SCYTHE’s Ethical Hacking Maturity Model


SCYTHE’s Ethical Hacking Maturity Model enables leading organizations to assess and strengthen their security posture through ethical hacking. There are a number of assessment types an ethical hacker can perform against an organization and this document goes through the process. Enterprises can use SCYTHE’s Ethical Hacking Maturity Model to evolve to the more advanced assessments and operationalize Adversary Emulations via Red Team Engagements and Purple Team Exercises.

SCYTHE’s Ethical Hacking Maturity Model

Vulnerability Scanning

Scanning an organization for vulnerabilities with an automated scanner is the simplest of ethical hacking assessments an organization should perform. The goal is to inventory and identify known vulnerabilities on target systems and applications. This step requires minimal effort as long as the proper tools are in place. 

Vulnerability Assessment

After a  vulnerability scan is completed, an ethical hacker can validate the vulnerabilities manually to remove false positives and calculate an accurate risk rating. Vulnerabilities are assigned a Common Vulnerabilities and Exposure (CVE) ID and scored with the Common Vulnerability Scoring System (full disclosure: our CTO, Jorge Orchilles, was a working group voting member for the current version CVSSv3.1).

Penetration Testing

Penetration Testing goes a step further and exploits the vulnerabilities identified. This is the main differentiator from vulnerability assessment where vulnerabilities are only being verified. Penetration Testing involves exploiting vulnerabilities under controlled circumstances; in a professional, safe manner according to a carefully designed scope and Rules of Engagement. Penetration Testers often find vulnerabilities that are not known by the vendor or defenders and focus on bypassing preventive controls. An example of a penetration test is the work GRIMM did to identify vulnerabilities on DJI drones

Red Team Engagements

Red Team focuses on testing people, process, and technology. The main customers are the defenders that focus on detection and alerting controls. The Red Team emulates Tactics, Techniques, and Procedures (TTPs) of adversaries to test an organization holistically. As an enterprise red team tool and command and control (C2) framework, SCYTHE allows the Red Team to focus on emulating attack behaviors and custom TTPs instead of troubleshooting the tools themselves. SCYTHE is a Red Team force multiplier allowing consistent Red Team reveals and replays. 

“SCYTHE is a technology every enterprise red team should have so they can prepare the blue team for engagements with cutting-edge offensive teams. The average dwell time of undetected compromises is currently measured in months and SCYTHE enables the red team to give the blue team something realistic to hunt.”
Ron Gula, Gula Tech Ventures

Purple Team Exercises

Purple Team is a virtual team made up of the Red Team and the Blue Team.  A Purple Team Exercise is an open engagement where the attack activity is exposed and explained to the Blue Team as it occurs. Purple Team Exercises are "hands-on keyboard" exercises where Red and Blue teams work together with an open discussion about each attack technique and defense expectation to improve people, process, and technology in real-time. Purple Team Exercises are Cyber Threat Intelligence led, emulating Tactics, Techniques, and Procedures (TTPs) leveraged by known malicious actors actively targeting the organization to identify and remediate gaps in the organization’s security posture. Red Teams use SCYTHE to create the payloads for the selected TTPs. They are able to consistently and effectively execute the same TTP as many times the Blue Team requires to tune their defenses in real-time. As the industry leader in purple teaming, SCYTHE published the Purple Team Exercise Framework (PTEF)

“SCYTHE has cut our MITRE ATT&CK testing from days to just moments.”
John Strand, Founder of Black Hills InfoSec

Adversary Emulations

Adversary emulation is a type of ethical hacking engagement where a Red Team imitates how an attacker operates, leveraging frameworks like MITRE ATT&CK to identify specific tactics, techniques, and procedures (TTPs) that a real threat actor might use against an organization. Rather than focusing on attacks less likely to occur, these engagements draw upon Cyber Threat Intelligence to identify adversaries with the intent, opportunity, and capability to attack. Adversary Emulations may be performed in a no-knowledge (Red Team Engagement) or full-knowledge (Purple Team Exercise). SCYTHE introduced #ThreatThursday where a new adversary is selected every week, Cyber Threat Intelligence is consumed, an adversary emulation plan is created and shared on the SCYTHE Community Threats Github, and detection for those adversary TTPs are discussed.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email, visit, or follow on Twitter @scythe_io.