Where Threat Intelligence Meets Action: Adversary Emulation & Simulation in Practice

Not all attacks are created equal, and your defenses should not be either. That is why, at Depth Security, we go beyond basic testing to simulate real-world threats.

Through adversary emulation and adversary simulation, we create immersive, authentic scenarios designed to challenge your defenses on every level.

Realistic Cyber Attacks. Simulated Safely. Analyzed Deeply.

Here is how we bring adversary emulation and simulation to life by crafting high-impact, threat-informed scenarios for organizations across industries. From finance to healthcare, these engagements are designed to uncover critical security gaps before real attackers have the chance.

Let us take a look at how two fictional companies, Lurovia Holdings and Valorith Health Systems, fare when we put their defenses to the test.

Scenario 1: Emulating a Known Threat Actor (Adversary Emulation)
Mock Company: Lurovia Holdings Financial Group, a mid-sized financial services firm

Lurovia Holdings recently expanded into digital lending, making them a ripe target for financially motivated threat actors. Our team was brought in to emulate FIN7, a known cybercriminal group with a history of targeting finance with phishing and lateral movement techniques.

We followed FIN7’s documented playbook: crafted spear-phishing emails, exploited an unpatched endpoint, and moved laterally using stolen credentials, all without tipping off the blue team.

The outcome?

Lurovia Holdings discovered that, while their EDR tools flagged initial access, lateral movement went undetected. Their detection rules were solid, but incomplete.

Our recommendation:

Implement enhanced lateral movement detection rules and conduct regular purple team exercises to strengthen post-compromise visibility.

Scenario 2: Simulating a Broader Crisis (Adversary Simulation)
Mock Company: Valorith Health Systems, a regional healthcare provider

Valorith needed to test more than just its IT defenses. They wanted to know how the entire organization would respond to a ransomware attack during peak hospital hours.

We designed a comprehensive simulation: a vendor email compromise leads to ransomware spreading across clinical systems. As part of the scenario, we triggered simulated alerts, shut down mock patient scheduling portals, and initiated an executive-level incident call.

The outcome?

Valorith identified communication breakdowns between IT and clinical leadership, slow escalation procedures, and confusion about off-network backups.

Our recommendation:

Update and rehearse cross-functional incident response playbooks with clear escalation paths and ensure critical backup procedures are known across teams.

Pro tip: Colored team roles like Red, Blue, and Purple are primarily used in adversary emulation engagements. The Red Team emulates real-world attackers using tactics like phishing and lateral movement, while the Blue Team defends against those threats. Purple Teams bridge the gap, helping both sides collaborate to strengthen detection and response.

Unlike basic penetration tests, our adversary emulation and simulation engagements are designed to reflect the complexity, pressure, and unpredictability of real-world cyber incidents. We go beyond just scanning for vulnerabilities. We act like real attackers, work like real adversaries, and expose the kind of layered weaknesses automated tools miss.

The result? Smarter defenses, faster detection, and better-prepared teams.

Behind the Scenarios: How Emulation and Simulation Work Together

The mock scenarios above illustrate how adversary emulation and simulation play out in real-world contexts, but behind each approach is a distinct methodology and purpose.

To better understand how they complement one another in building layered security resilience, here is a quick breakdown of their core characteristics.

Adversary Emulation

  • Goal: Recreate known threat actor behavior (e.g., FIN7)
  • Scope: Focused (tactics, techniques, procedures of one actor)
  • Use Case: Validate detection and response to a specific threat actor
  • Who’s Involved: Red Team (attackers), Blue Team (defenders), and often Purple Team
  • Outcome: Detection gaps, defense tuning, TTP coverage

Adversary Simulation

  • Goal: Test the full organization’s response to a broader, realistic attack
  • Scope: Broad (multi-stage incidents, involving people, process, and tech)
  • Use Case: Evaluate overall incident handling and coordination
  • Who’s Involved: IT, Security, Execs, Clinical/Business Ops, Comms, etc.
  • Outcome: Resilience, communication, escalation paths, and recovery readiness

Ready to See What a Real Attack Looks Like?

At Depth Security, we actively challenge your defenses. Our intelligence-driven adversary scenarios are designed to uncover exactly what is working, what is missing, and how to close the gaps that matter most. These engagements give your team the insight and context needed to drive real improvements across tools, processes, and response.