Red Team Operations
Red teaming is goal-oriented adversary simulation designed to test an organization's detection and response capabilities. Unlike penetration testing, which aims to find as many vulnerabilities as possible, red teaming focuses on achieving specific objectives while remaining undetected—mimicking real-world threat actors.
Authorization Critical
Red Team vs Penetration Test
Understanding the distinction is crucial. Red teams are not "advanced pentesters"—they are specialized adversary emulation teams with different goals, methods, and reporting structures.
| Aspect | Penetration Test | Red Team |
|---|---|---|
| Goal | Find as many vulnerabilities as possible | Achieve a specific objective (steal data, access crown jewels) |
| Duration | 1-3 weeks | 1-6 months |
| Detection | Detection expected/irrelevant | Avoid detection at all costs |
| Scope | Defined IP ranges/applications | Entire organization (physical, social, digital) |
| Reporting | Detailed technical report | Executive summary + debrief |
Red Team Kill Chain
Pre-Engagement
- Define objectives (e.g., access the CEO's email)
- Establish ROE and scope
- OSINT and threat profiling
- Infrastructure setup (domains, C2)
Execution
- Initial access (phishing, physical)
- Establish C2 beacon
- Lateral movement and privilege escalation
- Achieve objective while evading detection
Post-Engagement
- Debrief with blue team
- Detection timeline analysis
- Executive report with recommendations
- Purple team exercises to improve defenses
MITRE ATT&CK for Red Teams
The MITRE ATT&CK framework provides a common taxonomy for adversary tactics and techniques. Red teams use it to:
🎯 Design Realistic Scenarios
Map engagements to real APT groups (e.g., emulate APT29 techniques)
📊 Measure Coverage
Track which techniques the blue team can detect
📝 Standardize Reporting
Use technique IDs (T1055, T1003) for clear communication
🟣 Enable Purple Teaming
Collaborate with defenders using common vocabulary
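As an added example (not part of this guide), the script below turns an engagement's technique log into the two numbers the post-engagement debrief needs: detection coverage per ATT&CK tactic and time-to-detect for each technique the blue team caught. The engagement log, timestamps and detection outcomes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class TechniqueRun:
    """One ATT&CK technique executed by the red team during the engagement."""
    technique_id: str          # ATT&CK technique ID, e.g. T1003
    tactic: str                # ATT&CK tactic the technique served
    executed_at: datetime      # when the red team ran it
    detected_at: Optional[datetime] = None  # first blue-team alert, or None if missed


T0 = datetime(2024, 1, 10, 9, 0)
# Constructed sample engagement log (illustrative, not a real engagement).
RUNS = [
    TechniqueRun("T1566.001", "Initial Access", T0, T0 + timedelta(minutes=12)),
    TechniqueRun("T1059.001", "Execution", T0 + timedelta(minutes=5)),
    TechniqueRun("T1055", "Defense Evasion", T0 + timedelta(minutes=30),
                 T0 + timedelta(minutes=75)),
    TechniqueRun("T1003", "Credential Access", T0 + timedelta(hours=2),
                 T0 + timedelta(hours=2, minutes=4)),
    TechniqueRun("T1021.002", "Lateral Movement", T0 + timedelta(hours=4)),
    TechniqueRun("T1041", "Exfiltration", T0 + timedelta(hours=6)),
]


def time_to_detect(run: TechniqueRun) -> Optional[timedelta]:
    """Delay between execution and the first blue-team alert (None if missed)."""
    if run.detected_at is None:
        return None
    return run.detected_at - run.executed_at


def coverage_by_tactic(runs: list[TechniqueRun]) -> dict[str, tuple[int, int]]:
    """Map each tactic to (techniques detected, techniques executed)."""
    coverage: dict[str, tuple[int, int]] = {}
    for run in runs:
        detected, total = coverage.get(run.tactic, (0, 0))
        coverage[run.tactic] = (detected + (run.detected_at is not None), total + 1)
    return coverage


def detection_gaps(runs: list[TechniqueRun]) -> list[str]:
    """Technique IDs the blue team never alerted on; these feed the purple-team backlog."""
    return [run.technique_id for run in runs if run.detected_at is None]


def mean_time_to_detect(runs: list[TechniqueRun]) -> Optional[timedelta]:
    """Average detection delay over detected techniques (None if nothing was detected)."""
    delays = [d for d in map(time_to_detect, runs) if d is not None]
    return sum(delays, timedelta()) / len(delays) if delays else None
```

The gap list is what a purple team would work through next: each undetected technique ID maps directly to a detection to build or tune.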
Essential Red Team Skills
- OPSEC: Avoiding detection and attribution
- Social Engineering: Phishing, vishing, physical access
- C2 Development: Custom implants and communication channels
- Evasion: Bypassing EDR, AV, and behavioral detection
- Infrastructure: Domain fronting, redirectors, HTTPS C2
- Threat Intelligence: Emulating real adversary TTPs
- Scripting: Python, PowerShell, C#, Nim for tool development
- Communication: Translating technical findings for executives
Guide Contents
Red Team Fundamentals
Objectives, methodology, and how red teams differ from pentests.
Adversary Simulation
Emulating real-world threat actors using the MITRE ATT&CK framework.
Covert Operations
Stealth techniques, OPSEC, and avoiding detection during engagements.
Purple Teaming
Collaborative exercises between red and blue teams to improve defenses.
Threat Intelligence Integration
Leveraging CTI to design realistic attack scenarios.
Long-Duration Engagements
Managing persistent access and operational security over months.
Initial Access Operations
Phishing campaigns, physical entry, supply chain compromise.
Red Team Infrastructure
Building resilient C2 infrastructure with domain fronting and redirectors.
Rules of Engagement
Scope definition, authorization, and legal considerations.