Inside a Modern Red Team Engagement
A penetration test asks how many holes exist. A red team asks a sharper question: given a real objective and a thinking adversary, can your people, process, and technology actually stop them? Here is what that looks like from the inside.
Red teaming is goal-based adversary emulation. Instead of enumerating every vulnerability in a scope, a red team is handed an objective - "obtain domain admin," "exfiltrate the customer database," "prove you can move funds" - and told to achieve it the way a determined attacker would, while staying stealthy and testing whether the defenders notice.
What red teaming is
The point is not a longer bug list. It is an honest measure of your detection and response capability against realistic tradecraft. A red team deliberately blends people, process, and technology into the attack surface: a convincing phishing email, a misconfigured share, a forgotten service account, and a blind spot in the SOC can chain into a breach that no single vulnerability scan would ever surface.
A pentest tells you your locks are pickable. A red team tells you nobody was watching the door while it happened.
Red team vs penetration test
| Penetration Test | Red Team | |
|---|---|---|
| Driver | Coverage of a scope | A specific objective |
| Visibility | Defenders usually informed | Defenders usually blind (double-blind) |
| Stealth | Not a priority | Central - evasion is graded |
| Scope | Defined systems | Often full-scope: people, physical, cloud |
| Measures | Vulnerabilities | Time-to-detect, time-to-respond |
Objectives and rules of engagement
Every engagement starts with tightly written rules of engagement: the crown-jewel objectives, off-limits systems, legal authorization, de-confliction contacts, and a "get out of jail" letter for the operators. Emulation can be mapped to a specific real-world adversary (a ransomware crew, a nation-state group) so the tradecraft is representative rather than generic.
Authorization is everything. The only thing separating red teaming from a genuine intrusion is signed, scoped, lawful permission. No letter, no operation.
The attack lifecycle
Modern red teams follow the same kill chain a real intruder would:
- Reconnaissance. OSINT on the org, employees, tech stack, and exposed assets - the raw material for a believable pretext.
- Initial access. Usually the human layer: spear-phishing, a malicious document, credential stuffing, or an exposed service.
- Foothold & C2. Establish resilient, low-noise command-and-control that survives reboots and blends into normal traffic.
- Privilege escalation. Move from a standard user to local admin, then toward domain or cloud admin.
- Lateral movement. Pivot host to host, harvesting credentials and mapping the internal terrain.
- Objective & exfiltration. Reach the crown jewels and demonstrate impact - a controlled proof, never real damage.
At every step the team asks a second question the attacker never would: did a control fire, did an alert trigger, and did anyone act on it?
TTPs and MITRE ATT&CK
Findings are mapped to MITRE ATT&CK - the industry catalogue of adversary Tactics, Techniques, and Procedures. Mapping matters because it turns a narrative ("we got in via a macro and dumped LSASS") into measurable coverage: which techniques your defences detected, which they missed, and exactly where to invest. It gives the blue team a to-do list expressed in the same language attackers use.
Purple teaming: the payoff
The real value is realised when red and blue sit together afterward. In a purple team exercise the operators replay each technique while defenders watch their tooling, tune detections, and confirm the gap is closed - live. You do not just learn that an attack succeeded; you leave with a hardened SIEM rule, a new EDR detection, and a measured drop in time-to-detect.
Key takeaways
- Red teaming measures detection and response, not just vulnerabilities.
- It is objective-driven, stealthy, and usually blind to the defenders.
- MITRE ATT&CK turns the story into a measurable coverage map.
- The purple-team debrief is where the money is made - replay, tune, verify.
SusPhisious runs continuous phishing simulations and security awareness training to measurably reduce employee risk across your organisation.