
Red team

Overview

A red team simulates real-world adversaries to test people, processes, and technology together, including how the defenders detect and respond. Unlike a penetration test, which enumerates vulnerabilities in a defined target, a red team engagement pursues agreed objectives (e.g. domain compromise, or a simulated data exfiltration) under constraints written into a rules of engagement (ROE) document.

Key concepts

  • Scope & ROE — Which systems, time windows, and techniques are allowed, and which are explicitly excluded; exclusions take precedence.
  • Kill chain / ATT&CK — Map planned and executed actions to adversary tactics and techniques so that coverage gaps (tactics never exercised, techniques that produced no alert) are visible.
  • Stealth vs breadth — Exercising more techniques generates more telemetry; the objective and ROE decide how much noise is acceptable before the blue team is expected to detect the activity.
  • Reporting — The attack path with a detection and response timeline and prioritized remediation, not just a vulnerability list.
  • Legal & ethics — Written authorization before any activity; no testing of out-of-scope systems, and unexpected findings go to the customer contact rather than being explored.
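The ATT&CK coverage idea above, worked through as an added example (not code from the original page): a constructed engagement log of executed techniques is folded onto a hand-picked subset of real ATT&CK technique IDs (the technique-to-tactic map is an assumption limited to the tactics needed here), and the summary separates "telemetry existed" from "an alert actually fired", which is the distinction a report should make.

```python
"""ATT&CK coverage summary for a red team engagement (added example).

The technique-to-tactic map is a small subset of real MITRE ATT&CK Enterprise
technique IDs, listing only the tactics needed here. The engagement log is
constructed sample data, not a real engagement.
"""
from collections import defaultdict

# Assumed mapping: real technique IDs, tactics trimmed for the example.
TECHNIQUE_TACTICS = {
    "T1566": ("Initial Access",),                      # Phishing
    "T1078": ("Initial Access", "Persistence",         # Valid Accounts
              "Privilege Escalation", "Defense Evasion"),
    "T1059": ("Execution",),                           # Command and Scripting Interpreter
    "T1053": ("Execution", "Persistence",              # Scheduled Task/Job
              "Privilege Escalation"),
    "T1003": ("Credential Access",),                   # OS Credential Dumping
    "T1021": ("Lateral Movement",),                    # Remote Services
    "T1046": ("Discovery",),                           # Network Service Discovery
    "T1071": ("Command and Control",),                 # Application Layer Protocol
    "T1041": ("Exfiltration",),                        # Exfiltration Over C2 Channel
}

# Constructed engagement log: (technique, target, telemetry_seen, alert_fired).
# "telemetry_seen" means the blue team's logs captured the action;
# "alert_fired" means a detection actually raised it. T1046 was never run.
ENGAGEMENT_LOG = [
    ("T1566", "user@corp.example", True, True),
    ("T1059", "WS-042", True, False),   # logged, but no rule alerted on it
    ("T1078", "WS-042", False, False),
    ("T1053", "WS-042", False, False),
    ("T1003", "WS-042", True, True),
    ("T1021", "FS-01", False, False),
    ("T1071", "WS-042", False, False),
    ("T1041", "FS-01", False, False),
]


def coverage_by_tactic(log, tactic_map):
    """Return {tactic: {"attempted": n, "detected": n, "alerted": n}}.

    A technique that belongs to several tactics counts once per tactic, so
    the per-tactic view reflects every tactic the action exercised.
    """
    summary = defaultdict(lambda: {"attempted": 0, "detected": 0, "alerted": 0})
    for technique, _target, detected, alerted in log:
        for tactic in tactic_map.get(technique, ("Unmapped",)):
            row = summary[tactic]
            row["attempted"] += 1
            row["detected"] += int(detected)
            row["alerted"] += int(alerted)
    return dict(summary)


def blind_spots(log, tactic_map):
    """Tactics the red team exercised where nothing ever alerted."""
    summary = coverage_by_tactic(log, tactic_map)
    return sorted(t for t, row in summary.items() if row["alerted"] == 0)


def untested_tactics(log, tactic_map):
    """Tactics in the map that the engagement never exercised (coverage gap)."""
    exercised = {t for tech, *_ in log for t in tactic_map.get(tech, ())}
    all_tactics = {t for tactics in tactic_map.values() for t in tactics}
    return sorted(all_tactics - exercised)


if __name__ == "__main__":
    for tactic, row in sorted(coverage_by_tactic(ENGAGEMENT_LOG, TECHNIQUE_TACTICS).items()):
        print(f"{tactic:<22} attempted={row['attempted']} "
              f"detected={row['detected']} alerted={row['alerted']}")
    print("no alert fired:", blind_spots(ENGAGEMENT_LOG, TECHNIQUE_TACTICS))
    print("never exercised:", untested_tactics(ENGAGEMENT_LOG, TECHNIQUE_TACTICS))
```

The two derived lists are the ones worth putting in the report: `blind_spots` is where the blue team needs detection engineering (note that Execution had telemetry but no alert, which is a different fix from no telemetry at all), and `untested_tactics` is where the engagement itself left a gap that the next one should close.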

Engagement phases

Sample: rules of engagement (outline)

  1. Customer signatory and emergency contacts — who authorized the engagement, and who can halt it at any hour.
  2. In-scope IP ranges, domains, and applications; out-of-scope third parties and shared infrastructure, with exclusions overriding inclusions.
  3. Forbidden actions (e.g. destructive payloads, denial of service, social engineering of HR) and the agreed testing window.
  4. Communication plan — when to pause if unintended impact occurs, how to report it, and how to hand over findings that fall outside the objectives.
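Items 2 to 4 of the outline turn into a mechanical pre-flight check that operators run before touching a target. As an added example (not part of the original page), the following encodes a constructed ROE, using RFC 5737 documentation ranges and `.example` names as placeholders rather than any real customer's scope, and gates each action on scope, forbidden technique tags, and the agreed time window. The exclusion-wins rule and the overnight window that crosses midnight are the two cases people usually get wrong by hand.

```python
"""Pre-flight scope gate built from a rules-of-engagement document (added example).

All ROE values are constructed placeholders: RFC 5737 documentation ranges and
.example domains. Exclusions always take precedence over inclusions.
"""
import ipaddress
from datetime import datetime, time, timezone

ROE = {
    "in_scope_networks": ["192.0.2.0/24", "198.51.100.0/25"],
    "out_of_scope_networks": ["192.0.2.250/31"],     # e.g. a third-party appliance
    "in_scope_domains": ["corp.example"],
    "out_of_scope_domains": ["hr.corp.example"],     # ROE forbids targeting HR
    "window_utc": (time(22, 0), time(6, 0)),         # overnight window, crosses midnight
    "forbidden_techniques": {"destructive", "dos", "hr-social-engineering"},
}


def _under(host, domain):
    """True if host equals domain or is a subdomain of it (no substring matching)."""
    return host == domain or host.endswith("." + domain)


def target_in_scope(target, roe):
    """True only if target matches an inclusion and no exclusion.

    Accepts an IP address or a hostname; an exclusion on either list wins.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in ipaddress.ip_network(n) for n in roe["out_of_scope_networks"]):
            return False
        return any(ip in ipaddress.ip_network(n) for n in roe["in_scope_networks"])
    host = target.lower().rstrip(".")
    if any(_under(host, d) for d in roe["out_of_scope_domains"]):
        return False
    return any(_under(host, d) for d in roe["in_scope_domains"])


def in_window(when, roe):
    """Check the agreed testing window; `when` must be a timezone-aware datetime."""
    start, end = roe["window_utc"]
    t = when.astimezone(timezone.utc).time()
    if start <= end:                      # same-day window
        return start <= t < end
    return t >= start or t < end          # window crosses midnight


def authorized(target, technique_tags, when, roe):
    """Single gate called before any action. Returns (ok, reason)."""
    if not target_in_scope(target, roe):
        return False, f"{target} is not in scope"
    banned = set(technique_tags) & roe["forbidden_techniques"]
    if banned:
        return False, "forbidden technique(s): " + ", ".join(sorted(banned))
    if not in_window(when, roe):
        return False, f"outside agreed window at {when.isoformat()}"
    return True, "authorized"


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 2, 30, tzinfo=timezone.utc)
    for tgt, tags in [("192.0.2.10", {"recon"}),
                      ("192.0.2.251", {"recon"}),
                      ("portal.hr.corp.example", {"phishing", "hr-social-engineering"}),
                      ("mail.corp.example", {"recon"})]:
        print(tgt, authorized(tgt, tags, now, ROE))
```

Keeping the gate as a single function that every tool calls (rather than a checklist in a wiki) means a scope change is one edit in one place, and the `(ok, reason)` tuple gives the operator log an audit trail of why an action was or was not taken.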
