Learning Track · 19 modules

Red Team Operations

Adversary simulation: initial access, C2, lateral movement, defeating modern EDR.

Why this track

This track walks you from fundamentals through advanced techniques across 19 practitioner modules: the same body of knowledge senior security professionals build over years, structured for self-paced progression with India-specific context throughout.

Prerequisite: See module 1 for entry context. Most modules are self-contained but follow the suggested sequence for best results.
Modules: 19
Total time: 14.8 h
Free modules: 19
Quiz retries
Difficulty mix: Beginner 1 · Intermediate 5 · Advanced 11 · Expert 2

Module sequence

M1
Red Team Operations Fundamentals
Red team vs pentest, engagement types, objectives, rules of engagement, and what a good red team report looks like.
Beginner 60 min
M2
Initial Access — Phishing & Beyond
Phishing infrastructure, HTML smuggling, password spray, OAuth consent, and exposed-service exploitation.
Intermediate 90 min
M3
Command & Control Frameworks
Cobalt Strike, Sliver, Havoc, Mythic compared. Beacon anatomy, transports, malleable profiles, redirector architecture.
Advanced 120 min
M4
Lateral Movement & Persistence
Pass-the-hash/ticket, WMI/WinRM, scheduled tasks, WMI subscriptions, AD golden/silver tickets, cloud persistence.
Advanced 120 min
M5
Evading Modern EDR
AMSI bypass, ETW blinding, direct syscalls, unhooking, module stomping, and the attacker-defender arms race in 2026.
Expert 150 min
M6
Red Team — External Recon
Red team engagements start with weeks of recon before any technical action. Quality of recon determines success of later phases.
Reconnaissance phases:
Organizational — leadership, departments, sites, M&A history
Technical — domains, IP ranges, technology stack, SaaS used
Personnel — names, roles, emails, social-media patterns
Physical — office locations, vendor relationships
Tools by phase: Already […]
Intermediate 20 min
M7
Red Team Payload Development
Defender perspective on red-team payload development. Modern AV/EDR catches commodity payloads; serious red teams build custom.
Layers of evasion:
Loader — small program that decrypts/decompresses the real payload
Shellcode encoding — XOR, custom crypto, polymorphism
API resolution at runtime — don’t import suspicious functions in the IAT
Sleep + jitter — long sleeps between actions to defeat […]
Advanced 20 min
M8
Persistence Techniques
MITRE ATT&CK lists 30+ persistence techniques. The 10 most-used cover 80% of real-world cases.
Top techniques:
Run keys — HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Services — create new service or hijack existing
Scheduled tasks — schtasks; survives reboot
WMI event subscription — fires on conditions
COM hijacking — replace InProcServer32 entries
Office Test path — DLLs loaded by Office […]
Advanced 20 min
M10
Red Team in AD
The complete red-team AD chain. Modules 8-17 in the AD track covered individual techniques; this is the operator playbook.
Path planning:
Initial access (phish, web exploit, valid creds)
Local recon (BloodHound from compromised host)
Identify shortest path to DA
Choose technique per step (Kerberoast → DCSync, or RBCD → ticket forge)
Execute with OPSEC (silent EDR-evasive techniques) […]
Advanced 25 min
M11
Red Team in Cloud
Cloud red teaming is different from AD. No NT hashes; tokens. No Kerberos; OAuth/STS. Different tools, different OPSEC.
The cloud kill chain:
Initial credential acquisition (phishing a dev for AWS keys, or compromising an endpoint with cached CLI credentials)
Discovery — what services, what permissions
Privilege escalation — IAM-misconfig paths (covered in Cloud Modules 8-9)
Lateral movement — […]
Advanced 25 min
M12
Data Exfiltration Techniques
Data exfiltration is the goal of most non-ransomware attacks. Network defenders should know the patterns.
Common channels:
HTTPS to attacker domain — most common; blends with legit traffic
HTTPS to cloud storage — Dropbox, Google Drive, AWS S3 (attacker bucket); user-agents look legitimate
DNS tunneling — covered in Networking Module 9
ICMP tunneling — niche but possible; […]
Advanced 20 min
M13
Red Team Reporting
The report is the deliverable. A great engagement with poor reporting fails to drive change.
Three audiences:
Executives — what could happen; what was the impact; what investment is justified
Security team — TTPs used, detection gaps, recommended controls
Engineering / IT — specific configurations to change, code to fix
Structure:
Executive summary (1-2 pages)
Engagement […]
Intermediate 15 min
M14
Red-to-Purple Handoff
One-shot red team engagement: report → file in drawer. Purple-team handoff: report → workshop → detections built. The latter is what produces lasting improvement.
The handoff workshop:
Red team walks through the engagement chronologically
For each step: blue team confirms what (if any) signal fired
Where a signal fired but was ignored — investigate why
Where no signal […]
Intermediate 15 min
M15
Red Team Engagement Management
Red team is high-risk consulting. A bad engagement can crash production, leak data, breach contracts. Discipline matters.
Rules of Engagement (ROE):
Authorized targets and out-of-scope assets
Authorized techniques and prohibited ones (e.g., DoS, social engineering of HR)
Engagement window
Stop conditions
Deconfliction contacts (real production incidents vs red team)
Get-out-of-jail letter
Communication:
Trusted Agent (TA) on […]
Intermediate 15 min
M16
Adversary Emulation Plans — TTPs from Threat Intel to Engagement
Why emulate vs. just pentest: Generic pentests find generic findings. Adversary emulation tests whether you can withstand the specific groups that target your industry / geography:
APT29 / Cozy Bear for government / defence.
FIN7 / FIN8 for retail / hospitality.
APT41 for telecom and travel.
Specific groups targeting the Indian financial sector.
The sources: MITRE […]
Advanced 35 min
M17
Beyond Cobalt Strike — Sliver, Mythic, Brute Ratel, Havoc
The C2 landscape:
Framework | Licence | Notes
Cobalt Strike | Commercial (Fortra) | Industry standard; highly detected
Sliver | Open-source (Bishop Fox) | Go-based; mTLS / DNS / WireGuard transport
Mythic | Open-source | Modular agent framework; multiple agents
Brute Ratel | Commercial | Newer; modern evasion features
Empire / Starkiller | Open-source | PowerShell-centric; widely detected
Havoc | Open-source | Modern; community-active
Why teams move beyond Cobalt […]
Advanced 35 min
M18
EDR Evasion in 2026
The EDR detection stack:
User-mode hooks: EDR hooks key API calls (CreateRemoteThread, NtMapViewOfSection, etc.) to inspect arguments.
Kernel-mode callbacks: PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine notify EDR of process / thread events.
ETW (Event Tracing for Windows): provides the telemetry stream EDR consumes.
AMSI: Antimalware Scan Interface; PowerShell / WSH content sent to AV for inspection.
File-based scanning: classic signature […]
Expert 40 min
M19
Living-off-the-Land Binaries (LOLBins) Mastery
Why LOLBins matter:
Binary is signed by Microsoft — passes signature checks.
Binary is present on every Windows host — no payload to drop.
Binary’s normal use is legitimate — context-aware detection required.
Operators chain LOLBins to perform attacker workflows entirely with native tools.
The LOLBAS project: LOLBAS (lolbas-project.github.io) is the community-maintained catalogue of LOLBins, […]
Advanced 30 min
M20
Initial Access — Modern Techniques in 2026
The initial-access categories:
Phishing: targeted email with malicious link or attachment.
Valid accounts: stolen / purchased credentials; password spray.
Exposed services: VPN, RDP, web-app vulnerabilities.
Supply chain: compromise a vendor; reach the target.
Drive-by compromise: malicious website; user visits and is compromised.
Removable media: USB drops, infected media.
Modern phishing — beyond Office macros: Microsoft […]
Advanced 35 min

Common questions about this track

How long will this track take me?

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience?

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications?

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
