
Cyber Defence & Counter-Intelligence
Adversary-grade assessment, rapid and discreet incident response, and counter-surveillance for governmental and Tier 1 operations. Delivered by vetted operators across digital, electronic, and industrial domains.
Capabilities
Six operator-led capability lines, integrated under a single command structure. Each is scoped, executed, and reported on its own terms — no shared boilerplate methodology.
Cyber Assessment & Penetration Testing
Exploit-driven validation of network, web-application, mobile, infrastructure, and cloud security posture. Manual operators chain findings into demonstrable attack paths — beyond automated scanning. Scoping is mission-aligned: the scope of work mirrors the threat model and operational risk tolerance, not a generic checklist.
- 01 Scope and rules of engagement aligned with mission objectives, threat model, and operational risk tolerance
- 02 External and internal reconnaissance — passive OSINT, active surface mapping, authenticated where applicable
- 03 Web-application testing per OWASP Testing Guide / ASVS; network testing per OSSTMM and PTES; mobile per OWASP MASVS; cloud per CIS Benchmarks (AWS / Azure / GCP); identity per Active Directory / Azure AD / Okta hardening review
- 04 Manual exploitation, vulnerability chaining, post-exploitation validation; lateral movement and privilege-escalation paths mapped to the asset model
- 05 Wireless, segmentation, and physical-access testing where authorised
- 06 Social-engineering vectors (phishing, pretexting, on-site) where in scope
- 07 Re-test on remediation when requested; validation letter on close-out
- Full technical report with attack chains, proof-of-concept artefacts, and CVE / CWE mappings
- Risk-prioritised remediation guidance with effort estimates
- Executive summary in mission-risk language (board-ready)
- Optional re-test letter and a "before / after" attestation
- Briefing session for the in-house security team
Red Team Operations
Realistic adversary simulations against mature security programmes. Stealth, evasion, and validation of the blue team's ability to detect and respond — not a vulnerability scan. MITRE ATT&CK-aligned end-to-end. Programmes can be scoped against a TIBER-EU / CBEST / CRT-style harness if the buyer is a regulated financial institution.
- 01 Plan, scope, and threat model — including ROE, agreed assumed-breach starting points, blue-team awareness level (fully transparent / partial / black box), success criteria
- 02 Reconnaissance and intelligence gathering — OSINT, dark-web pre-attack intel, supply-chain mapping, employee-targeted data harvesting
- 03 Initial access — phishing, exposed services, supply-chain or physical / drop-vector entry points
- 04 Privilege escalation, persistence, and lateral movement against agreed objectives
- 05 Objective completion — controlled data-exfiltration simulation and critical-system access, with full operational logging for replay
- 06 Optional purple-team phase — collaborative detection engineering with the blue team
- 07 Joint red/blue debrief — TTP walkthrough, detection-rule recommendations, control-improvement roadmap
- TTP-mapped technical report with full attack timeline
- ATT&CK heatmap of techniques used vs detected vs missed
- Video proof-of-concept for high-impact moments where applicable
- Detection-rule and control-improvement recommendations (Splunk / Sentinel / SIEM-agnostic)
- Joint red/blue debrief session
- Optional retainer for ongoing adversary-simulation programme
Industrial / SCADA / OT Security
Specialist security assessment for environments where downtime is not an option — energy, utilities, water, transport, manufacturing, defence supply chains, pharma. Operational technology cannot tolerate the test methodology used in IT environments.
- 01 Passive observation and asset discovery before any active testing — span-port capture, controlled traffic analysis (no aggressive scanning of OT)
- 02 Asset inventory across PLC, HMI, RTU, DCS, SCADA, historian, and engineering workstations
- 03 Segmentation review against the Purdue Reference Model and IEC 62443 zone-and-conduit architecture
- 04 IT/OT boundary review — DMZ controls, firewall rules, jump-host hygiene, USB / removable-media policies, vendor-access pathways
- 05 Engineering-workstation hardening review (Windows / vendor-OEM)
- 06 Controlled active testing only during agreed maintenance windows
- 07 Methodology aligned to ICS-CERT, NIST 800-82, IEC 62443, and IEC 61850 (where power infrastructure is in scope)
- OT asset inventory with criticality mapping
- Segmentation map (current state vs. target state per IEC 62443 zones and conduits)
- Ranked exposure findings with downtime-impact assessment
- Hardening roadmap sequenced for maintenance windows
- Optional tabletop exercise for OT-specific incident response (cascading failure scenarios, ransomware-on-OT scenarios)
Threat Exposure Management
Continuous monitoring across surface, deep, and dark web for organisational data, credentials, brand abuse, and third-party exposure. Ongoing service, not a project. Continuous coverage across the threat landscape that surrounds the perimeter.
- 01 Curated coverage across dark-web forums, Telegram channels (58,000+ tracked), ransomware leak sites, paste sites, illicit marketplaces, and stealer-log corpora
- 02 Leaked-credential detection mapped to identity providers (Active Directory / Azure AD / Okta / Workspace) for immediate revocation
- 03 Brand-impersonation and counterfeit-domain surveillance with takedown workflows for hosting providers and registrars
- 04 Third-party and supply-chain exposure detection — partner / vendor breach data correlated to the customer's organisational graph
- 05 Threat-actor profiling and historical search across forums and breach data
- 06 AI-assisted multilingual translation of dark-web discussions into structured intelligence
- Real-time prioritised alerts (high-severity → named-analyst escalation)
- Monthly briefing report with threat-landscape narrative and KPI dashboard
- Takedown management for brand impersonation and counterfeit domains
- Integration into customer SIEM / SOAR / ticketing (Splunk, Sentinel, QRadar, ServiceNow) where required
- Quarterly threat-actor profile updates relevant to the customer's sector
- Named analyst as a single point of contact
Technical Surveillance Counter-Measures (TSCM)
Electronic and physical counter-surveillance sweeps for hidden audio, video, RF, and data-exfiltration devices. Boardroom, residence, vehicle, in-flight (private aviation), off-site facility, executive-travel hotel rooms. Evidence handling to chain-of-custody standards.
- 01 Pre-sweep threat brief and venue access protocol — covert arrival where required
- 02 RF spectrum analysis across HF / VHF / UHF / cellular (LTE / 5G NR / Sub-6 GHz / mmWave subset where relevant) / Wi-Fi 2.4–7 GHz / Bluetooth Classic + LE / Sub-GHz IoT / ISM bands
- 03 Non-linear junction detection (NLJD) for dormant or off-state semiconductor devices hidden in fixtures, walls, furniture
- 04 Thermal imaging for heat-signature-emitting devices behind surfaces
- 05 Physical inspection of fixtures, lamps, vents, ceiling tiles, vehicle interiors and undercarriages, gifts and "found objects"
- 06 Telephone, network, and power-line audit for compromised infrastructure (line-borne carrier signals, abnormal current draw)
- 07 Spectrum baselines stored for differential / repeat sweeps
- 08 Evidence handling to ISO/IEC 27037 chain-of-custody standards
- Sealed sweep report with finding classification (clean / inconclusive / device recovered)
- RF spectrum baseline file for repeat differential sweeps
- Physical evidence chain with serial numbers, device classification, and forensic hand-off package where a device is recovered
- Posture recommendations — venue hygiene rules, OPSEC for principals, repeat-sweep cadence
- Optional retainer for executive-travel pre-sweeps and standing residence sweeps
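The differential sweep named in items 07 and the baseline-file deliverable above works by comparing a stored spectrum baseline against a repeat capture and flagging emitters that are new or markedly stronger. The following is an added illustration of that comparison, not Mission Support's own tooling; the spectra, the frequency tolerance and the power thresholds are constructed values that a real engagement would take from the analyser export and the sweep plan.

```python
"""Differential RF sweep: compare a stored baseline against a repeat sweep.
Added example with constructed data; a real baseline would be loaded from a
spectrum-analyser export rather than hard-coded."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample spectra as (centre frequency in MHz, peak power in dBm).
BASELINE_MHZ_DBM: List[Tuple[float, float]] = [
    (98.7, -42.0),     # local FM broadcast
    (1842.5, -55.0),   # LTE downlink
    (2437.0, -48.0),   # Wi-Fi channel 6 (venue AP)
    (5180.0, -60.0),   # Wi-Fi 5 GHz
]
REPEAT_MHZ_DBM: List[Tuple[float, float]] = [
    (98.7, -41.5),     # unchanged within normal drift
    (433.92, -71.0),   # not in baseline: sub-GHz ISM carrier
    (1842.5, -54.0),   # unchanged
    (2437.0, -30.0),   # same channel, 18 dB stronger than baseline
    (5180.0, -61.0),   # unchanged
]

@dataclass(frozen=True)
class Finding:
    freq_mhz: float
    power_dbm: float
    kind: str                  # "new" or "stronger"
    delta_db: Optional[float]  # change vs. baseline, None for a new emitter

def differential_sweep(baseline, repeat, freq_tol_mhz=0.1,
                       floor_dbm=-80.0, delta_thresh_db=10.0) -> List[Finding]:
    """Return repeat-sweep peaks above the noise floor that are either absent
    from the baseline (no peak within freq_tol_mhz) or at least delta_thresh_db
    stronger than the matching baseline peak. Everything else is treated as
    normal drift and ignored, so the analyst only sees what changed."""
    findings = []
    for freq, power in repeat:
        if power < floor_dbm:
            continue  # below the floor: noise, not an emitter
        match = next((b for b in baseline
                      if abs(b[0] - freq) <= freq_tol_mhz), None)
        if match is None:
            findings.append(Finding(freq, power, "new", None))
        elif power - match[1] >= delta_thresh_db:
            findings.append(Finding(freq, power, "stronger",
                                    round(power - match[1], 1)))
    return sorted(findings, key=lambda f: f.freq_mhz)
```

A baseline compared against itself yields no findings, which is the sanity check to run before trusting a repeat-sweep result.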
Incident Response & Digital Forensics
Rapid, discreet activation for live breaches. 24/7 retainer-eligible. Operator-grade discretion across reporting, communications, and on-the-ground coordination. Coordinated with Mission Support physical / close-protection teams when the incident has a kinetic dimension.
- 01 24/7 activation hotline with named first-response analyst within agreed SLA
- 02 Triage and threat-actor classification — threat group, tooling fingerprint, likely objectives
- 03 Containment without unnecessary business disruption — segmentation, account isolation, controlled traffic blocks
- 04 Forensic preservation across endpoint memory, disk, network, cloud workloads, identity-provider audit logs, and SaaS audit trails per ISO/IEC 27037
- 05 Root-cause analysis mapped to MITRE ATT&CK and the Diamond Model
- 06 NIST 800-61-aligned playbook execution
- 07 Communications support where retained (legal, regulatory disclosure, media holding statements)
- 08 Post-incident threat hunt for residual access and parallel intrusions
- 09 Hardening roadmap based on observed failure points
- Forensic report admissible to chain-of-custody standards
- IOC list and TTP-mapped attacker profile
- Timeline of intrusion with detection-and-response opportunities
- Containment-and-recovery decisions log (defensible to regulators / insurers / litigators)
- Post-mortem briefing and hardening roadmap
- Threat-hunt report covering the wider environment
Who We Serve
NATO-friendly clientele only. Engagements are scoped under non-disclosure and vetted on intake.
Frequently Asked Questions
What is TSCM (Technical Surveillance Counter-Measures)?
TSCM is the systematic detection and removal of hidden surveillance devices — audio bugs, video cameras, RF transmitters, and data-exfiltration hardware — from sensitive premises and vehicles. Mission Support sweeps use RF spectrum analysis across all relevant bands, non-linear junction detection (NLJD) for dormant devices, thermal imaging, and full physical inspection. Evidence handling follows ISO/IEC 27037 chain-of-custody standards.
What is a red team operation?
A red team operation is a controlled, full-scope adversary simulation against an organisation's people, systems, and physical access — testing whether defences hold under realistic conditions including phishing, physical entry, and supply-chain vectors, rather than validating controls against a checklist. Mission Support red team operations are MITRE ATT&CK-aligned and can be structured to TIBER-EU, CBEST, or CRT frameworks for regulated clients.
Does Mission Support support NIS2 compliance?
Yes. Mission Support supports organisations subject to NIS2, DORA, and the Cyber Resilience Act — including risk assessments, technical gap analysis, OT/industrial security reviews, and incident response planning. Scope is defined by the client's sector classification, applicable national transposition, and the specific control requirements of their competent authority.
Do you offer 24/7 incident response?
Yes. Mission Support provides 24/7 incident response on a retainer basis, with a named first-response analyst activated within an agreed SLA. The service covers triage and threat-actor classification, containment, forensic preservation to ISO/IEC 27037 standards, root-cause analysis mapped to MITRE ATT&CK and the Diamond Model, and optional coordination with Mission Support physical security teams where an incident has a kinetic dimension.
What types of organisations does Mission Support's cyber team serve?
Mission Support's cyber capability is scoped for organisations where operational security is mission-critical: governmental agencies, defence ministries, embassies and diplomatic missions, critical-infrastructure operators (energy, water, telecoms, finance), regulated multinationals, and defence-industrial supply chains. All engagements are conducted under non-disclosure; NATO-friendly clientele only.
CBRN Defence Training
Physical incidents don't stay physical. When a CBRN threat materialises alongside a cyber or electronic attack, the teams that matter are the ones who trained for both. Mission Support's four-level CBRN curriculum prepares your personnel for the threats that no firewall stops.
Request a Consultation
Scope an engagement with the Mission Support cyber defence team. Pricing on request.
Contact Mission Support