Case Study

Adversary Simulation Team Accelerates Red Team Operations at a Global Fintech with Trickest

How a Silicon Valley fintech leader used Trickest to cut security tactic development from 3 weeks to <1 day, with one engineer owning each tactic end-to-end and 5× more initiatives.

Executive Summary

At a Fortune 500 financial-software company in Silicon Valley, Trickest automated adversary simulation and attack-surface operations. Tactic development dropped from ~3 weeks to <1 day, and ownership shrank from five engineers to one, enabling ~5× more initiatives in parallel. Scheduled discovery/enrichment now runs on 100+ auto-scaling machines with two-way asset-inventory sync, surfacing the softest targets for red-team engagements. The program operates on a CTEM cadence - fast, adaptive, persistent, cutting manual recon and turning ideas into operator-ready workflows.

Background

The customer is a multinational fintech whose attack surface includes over 500,000 subdomains. A small adversary simulation team builds attack tactics, and a red team needs those tactics as runnable tools. The organization has a trusted asset inventory in place, but the bottleneck was enriching it quickly and transforming the hundreds of thousands of raw discovery records into actionable insights.

Challenge

Day-to-day TTPs weren’t supported by the incumbent stack. Adding new enrichment paths or targeting typically took ~3 weeks, turning experimentation into a time sink—often with no results.

  • Tooling Gaps: The existing stack, including the incumbent DAST, lacked several discovery-first techniques - most notably passive URL enumeration and thorough parameter discovery. Feeding new targets as the surface evolved was cumbersome, so entire classes of endpoints went unscanned and critical issues were missed.
  • Enterprise Orchestration Burden: With 500k+ subdomains across many business units, each enrichment path became a real engineering project. Enterprise runs required orchestrating tens of compliant parallel machines with logging, retries, error capture, and tight integration with the canonical asset inventory - demanding custom work to operate reliably.
  • Tactic validation and handoff friction: Proving a tactic worked required production-grade build and integration, then waiting to see if it produced results. Integration was the bottleneck; minor adjustments meant repeating the full cycle. This friction discouraged experimentation and burned significant engineering hours.

Solution

The team adopted Trickest as a research playground to prototype new tactics, a factory to harden them into reusable workflows, and a launchpad to execute them at scale.

Key Capabilities

  • Scheduled large-scale scans powered by 100+ auto-scaling cloud machines
  • An intuitive drag-and-drop workflow editor for rapid development
  • Self-hosted agents for testing internal assets
  • A shared library with 90+ workflow templates and 300+ composable tools and modules
  • A CLI that hides complexity behind a command-line interface familiar to red team operators

Impact

Before

  • Tactic development took 3 weeks on average
  • Required 5 engineers to collaborate on each tactic
  • Weeks of work often wasted on failed deployments
  • Parallel machines, retries, logging, and compliance made surface-wide runs fragile and slow
  • Whole classes of targets left unscanned

With Trickest

  • One engineer, end-to-end: A single engineer owns idea → prototype → validate → operationalize; throughput jumps ~5×
  • < 1-day tactic cycle: Development drops from ~3 weeks to ~6 hours for validation and packaging
  • Scale baked-in: Scheduled runs on ~100 auto-scaling machines with retries/logging deliver reliable enterprise coverage
  • Two-way inventory sync: New assets auto-enriched; results flow back so operators see the softest targets first
  • Reusable building blocks: Validated tactics ship as packages and ready-to-run workflows (CLI/API) for live engagements

Results

  • 6h Development Time: From 3 weeks to 6 hours per tactic
  • 1 Engineer: Ownership reduced from 5 engineers to a single engineer
  • Parallel Initiatives: 5× more tactics tested in parallel

Conclusion

What began as a lightweight way to validate tactics is now an adversary-simulation operating system. Tactics move from idea to operator-ready workflows in hours (not weeks), with one engineer owning them end-to-end. Runs scale across the entire surface and can be executed directly by operators during live engagements.

The operating model changed: engineers experiment freely without burning weeks, operators receive packaged workflows without delay, and leadership sees clear gains in speed, coverage, and remediation value. The program now mirrors real adversaries - fast, adaptive, persistent - and is advancing toward full CTEM: continuously mapping, enriching, and testing even a massive surface to reveal soft targets. Next: broaden adoption across business units and deepen workflows for newly deployed assets.