FACILITIES FOR HIRE

Cyber Security Operations Centre

Hire a fully equipped, instructor-supported Cyber Security Operations Centre (CSOC) for realistic red, blue and purple team simulations, ideal for small and medium businesses.

Holmesglen’s Cyber Security Operations Centre (CSOC) is a purpose-built IT space at our Chadstone campus in Melbourne, where organisations can safely run live cyber security exercises.

We run supported red, blue and purple team simulation activities, using the latest tools and relevant scenarios, which allow your team to undertake:

  • Adversary emulation
  • Penetration testing
  • Incident investigation
  • Post-exercise reporting

Why hire our Cyber Security Operations Centre?

Our CSOC provides a dedicated environment for your small or medium business to upskill, develop and perform IT tasks relevant to your team. When you hire Holmesglen’s CSOC, you can:

  • Refine real-world attacks and defences without disrupting your production estate
  • Conduct table-top exercises to guide staff through their roles
  • Use enterprise-grade tooling and a technical support officer onsite for the duration of your hire

Email us at IT@holmesglen.edu.au to discuss hiring our CSOC.

Facility for hire – Overview

We offer various hiring options (see Room Hire and Training pdf, 468kb) to suit your team’s needs.
 
  • Half-day technical exercise (4 hours): Use of one lab + technical officer; basic injects & incident write-up
  • Full-day exercise (8 hours): Multi-team exercise, full logging and case management, end-of-day debrief and recommendations
  • Two-day purple engagement: Detection design, tuning and validation; follow-up rule set delivered
  • Bespoke package: Tailored scenario, advisory time, or vendor-style red team assessment

Note: An administration fee applies to bookings (as per our room hire terms).

Hirers must supply public liability insurance when completing the room hire booking (pdf, 468kb).

Note: Technical support officers are provided for IT/CSOC bookings.

We can configure the CSOC to meet your team’s exercise goals. Our room set-up options include:

  • An operations floor for analysts
  • Dedicated attacker lab for red‑team exercises
  • Secure war room for briefings
  • IoT simulation zone for device testing
  • Control/observation room for instructors and observers

Examples of how specific rooms can operate include:

  • Security operations centre operations room: Analyst workstations, ELK/Wazuh dashboards, case management
  • Red team lab: Isolated attacker networks, offensive tooling and logging capture
  • Blue team lab: Defensive tooling, live monitoring consoles and hands-on remediation workstations
  • Purple team / Lessons learned room: Collaborative space for tuning detections and validating alerts
  • IoT smart-city simulation zone: Six scenario nodes (city cam, train takeover, city lights, track switch, extreme weather, dump protocol)
  • Control and observation room: Video/streaming links, instructor AV, secure brief/debrief area

We provide access to the following enterprise/open-source platforms during exercises:

  • Splunk
  • Wazuh
  • ELK (Elasticsearch / Logstash / Kibana)
  • Nessus
  • Shuffle (SOAR/workflow automation)
  • T-Rex (traffic replay/generation)
  • Cydarm (case management & documentation)
  • OpenCTI (threat intelligence platform)

These tools are pre-integrated into our exercise workflows, so your team can focus on detection and response during your time with us, instead of setup. 

We design and deliver scenario scripts or let your team run their own. Scenarios may include:

Network / Host

  • Reconnaissance and initial access (OSINT, web application fingerprinting, supply chain)
  • Phishing / Credential theft (BEC, social media phishing, credential harvesting)
  • Internal network access (Rogue access points, privilege escalation)

Purple / Detection

  • IoT takeover: Compromise a smart device (default creds) and attempt to alter configuration; test detection via IoT telemetry and anomaly detection
  • Spear-phish, ransomware: Target finance user, deploy ransomware behaviour in sandbox; test EDR detection and backup restore playbook
  • Supply-chain compromise: Push a malicious firmware update to a sensor network in test environment and see if blue team detects anomalous traffic
  • Table-top exercises

Blue / Response workflows
Blue team activities focus on the following three monitoring tasks:

  1. Monitoring sample historical logs to uncover attacker activity
  2. Monitoring real-time logs from servers
  3. Monitoring network traffic for anonymous login, sensitive file access and unusual log activity

We recommend your security analysts attend for blue team or purple sessions. We can supply experienced operators for red/purple sessions, if required. Prior to joining us, we ask hirers to confirm their roles. Example responsibilities:

Red team

  • Execute attack scenarios, generate malicious traffic and provide exact timestamps for the events they generate

Purple team

  • Design test cases, verify detection coverage, tune detection rules, validate alerts and coordinate communication between red and blue teams

Blue team

  • Receive and triage alerts; investigate in ELK and Wazuh, take containment/remediation actions, document findings and actions in Cydarm, and close the case and corresponding ELK alerts

Note: We can supply experienced red, blue or purple operators if you want a turnkey exercise (additional cost applies). 

No, all exercises are performed in isolated, purpose-built lab networks to ensure your production environment remains unaffected.

Holmesglen Cyber Security Operations Centre

Getting to our CSOC

Our Cyber Security Operations Centre is located at our Chadstone campus, which is opposite the Holmesglen train station (on the Glen Waverley line). If you are travelling by car, the CSOC is just two minutes from the Warrigal Rd exit on the Monash Freeway. 

Discover Holmesglen's list of training and industry spaces at our facilities for hire page.