Red Teaming

Inside a Modern Red Team Engagement

A penetration test asks how many holes exist. A red team asks a sharper question: given a real objective and a thinking adversary, can your people, process, and technology actually stop them? Here is what that looks like from the inside.

UUnnbugify Security Team February 5, 2026 10 min read

Red teaming is goal-based adversary emulation. Instead of enumerating every vulnerability in a scope, a red team is handed an objective - "obtain domain admin," "exfiltrate the customer database," "prove you can move funds" - and told to achieve it the way a determined attacker would, while staying stealthy and testing whether the defenders notice.

What red teaming is

The point is not a longer bug list. It is an honest measure of your detection and response capability against realistic tradecraft. A red team deliberately blends people, process, and technology into the attack surface: a convincing phishing email, a misconfigured share, a forgotten service account, and a blind spot in the SOC can chain into a breach that no single vulnerability scan would ever surface.

A pentest tells you your locks are pickable. A red team tells you nobody was watching the door while it happened.

Red team vs penetration test

Penetration TestRed Team
DriverCoverage of a scopeA specific objective
VisibilityDefenders usually informedDefenders usually blind (double-blind)
StealthNot a priorityCentral - evasion is graded
ScopeDefined systemsOften full-scope: people, physical, cloud
MeasuresVulnerabilitiesTime-to-detect, time-to-respond

Objectives and rules of engagement

Every engagement starts with tightly written rules of engagement: the crown-jewel objectives, off-limits systems, legal authorization, de-confliction contacts, and a "get out of jail" letter for the operators. Emulation can be mapped to a specific real-world adversary (a ransomware crew, a nation-state group) so the tradecraft is representative rather than generic.

Authorization is everything. The only thing separating red teaming from a genuine intrusion is signed, scoped, lawful permission. No letter, no operation.

The attack lifecycle

Modern red teams follow the same kill chain a real intruder would:

  1. Reconnaissance. OSINT on the org, employees, tech stack, and exposed assets - the raw material for a believable pretext.
  2. Initial access. Usually the human layer: spear-phishing, a malicious document, credential stuffing, or an exposed service.
  3. Foothold & C2. Establish resilient, low-noise command-and-control that survives reboots and blends into normal traffic.
  4. Privilege escalation. Move from a standard user to local admin, then toward domain or cloud admin.
  5. Lateral movement. Pivot host to host, harvesting credentials and mapping the internal terrain.
  6. Objective & exfiltration. Reach the crown jewels and demonstrate impact - a controlled proof, never real damage.

At every step the team asks a second question the attacker never would: did a control fire, did an alert trigger, and did anyone act on it?

TTPs and MITRE ATT&CK

Findings are mapped to MITRE ATT&CK - the industry catalogue of adversary Tactics, Techniques, and Procedures. Mapping matters because it turns a narrative ("we got in via a macro and dumped LSASS") into measurable coverage: which techniques your defences detected, which they missed, and exactly where to invest. It gives the blue team a to-do list expressed in the same language attackers use.

Purple teaming: the payoff

The real value is realised when red and blue sit together afterward. In a purple team exercise the operators replay each technique while defenders watch their tooling, tune detections, and confirm the gap is closed - live. You do not just learn that an attack succeeded; you leave with a hardened SIEM rule, a new EDR detection, and a measured drop in time-to-detect.

Key takeaways

  • Red teaming measures detection and response, not just vulnerabilities.
  • It is objective-driven, stealthy, and usually blind to the defenders.
  • MITRE ATT&CK turns the story into a measurable coverage map.
  • The purple-team debrief is where the money is made - replay, tune, verify.
Concerned about phishing and human risk?

SusPhisious runs continuous phishing simulations and security awareness training to measurably reduce employee risk across your organisation.

Learn about SusPhisious
U
Unnbugify Security Team
Offensive Security Research, Unnbugify Technologies

The Unnbugify team delivers VAPT, red teaming, and continuous security testing for organisations worldwide. We publish field notes from real engagements to help defenders stay ahead of attackers.