Red Teamer · Adversary Simulator · Offensive Researcher

Keivan Tayebipour

Available for Selected Engagements

Former PwC Senior Penetration Tester. I run red teams the way real adversaries operate — with the rigour, documentation, and accountability that enterprise environments require.

Who Am I

Built inside real enterprise environments

The enterprise world is where I grew sharp. Years spent inside complex organisations taught me that real security is not about isolated bugs or clever lab tricks — it is about how trust, identity, and flawed design decisions collapse under real pressure.


I have always chased the kind of attack thinking that actually works inside live enterprise environments, where the same weaknesses are abused every day by real adversaries. Not niche techniques that only survive in lab conditions.


That approach helps companies see beyond isolated findings and understand where their environment would be compromised under real adversarial pressure. The result is a clearer view of attack paths, stronger security priorities, and remediation effort directed where it meaningfully improves resilience.

Background

Ex-PwC Senior Penetration Tester. Red Teaming and TLPT delivery in regulated environments across Europe.

Approach

Big4 rigour. Attacker mindset. Findings scoped to operational risk, not theoretical severity.

Focus

Validating how small footholds become business-critical compromise in enterprise environments.

Education

B.Sc. Computer Engineering — University of Bologna.

What I Work On

The parts that become critical once an attacker is inside

I focus on what matters after initial access — the escalation paths, identity trust chains, and operational chokepoints that turn a foothold into a business-critical compromise.

01

Penetration Test

Systematic identification of exploitation paths in patched, EDR-protected environments. Findings are scoped to business risk, not only CVSS scores — with clear remediation priorities.

02

Red Team Operations

Covert, full-scope adversary simulations designed to challenge detection and response capabilities — not just find vulnerabilities. Delivered with Big4-grade documentation and debrief.

03

Ransomware Simulation

Controlled simulation of ransomware tradecraft against critical assets to validate whether detection, containment, and recovery controls can stop real operational disruption — before it happens for real.

04

Backup Resilience

Adversarial review of backup infrastructure: segregation, deletion resistance, offline availability, and restoration playbooks — stress-tested before recovery becomes mission-critical.

05

Hybrid Identity & Azure

Targeted assessment of cloud-to-on-prem trust chains across Entra ID, Azure, and ADFS. Maps the escalation paths that bridge cloud identity into domain-level compromise.

Big4 Methodology

Rigorous documentation, evidence-backed findings, and enterprise-grade delivery shaped by years of Big4 engagements in regulated environments.

NDA & Privacy First

Confidentiality by default. Strict handling of credentials, systems, and sensitive data throughout the engagement and after.

Safe-by-Design

No disruptive testing without explicit scope. Critical vulnerabilities are escalated immediately, with short-term remediation steps to reduce exposure without delay.

Certifications

A stack that spans the full offensive spectrum

Each certification was chosen to close a specific gap — not to collect badges. The result covers the full offensive spectrum: Active Directory, advanced post-exploitation, C2 operations, Azure and hybrid identity, adversary tradecraft, and evasion engineering.


Offensive Security

OffSec Experienced Penetration Tester

OSEP

Focuses on bypassing advanced security defences and evading AV detection in hardened environments. Widely recognised as a premier credential for testers capable of simulating sophisticated, stealthy adversaries.


Offensive Security

OffSec Certified Professional

OSCP

The global benchmark for penetration testing, requiring a rigorous 24-hour hands-on exam to prove manual exploitation skills. Holds immense industry reputation for validating systematic thinking under pressure.


Zero-Point Security · Also known as CRTO II

Certified Red Team Lead

CRTL

Operationally-heavy certification focused on adversary simulation within high-maturity environments. Validates the ability to execute C2 operations and achieve objectives while bypassing top-tier EDR solutions.


HackTheBox · HTBCERT-D987DAE975

Certified Penetration Testing Specialist

CPTS

A comprehensive certification covering the entire penetration testing lifecycle with exceptional technical depth. Rapidly gained a reputation for being one of the most thorough practical exams available.


Zero-Point Security

Certified Red Team Operator

CRTO

Covers modern Red Team tradecraft including C2 frameworks, Active Directory exploitation, and adversary simulation. Validates persistence and lateral movement skills in enterprise network environments.


Altered Security

Certified Azure Red Team Professional

CARTP

Covers how modern enterprises actually break at the cloud layer: Azure privilege chains, Entra ID trust abuse, hybrid sync weaknesses, and escalation paths that bridge cloud identity into domain compromise.


Altered Security

Certified Red Team Professional

CRTP

Focused on Windows domain and Active Directory security in practice. Validates lateral movement and privilege escalation skills across internal enterprise network penetration test scenarios.


INE / eLearnSecurity

Junior Penetration Tester

eJPT

Hands-on entry-level certification validating foundational knowledge of networking and offensive security methodology. The practical starting point of a certification path built entirely on doing, not reading.


Blog & Research

Notes from private research and hands-on experiments

Series · In Progress

Building an EDR as a Red Teamer

A multi-part series on building an EDR through an offensive lens: telemetry choices and detection logic involved in building something effective.

Planned

Building Custom Ransomware Tradecraft for Controlled Adversary Simulations

A multi-part series on designing and building ransomware simulation tooling aligned with current tradecraft for safe, controlled engagements.

Get In Touch

For serious offensive security engagements and discussions

Italy-based · Selected engagements only