Red Team Infrastructure
Setup
Red-team infrastructure should be resilient enough for the exercise and observable enough to support deconfliction, evidence collection, and teardown. Build it like production: documented owners, logging, access control, change records, and a cleanup plan.
No Shadow Infrastructure
Do not deploy infrastructure outside the approved engagement plan. Record every domain, host, certificate, cloud account, redirector, test account, and callback endpoint in the RoE or an approved infrastructure annex.
Reference Architecture
```text
Operator workstation
-> management plane with MFA, logging, and least privilege
-> approved control server or simulation collector
-> redirect / relay layer for resilience and measurement
-> client-visible telemetry, detections, and evidence exports

Required records:
- owner and approver
- purpose and associated playbook task
- cloud account / subscription / project
- DNS names and certificate inventory
- source IPs and expected destinations
- data retained and retention period
- teardown owner and date
```
Build Checklist
Security Baseline
- MFA enforced for all operator access.
- Separate operator, automation, and read-only accounts.
- Centralized logs exported before teardown.
- Secrets stored in a vault, never in scripts or notes.
- Restrictive inbound rules and explicit egress destinations.
Operational Controls
- Named change window for every deployment.
- Canary test before client-facing activity.
- Rate limits and kill switch documented.
- Unique campaign IDs in logs and headers where appropriate.
- Teardown runbook rehearsed before operations begin.
Infrastructure Inventory Template
```csv
asset_id,component,owner,purpose,approved_until,logging,teardown_status
RTI-001,dns-zone,red-team-lead,authorized simulation routing,2026-06-30,registrar audit log,scheduled
RTI-002,collector,ops-engineer,benign callback telemetry,2026-06-30,cloud audit + app logs,scheduled
RTI-003,mail-domain,exercise-lead,phishing simulation delivery,2026-06-15,mail provider logs,scheduled
RTI-004,operator-vm,operator-1,administration workstation,2026-06-30,EDR + cloud logs,scheduled
```
Detection and Deconfliction Hooks
- Share approved source IPs and domain patterns with the deconfliction contact, not the full blue team unless the exercise requires it.
- Tag exercise activity with campaign IDs where it will not invalidate the test.
- Preserve raw logs from infrastructure, identity provider, DNS, mail platform, and cloud control plane.
- Define a phrase or ticket tag the client can use to verify whether suspicious activity belongs to the engagement.
- Capture timestamps in UTC and keep host clocks synchronized.
Teardown Runbook
- Export and hash infrastructure logs.
- Disable callbacks, landing pages, and test accounts.
- Remove DNS records, certificates, tokens, and cloud roles.
- Destroy temporary compute and storage after evidence retention is confirmed.
- Update the evidence manifest with artifact locations and deletion records.
- Review any unplanned detections or client escalations in the closeout meeting.
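The inventory template above and the runbook's "export and hash" step, as an added Python example that is not part of the original page: it audits a constructed copy of the inventory for missing records, unlogged assets and approvals that have lapsed without teardown, and builds a SHA-256 manifest entry for an exported log. Column names follow the template; the `complete` teardown status value is an assumption.

```python
import csv
import hashlib
import io
from datetime import date

# Constructed sample in the page's inventory layout; RTI-004 deliberately lacks a logging source.
INVENTORY_CSV = """asset_id,component,owner,purpose,approved_until,logging,teardown_status
RTI-001,dns-zone,red-team-lead,authorized simulation routing,2026-06-30,registrar audit log,scheduled
RTI-002,collector,ops-engineer,benign callback telemetry,2026-06-30,cloud audit + app logs,scheduled
RTI-003,mail-domain,exercise-lead,phishing simulation delivery,2026-06-15,mail provider logs,scheduled
RTI-004,operator-vm,operator-1,administration workstation,2026-06-30,,scheduled
"""

REQUIRED = ("asset_id", "component", "owner", "purpose",
            "approved_until", "logging", "teardown_status")
TORN_DOWN = "complete"  # assumed status value meaning the asset no longer exists


def audit_inventory(csv_text, as_of):
    """Return (asset_id, finding) pairs for anything that would make the
    infrastructure 'shadow' or block a clean teardown: missing required
    records, an unparsable approval date, or an approval window that has
    passed (relative to the ISO date `as_of`) while the asset is still live."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        return [("*", "inventory missing columns: " + ", ".join(missing_cols))]
    cutoff = date.fromisoformat(as_of)
    for row in reader:
        aid = (row.get("asset_id") or "").strip() or "<no id>"
        for col in REQUIRED:
            if not (row.get(col) or "").strip():  # DictReader yields None for short rows
                findings.append((aid, f"missing {col}"))
        try:
            approved_until = date.fromisoformat(row.get("approved_until") or "")
        except ValueError:
            findings.append((aid, "approved_until is not an ISO date"))
            continue
        status = (row.get("teardown_status") or "").strip()
        if approved_until < cutoff and status != TORN_DOWN:
            findings.append((aid, f"approval expired {approved_until}, teardown_status={status}"))
    return findings


def manifest_entry(artifact_path, content):
    """Hash an exported log so the evidence manifest can prove it was not altered after export."""
    return {"artifact": artifact_path,
            "sha256": hashlib.sha256(content).hexdigest(),
            "bytes": len(content)}
```

Run the audit before each change window and again at teardown; an empty result is the gate for destroying compute and storage.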
Playbook Builder Fit
Attach the infrastructure inventory, change log, and teardown evidence to the matching Playbook Builder tasks. Those artifacts are more valuable in the final report than a raw list of servers.