Red Team Operations
Red teaming is goal-oriented adversary simulation designed to test an organization's detection and response capabilities. Unlike penetration testing, which aims to find as many vulnerabilities as possible, red teaming focuses on achieving specific objectives while remaining undetected—mimicking real-world threat actors.
Authorization Critical
Red Team vs Penetration Test
Understanding the distinction is crucial. Red teams are not "advanced pentesters"—they are specialized adversary emulation teams with different goals, methods, and reporting structures.
| Aspect | Penetration Test | Red Team |
|---|---|---|
| Goal | Find and validate vulnerabilities | Achieve approved objectives and measure control response |
| Duration | 1-3 weeks | 1-6 months |
| Detection | Detection expected/secondary | Measure prevention, detection, and response quality |
| Scope | Defined IP ranges/applications | Entire organization (physical, social, digital) |
| Reporting | Detailed technical report | Executive summary + debrief |
Red Team Kill Chain
Pre-Engagement
- • Define objectives (e.g., access CEO email)
- • Establish ROE and scope
- • OSINT and threat profiling
- • Infrastructure setup (domains, C2)
Execution
- • Initial access (phishing, physical)
- • Establish C2 beacon
- • Lateral movement and privilege escalation
- • Achieve objective while evading detection
Post-Engagement
- • Debrief with blue team
- • Detection timeline analysis
- • Executive report with recommendations
- • Purple team exercises to improve defenses
MITRE ATT&CK for Red Teams
The MITRE ATT&CK framework provides a common taxonomy for adversary tactics and techniques. Red teams use it to:
🎯 Design Realistic Scenarios
Map engagements to real APT groups (e.g., emulate APT29 techniques)
📊 Measure Coverage
Track which techniques the blue team can detect
📝 Standardize Reporting
Use technique IDs (T1055, T1003) for clear communication
🟣 Enable Purple Teaming
Collaborate with defenders using common vocabulary
Essential Red Team Skills
- • OPSEC: Noise control, deconfliction, and evidence hygiene
- • Social Engineering: Consented simulations and user-reporting measurement
- • Control Validation: Benign callbacks, test markers, and telemetry review
- • Detection Engineering: Measuring EDR, identity, mail, and network visibility
- • Infrastructure: Approved exercise assets, logging, and teardown
- • Threat Intelligence: Emulating real adversary TTPs
- • Scripting: Python, PowerShell, C#, Nim for tool development
- • Communication: Translating technical findings for executives
Guide Contents
Red Team Fundamentals
Objectives, methodology, and how red teams differ from pentests.
Adversary Simulation
Emulating real-world threat actors using MITRE ATT&CK framework.
Covert Operations
Stealth techniques, OPSEC, and avoiding detection during engagements.
Purple Teaming
Collaborative exercises between red and blue teams to improve defenses.
Threat Intelligence Integration
Leveraging CTI to design realistic attack scenarios.
Long-Duration Engagements
Managing persistent access, operational security over months.
Initial Access Operations
Authorized access simulations, safety controls, and detection outcomes.
Red Team Infrastructure
Approved exercise infrastructure, logging, evidence, and teardown.
Rules of Engagement
Scope definition, authorization, and legal considerations.