thinking-red-team
Red Team Thinking
Overview
Red teaming is adversarial security review: deliberately attacking a system you control to find vulnerabilities before an attacker does. This skill is scoped to security/code vulnerability detection — it is NOT for plan stress-testing or decision challenge (use thinking-pre-mortem or thinking-steel-manning for those).
The anti-fabrication gate is the most important rule: every reported finding MUST include a concrete, reproducible attack path — entry point → exact steps → realized impact. If you cannot describe how the attack actually executes against this code/config, it is not a finding. Drop it. A short report of real, demonstrable vulnerabilities beats a long list of speculation.
Core Principle: Attack yourself before others do. But only report what you can actually break.
When to Use
- Security review of code, authentication, authorization, APIs, or infrastructure you control
- Pre-launch security hardening of a system that handles auth, data, or money
- Evaluating whether a specific vulnerability class (injection, XSS, auth bypass, etc.) is present in your code
Decision flow: