, and custom hardware. Our lab includes specialized equipment for hardware analysis.
- [What industries do you serve for specialty assessments?](https://www.crimson7.io/faq/sp-industries): We work across critical infrastructure sectors: energy, manufacturing, healthcare, transportation, and financial services. Our team has experience with industry-specific protocols and regulatory requirements.
- [Will ICS/OT testing disrupt our operations?](https://www.crimson7.io/faq/sp-ot-disruption): Never. We design all ICS/OT assessments with operational continuity as a hard requirement. We work with your OT team to define safe testing boundaries and use non-disruptive techniques.
- [How do you handle sensitive OT environments?](https://www.crimson7.io/faq/sp-ot-environments): We work with representative test environments, air-gapped lab setups, or controlled production environment testing with extensive safety measures. Safety and continuity are never compromised.
- [Do you need physical access to our hardware?](https://www.crimson7.io/faq/sp-physical-access): For hardware assessments, yes, we typically work with sample devices in our lab. For ICS/OT assessments, we can work on-site or with representative test environments. Physical security testing is always performed on-site.
- [What's included in a physical security assessment?](https://www.crimson7.io/faq/sp-physical-assessment): Physical penetration testing, social engineering assessment, badge cloning, lock bypass testing, surveillance system evaluation, and facility security controls review.
- [What wireless protocols do you test?](https://www.crimson7.io/faq/sp-wireless): We test Wi-Fi, Bluetooth, Zigbee, LoRaWAN, cellular (4G/5G), and proprietary wireless protocols. Our lab includes specialized RF equipment and software-defined radios.
- [How do you ensure testing doesn't impact business operations?](https://www.crimson7.io/faq/testing-business-impact): We establish clear rules of engagement, coordinate with your IT team, and use non-destructive techniques. All testing is scheduled during approved windows with proper safeguards in place.

## Legal

- [Legal](https://www.crimson7.io/legal): Privacy policy, cookie policy, and terms of service.

## Optional

- [Sitemap XML](https://www.crimson7.io/sitemap.xml): Machine-readable URL list for crawlers.