Senior Consultant, Red Team, Offensive Security in London

In a world of disruption and increasingly complex business challenges, our professionals bring truth into focus with the Kroll Lens. Our sharp analytical skills, paired with the latest technology, allow us to give our clients clarity—not just answers—in all areas of business. We embrace diverse backgrounds and global perspectives, and we cultivate diversity by respecting, including, and valuing one another. As part of One team, One Kroll, you’ll contribute to a supportive and collaborative work environment that empowers you to excel.

Our Offensive Security professionals are on a mission to make the world a safer place, one company at a time. We help our clients discover, understand, and remediate security risks across their networks, systems, applications, cloud environments, and identity platforms. Our clients trust us to use advanced offensive security tools, creativity, imagination, and expert knowledge to identify realistic attack paths and improve cyber resilience.

This role will be based in the UK, with a hybrid working model requiring two days per week in one of our UK offices: London, Leeds, or Birmingham.

What you’ll do

• Support the delivery of complex red team, purple team, assumed-breach, and adversary emulation engagements.
• Work with clients to understand their environments, help define realistic attack objectives, develop attack paths, and execute authorised offensive security activity within agreed rules of engagement.
• Operate across a range of attack surfaces, including enterprise networks, Active Directory, Microsoft Entra ID, Microsoft 365, cloud platforms, endpoints, externally exposed services, and, where authorised, social engineering scenarios.
• Help clients understand the business impact of identified attack paths and provide clear, actionable recommendations to improve prevention, detection, and response.

In summary, you will:

• Deliver red team, purple team, assumed-breach, and adversary emulation engagements for clients across multiple sectors.
• Support engagement planning, including threat-informed scenarios, attack objectives, rules of engagement, operational security considerations, and success criteria.
• Execute hands-on offensive activity across enterprise environments, including Active Directory exploitation, credential access, privilege escalation, lateral movement, and objective-based testing.
• Assess and exploit attack paths across Microsoft Entra ID, Microsoft 365, hybrid identity environments, AWS, Azure, GCP, and other cloud platforms, where in scope.
• Build, adapt, and operate red team infrastructure, command-and-control tooling, payloads, and scripts during authorised client engagements.
• Apply detection-aware tradecraft and understand how EDR, SIEM, identity protection, conditional access, email security, and network monitoring can affect red team operations.
• Support purple team engagements by executing agreed TTPs, working with client security teams, validating detection logic, and helping clients improve response capability.
• Conduct authorised social engineering activity, including reconnaissance, phishing, vishing, pretext development, and controlled initial access scenarios.
• Conduct research and development to improve Kroll’s red team tooling, tradecraft, methodology, and reporting.
• Produce clear, evidence-based reporting that explains attack paths, business impact, detection and response observations, and prioritised remediation actions.
• Present technical findings to security teams and communicate business risk to senior stakeholders.
• Mentor junior consultants, support technical delivery, and contribute to peer review and quality assurance.
• Work collaboratively with Kroll’s wider Cyber Risk teams, including incident response, threat intelligence, cloud security, and detection engineering.

What you’ll need to succeed

• 5+ years in offensive cybersecurity, including experience delivering red team, purple team, adversary emulation, or assumed-breach engagements.
• Existing SC clearance, or the ability and willingness to obtain SC clearance.
• A relevant CREST red team certification aligned to CBEST-style delivery, such as CREST Certified Red Team Specialist, formerly CCSAS, or the ability to obtain this within the probation period.
• Strong experience with Windows enterprise environments, Active Directory exploitation, privilege escalation, and lateral movement.
• Experienced and comfortable with performing social engineering techniques in support of red team operations, including email and voice phishing.
• Experience operating command-and-control frameworks such as Mythic, Cobalt Strike, or similar tooling in authorised client engagements.
• Experience developing, modifying, or extending offensive security tooling, scripts, or payloads.
• Working knowledge of at least one of C, C#, Python, PowerShell, and/or JavaScript, to support offensive security objectives.
• Practical understanding of evasion techniques, endpoint security controls, operational security, and detection-aware tradecraft.
• Strong understanding of networking and web protocols, including TCP/IP, DNS, HTTP, HTTPS, and authentication flows.
• Experience conducting reconnaissance, attack path development, and objective-based testing.
• Excellent written and verbal communication skills, with the ability to explain complex technical issues clearly to technical and non-technical audiences.
• The ability to manage risk during live client engagements and operate within agreed rules of engagement.
• Work remote, but have the ability to come into the office at either London, Leeds, or Birmingham, on occasion for team building or administration.

Nice to have

• CREST Certified Red Team Specialist, OSEP, OSCE3, CRTO, CRTL, GPEN, GXPN, or equivalent experience.
• Experience delivering CBEST, STAR-FS, TIBER, DORA-aligned, TLPT, or regulated financial-sector red team engagements.
• Strong working knowledge of Microsoft Entra ID, Microsoft 365, and hybrid identity attack paths.
• Working knowledge of cloud platforms such as AWS, Azure, or GCP, including identity, privilege escalation, misconfiguration abuse, and cloud-native attack paths.
• Experience with exploit development, reverse engineering, malware analysis, or assembly-level debugging.
• Experience with macOS or Linux endpoint tradecraft.
• Experience with Kubernetes, Docker, CI/CD platforms, DevOps environments, or containerised workloads.
• Experience with physical security.
• Experience with employing modern AI tooling to support offensive engagements.
• Threat intelligence, detection engineering, or incident response experience.
• Experience writing blogs, presenting at industry events, publishing research, or contributing to offensive security tooling.
• Experience leading small teams or technical workstreams during complex offensive security engagements.

Kroll is committed to creating an inclusive work environment. We are proud to be an equal opportunity employer and will consider all qualified applicants regardless of gender, gender identity, race, religion, colour, nationality, ethnic origin, sexual orientation, marital status, veteran status, age, or disability.