A red team engagement is an authorized, adversary-simulating exercise: attackers (the red team) attempt to achieve specific objectives against a defending organisation (the blue team), using the tactics, techniques, and procedures (TTPs) of real threat actors. It is not a penetration test. This module covers what red teaming actually is, the engagement types, scoping, rules of engagement, and what a good red team delivers beyond “we got in.”
Red team vs pentest β the real difference
| Pentest | Red team |
|---|---|
| Find and enumerate vulnerabilities | Achieve a specific objective |
| Broad coverage, shallow depth | Narrow objective, full depth |
| Blue team usually informed | Blue team usually NOT informed |
| Noisy OK | Stealth expected |
| Measures attack surface | Measures detection + response |
| 1-3 weeks | 4-12 weeks |
Engagement types
- Full-scope red team: external attacker achieving a crown-jewel objective (e.g., “exfiltrate the customer PII database”). Unannounced to blue team. Most realistic, most expensive
- Assumed breach: red team starts with initial foothold (planted implant, stolen credentials). Skips the initial access phase. Useful when you want to test post-compromise controls without the cost/uncertainty of earning initial access
- Purple team: red and blue work side-by-side. Red executes TTPs; blue observes and tunes detections in real time. Highest learning value per dollar; lowest realism
- Adversary emulation: red team mimics the specific TTPs of a named threat actor (APT29, Lazarus, FIN7). Tests whether controls would hold against that specific adversary’s playbook
- Physical + social red team: badge cloning, tailgating, pretexting at front desk. Usually combined with network red team for full-spectrum
Objectives β the anchor of a red team
A red team without a concrete objective degrades into a pentest. Objectives are specific, measurable, business-impact-focused:
- “Obtain administrative access to the production Salesforce tenant”
- “Retrieve 100 rows from the customer_pii table”
- “Achieve domain admin in the corporate Active Directory”
- “Gain ability to initiate a funds transfer above βΉ10 lakh”
- “Read email from the CEO’s mailbox”
Do not accept “get in and see what you can do.” Force the customer to articulate a worst-case outcome; that becomes the objective.
Rules of Engagement (RoE)
The RoE document is the contract. Cover all of:
- Authorized scope: IPs, domains, physical addresses, named systems, cloud accounts
- Out of scope: explicit exclusions (third-party SaaS you don’t own, affiliate networks, specific VIP accounts)
- Timing: engagement window (start/end), allowed hours, blackout periods (quarter-end, board meeting weeks)
- Techniques allowed/forbidden: DoS explicitly forbidden; social engineering allowed or not; physical access allowed or not
- Data handling: may the red team exfiltrate real PII? How is it stored? When destroyed?
- Escalation path: the one “trusted agent” contact on the customer side who knows the engagement exists; always-available phone number; what triggers early termination
- Reporting: out-briefing cadence during engagement, final report delivery date, executive summary meeting
The trusted agent
One named individual at the customer β usually the CISO or a security leader β knows the engagement is happening. Everyone else (including the blue team) does not. The trusted agent:
- Can abort the engagement if needed (real incident mid-test)
- Is reachable 24/7 for the duration
- Handles the inevitable: “the SOC detected something, do we investigate or stand down?”
Without a trusted agent, red teams either get shut down at the first detection (no value generated) or cause incidents that waste blue team time.
Scoping questions to ask before any engagement
- What is the desired objective? Articulate in one sentence
- What is in scope? Out of scope?
- How mature is the blue team? (Pace your engagement accordingly)
- Does the customer want stealth as a goal, or is detection acceptable as long as the objective is reached?
- What is the budget? (4-12 weeks of 2 operators is βΉ15-50 lakh in the Indian market)
- Are there any “if you hit X, stop” clauses? (e.g., sensitive systems that must not be touched even if reachable)
- Who is the trusted agent and their backup?
- How will detections be handled during the engagement?
The phases of a full-scope red team
- Planning: objectives, scope, RoE signed
- Reconnaissance: OSINT on the target, map attack surface
- Initial access: phishing, credential stuffing, external vulnerability
- Establish foothold: implant persistence, set up C2
- Privilege escalation: local and then domain-wide
- Lateral movement: pivot to reach objective systems
- Objective achievement: complete the defined goal; document proof
- Exfiltration (simulated): demonstrate you could move data; without real data leaving the environment
- Reporting: timeline, TTPs used, detection gaps, recommendations
- Debrief: executive out-brief + blue team tactical review
What a good red team report contains
- Executive summary: did you achieve the objective, in how long, with how much effort
- Timeline: when each phase started/ended, with detection moments marked
- Attack narrative: storyline prose, not just a list of findings
- TTP mapping to MITRE ATT&CK
- Detection analysis: what the blue team caught, what they missed, why
- Recommendations: prioritised, blue-team-actionable
- Appendices: IOCs generated, artifacts left behind (so blue can clean up)
Where this track goes
Module 2 covers initial access β the phase that starts every external red team. Phishing infrastructure, payload delivery, initial implant. Module 3 dives into C2 frameworks β Cobalt Strike, Sliver, Havoc. Module 4 covers lateral movement and persistence. Module 5 is the hardest work: evading mature EDR in 2026.