Introducing Our New Penetration Testing Services: More Value, Enhanced Protection
- danielweis
- Aug 26, 2025
- 5 min read
At Nexon, we have been performing penetration testing, red teaming, and threat assessment for close to 20 years. During this time, we have seen the continual evolution of penetration testing as the threat landscape and security technologies have evolved, and today marks our next evolution of testing services and capabilities.
We often perform red and purple team engagements with clients as the next evolution, or let's call it “upgrade”, from their standard penetration testing engagements. At a high level, in a red-team engagement we perform reconnaissance and profiling of an organisation, identify our attack vectors and potential avenues for attack, and, as a collective team, craft multiple attacks (for example, phishing through services, wifi, physical access and services attacks) that are executed concurrently across the team.
In the preliminary phases of a red-team engagement, after our reconnaissance is complete, we work with our clients to define the attacks we are going to launch. We have clients who would like a zero-knowledge approach, which is fine and we execute in this manner often, but the majority would like to know what avenues we will be leveraging. Often we work with blue teams in a purple teaming approach, where the client will request that we emulate certain TTPs (Tactics, Techniques & Procedures), or they request we execute a standard red team and provide the correlated data at the end for blue team analysis. There are many ways we can run purple-team engagements, which brings us to our new offering, Threat-Led Penetration Testing (or TLPT).
Threat-Led Penetration Testing (TLPT), sometimes called Threat-informed Penetration Test, is a sophisticated form of cyber security assessment that goes beyond traditional penetration testing. Instead of simply looking for common vulnerabilities, then chaining and exploiting them, it simulates the tactics, techniques, and procedures (TTPs) of specific, real-world cyber threat actors. This approach is intelligence-driven, meaning that a TLPT exercise is based on detailed information about the methods and motivations of a known adversary that is relevant to the target organisation's sector or geography. The primary goal is to test the organisation's detection, prevention, and response capabilities against a highly realistic and targeted attack scenario. By mimicking a specific threat actor, TLPT provides a more accurate and valuable assessment of an organisation's security posture, highlighting its resilience against the threats it is most likely to face.
TLPT engagements still encompass standard penetration testing and red-teaming components, such as social engineering, service and network exploitation, lateral movement and privilege escalation, but they are more refined and provide a more realistic threat assessment for the organisation being tested. Think of it as a highly targeted red-team assessment.
Earlier this year the TIBER-EU Framework (Threat Intelligence-Based Ethical Red Teaming for the European Union) and associated testing process was released in the EU. This process is complementary to the new Digital Operational Resilience Act (DORA), which was released prior. Although it is focused on financial sector organisations, we have taken the TIBER-EU methodology and modified it to suit all organisations in our new TLPT Methodology.
Our methodology works as follows:
1. Client Briefing
In this component we will meet with the client to understand the organisation, sector, risks, threats, past near misses etc.
2. Threat Intelligence
We then leverage threat intelligence to identify relevant threats facing the organisation and generate realistic attack scenarios leveraging the TTPs. For example:
Let's say the client who engaged us for TLPT is in the construction sector. Leveraging threat intelligence, we can see that recently a major Australian-based construction company fell victim to a ransomware attack, executed by one of the major ransomware groups (company name and company anonymised), which stole 128GB of data. We can see that their threat actor profile (typical TTPs for this RaaS group) looks like the below:

They typically leverage security flaws to escalate privileges, such as Fortinet CVE-2024-21762, CVE-2024-55591 or Veeam CVE-2023-27532, and leverage command and control servers.
In terms of MITRE TTPs we would emulate:
Initial Access:
T1078 — Valid Accounts
T1190 — Exploit Public-Facing Application
Execution:
T1059 — Command and Scripting Interpreter (PowerShell)
Persistence (e.g. New-ItemProperty -Path "HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"):
T1547.001 — Registry Run Keys / Startup Folder
Privilege Escalation:
T1562 — Impair Defenses
Credential Access:
T1003 — OS Credential Dumping
Lateral Movement (e.g. SMB, RDP, WinRM, PsExec etc.):
T1021 — Remote Services
Impact
Gain Access to Data, then;
3. Client mini-debrief
We will discuss the proposed TTPs and activities with the client to receive feedback and approvals ahead of our prestaging.
4. Prestaging
In this phase we perform our prestaging and execution preparation for the TTPs that we will be testing. This may encompass standing up Command & Control (C2) infrastructure, creating payloads / malware, performing reconnaissance, etc.
5. Launch Red Teaming and Scenario-based assessment leveraging identified TTPs.
So our engagement would encompass targeted phishing against the organisation, leveraging payloads and Command & Control (C2) infrastructure, as well as attacks targeting perimeter systems.
We would then perform a breach simulation from an end user device, encompassing privilege escalation and lateral movement attacks (per the above) as well as deployed persistence in line with the threat actor's (actual group redacted) TTPs.
Once credentials are in play, we will leverage standard lateral movement (LM) components to move throughout the network and gain access to data.
We can also simulate the encryption of a subset of files if required.
6. Assessment & Analysis
We then work with the organisation’s SOC/internal teams to evaluate the organisation’s detection, response, and recovery capabilities based on our findings, insights, and observations, and to identify areas for improvement within the security infrastructure and processes.
7. Reporting & Client Debrief
We then generate our comprehensive reports detailing findings, exploited vulnerabilities, recommendations, and actionable insights. This includes prioritising remediation efforts, developing mitigation strategies, and providing recommendations to enhance cyber security defences based on our red team findings.
We then debrief the client on our activities via a meeting / workshop.
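For the blue-team side of the Assessment & Analysis step, the following is an added example (not Nexon's tooling or code from this post) of a check for the Run-key persistence technique (T1547.001) listed in the threat intelligence step. It assumes PowerShell script block logging (Event ID 4104) has been exported to records with hypothetical `host` and `script` fields; the sample events are constructed.

```python
import re

# Commands that write registry values; reads such as Get-ItemProperty are ignored.
WRITE_VERBS = re.compile(
    r"\b(new-itemproperty|set-itemproperty|reg(\.exe)?\s+add)\b", re.I)
# Run / RunOnce autostart keys in either hive, PowerShell-drive or long-hive form.
RUN_KEY = re.compile(
    r"(hkcu|hklm|hkey_current_user|hkey_local_machine):?\\"
    r"software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?\b",
    re.I,
)

def normalise(script):
    """Collapse escaped (doubled) backslashes and drop quotes before matching."""
    return re.sub(r"\\+", r"\\", script).replace('"', "").replace("'", "")

def find_run_key_persistence(events):
    """Return a finding for each event whose script writes to a Run/RunOnce key."""
    hits = []
    for ev in events:
        text = normalise(ev["script"])
        if WRITE_VERBS.search(text) and RUN_KEY.search(text):
            hits.append({"technique": "T1547.001", "host": ev["host"],
                         "script": ev["script"]})
    return hits

# Constructed sample events (hypothetical hosts, names and values).
SAMPLE_EVENTS = [
    {"host": "WS01", "script": r'New-ItemProperty -Path '
     r'"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
     r'-Name "Updater" -Value "C:\\ProgramData\\example.exe"'},
    # Read-only query of the same key: must not alert.
    {"host": "WS02", "script":
     r"Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "SRV01", "script": r"reg add "
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce "
     r"/v demo /d C:\ProgramData\example.exe"},
    # Registry write outside the autostart keys: must not alert.
    {"host": "WS03", "script":
     r"Set-ItemProperty -Path HKCU:\Software\Example\Settings -Name Theme -Value Dark"},
]

if __name__ == "__main__":
    for hit in find_run_key_persistence(SAMPLE_EVENTS):
        print(hit["technique"], hit["host"], hit["script"])
```

Comparing the hosts this flags against the hosts where persistence was actually deployed during the engagement shows whether the technique was logged and detectable.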
This brings us to our next exciting news for our customers.
Added Value: Threat Profile Analysis for all Pentest customers
A large number of organisations engage us to profile their organisation against the dark web (for chatter and mentions) as well as to identify breached data and/or credentials, driven by threat intelligence, in order to identify potential threats facing their organisation.
We are now offering this complimentary service for all Nexon Penetration Testing customers as part of their engagement. In a Threat Profile Analysis, we will provide a report outlining:
Dark web Mentions
Underground Forum and marketplace Mentions
Exposure in Dark Web Data Dumps or Special Access Forums
Exposure on Ransomware Extortion Forums or Sites
Listed Malware references
Exposed / Breached Accounts / Credentials
Exposed / Breached Accounts / Data
Pastebin and Torrent References
Security Vendor and Breach Disclosures referencing the organisation.
Clients can then act upon these findings to further strengthen their defences and reduce their risk profile.
If you are ready to take your next journey with Australia’s best penetration testing team, please reach out to us! pentestenquiries@corp.nexon.com.au / https://pentest.nexon.com.au


