Red Teaming Fundamentals: Mindset, Methodology, and Engagement Types
Objective: Understand what a red team engagement actually is, how it differs from vulnerability assessment and penetration testing, the adversarial mindset and methodologies that structure it, the typology of engagement formats, and how every offensive action maps back to MITRE ATT&CK to produce measurable defender value.
1. What Red Teaming Actually Is
Red teaming is objective-driven adversary simulation that tests an organization’s detection and response capability — not an exhaustive enumeration of every vulnerability. A penetration test prioritizes coverage of the attack surface; a red team engagement prioritizes realism and a targeted goal: reaching high-value assets such as executive workstations, code repositories, or financial systems while remaining undetected.
| Term | Precise Meaning |
|---|---|
| Vulnerability Assessment | Automated/semi-automated enumeration of known weaknesses; no exploitation |
| Penetration Test | Scoped, time-boxed exploitation to confirm impact; goal is coverage |
| Red Team Engagement | Objective-driven, adversary-realistic campaign testing detection & response |
| Adversary Emulation | Red team constrained to a specific threat actor’s documented TTPs, mapped to ATT&CK |
| Purple Team Exercise | Collaborative, transparent session where red and blue tune specific techniques together |
The defining trait: red team engagements deliberately do not seek full coverage. They genuinely test whether the organization can block or detect an attack chain, which is why they are the longest-running of all assessment types — stealth and patience are part of the deliverable.
2. The Adversarial Mindset
A red operator thinks objective-first, not checklist-first. Compliance testing asks “is this control present?” Adversarial thinking asks “what is the cheapest path to the crown jewels that the SOC will not see?”
Three mental anchors define the mindset:
- Objective-first — every action serves a defined goal (data, access, impact). Noise that does not advance the objective is risk.
- Stealth-conscious — assume the environment is instrumented. Prefer living-off-the-land over noisy tooling; pace operations to blend with baseline activity.
- Iterative — reconnaissance, hypothesis, action, observation, adapt. A blocked path is intelligence, not a dead end.
The premise underpinning modern engagements is assume breach: perimeter compromise is treated as inevitable, so the real measurement is how fast the defender detects and contains post-compromise activity.
3. Industry Methodologies
Red teaming inherits structure from established testing methodologies, then layers ATT&CK on top for adversary realism.
| Methodology | Focus |
|---|---|
| PTES | Seven-phase end-to-end execution model |
| OSSTMM | Operational security measurement and metrics |
| NIST SP 800-115 | Technical guide to information security testing |
PTES (Penetration Testing Execution Standard) provides the canonical seven phases:
- Pre-engagement Interactions — scope, objectives, rules of engagement, timelines, legal/compliance
- Intelligence Gathering — reconnaissance, OSINT, passive and active scanning
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting
These methodologies describe how to test; ATT&CK describes how adversaries behave. A red team uses PTES/NIST for process discipline and ATT&CK as the operating language to choose and document technique-level actions.
4. Engagement Types Deep Dive
Engagement format is chosen by organizational maturity and the question being answered.
| Engagement Type | Definition |
|---|---|
| Full Scope (Black Box) | Simulates a real attacker against the entire environment; no insider knowledge granted |
| Assumed Breach | Starts inside the network to measure post-compromise detection and containment speed |
| Objective-Based | Targets a specific outcome or asset without a full organizational assessment |
| Threat-Informed | Mirrors the TTPs of adversaries most likely to target the industry (adversary emulation) |
| Purple Team | Collaborative, shared-visibility execution with a debrief after each TTP |
In an Assumed Breach, the client grants the foothold — executing a payload, issuing a single-use VPN or VDI session, or staging a “stolen laptop” scenario — so the team skips Initial Access and focuses on post-exploitation.
Knowledge levels cut across all formats:
| Level | Information Provided |
|---|---|
| Black box | None; no insider/privileged information |
| Grey box | Limited (e.g., network diagrams, low-priv credentials, no source) |
| White box | Full system and security-control information (typical for Assumed Breach) |
Low-maturity orgs benefit most from purple or objective-based work; mature orgs with a functioning SOC gain the most from full-scope, unannounced engagements.
5. MITRE ATT&CK as the Red Team Operating Language
MITRE ATT&CK is a globally recognized knowledge base of adversary tactics and techniques built from real-world observations. It gives red and blue a common language: tactics are the adversary’s objectives, techniques are how they achieve them, and procedures are the specific implementations.
The Enterprise Matrix spans Windows, macOS, Linux, and cloud, organized into 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
ATT&CK Navigator lets teams annotate technique coverage as a JSON layer — color and score per technique — to track what was attempted, alerted, or blocked.
{
"name": "Engagement-2024 Coverage",
"domain": "enterprise-attack",
"techniques": [
{ "techniqueID": "T1566.001", "score": 100, "color": "#e60d0d", "comment": "Initial access - undetected" },
{ "techniqueID": "T1059.001", "score": 50, "color": "#fce93a", "comment": "Executed - alerted, not blocked" },
{ "techniqueID": "T1003.001", "score": 0, "color": "#31a354", "comment": "Blocked by Credential Guard" }
]
}Although ATT&CK was created to support adversary emulation, it is equally valuable to blue teams for detection, hunting, and response — which is precisely why red teams document in ATT&CK terms.
6. The Engagement Lifecycle
The Red Team Guide condenses execution into three macro-phases: gain access, establish persistence, and perform operational impact. Expanded against ATT&CK tactics, the flow is:
Pre-Engagement ──► Recon ──► Initial Access ──► Execution ──► Persistence
(RoE/SoW) (TA0043) (TA0001) (TA0002) (TA0003)
│
▼
Debrief/Report ◄── Exfiltration ◄── Collection ◄── Lateral Move ◄── Priv Esc
(ATT&CK map) (TA0010) (TA0009) (TA0008) (TA0004)Each phase produces a deliverable: pre-engagement yields the signed scope and RoE; recon yields a target profile; exploitation yields proof-of-access artifacts; reporting yields the ATT&CK-mapped findings and detection-gap backlog.
7. Rules of Engagement and Pre-Engagement
No packet is sent without written authorization. The Rules of Engagement (RoE) and Statement of Work define the legal and operational guardrails. A minimal RoE skeleton:
RULES OF ENGAGEMENT — <Client> / <Vendor>
1. Scope (in-bounds): IP ranges, domains, cloud tenants, physical sites
2. Out-of-Scope: Systems/data explicitly forbidden (e.g., prod payroll)
3. Authorized Actions: Exploitation? Lateral movement? Data exfil simulation?
4. Notification State: Announced | Unannounced (does SOC know?)
5. Deconfliction: 24/7 emergency contact, get-out-of-jail signal phrase
6. Data Handling: Treatment of sensitive data encountered mid-op
7. Engagement Window: Start/end dates, permitted hours
8. Legal Authorization: Signatures, SoW reference, indemnificationThe deconfliction channel and notification state are non-negotiable: they prevent a real incident response from spinning up against an authorized test and define whether the blue team is being tested blind.
8. Reconnaissance — Passive Versus Active
ATT&CK separates passive collection from active probing. T1596 (Search Open Technical Databases) sends no traffic to the target — it queries third-party indexes. T1595 (Active Scanning) probes victim infrastructure directly and is noisier and higher-risk.
import shodan, whois # read-only OSINT libraries
api = shodan.Shodan("<authorized-engagement-key>")
# Passive WHOIS lookup — registrar/registration metadata only
record = whois.whois("scoped-target.example")
print(record.registrar, record.creation_date)
# Query Shodan's EXISTING index — no packets sent to the target host
host = api.host("203.0.113.10")
for service in host["data"]:
print(service["port"], service["product"])Passive recon is favored early because it leaves no trace in the target’s telemetry. Active scanning is sequenced only when scope and stealth budget permit, since it surfaces in firewall and IDS logs.
9. Adversary Emulation and the Tooling Ecosystem
Threat-informed engagements use Adversary Emulation Plans — MITRE prototype documents built from public threat reports — so operators behave like a specific group (e.g., APT29, FIN7), sticking to that actor’s known TTPs with latitude in implementation.
| Tool | Role |
|---|---|
| MITRE CALDERA | Automated post-compromise emulation driven by an ATT&CK-based adversary model |
| Atomic Red Team | Library of small, focused tests mapping one-to-one to ATT&CK techniques |
| Cobalt Strike / Sliver / Havoc | C2 frameworks that simulate adversary command-and-control channels (conceptual) |
| ATT&CK Navigator | Visualizes technique coverage and compares threat profiles |
Atomic Red Team enables unit-style TTP testing. The pattern below runs a benign discovery technique on a lab VM to validate telemetry — it produces no harm:
# Lab VM only - benign discovery, no exploitation
Import-Module Invoke-AtomicRedTeam
# T1016 - System Network Configuration Discovery
Invoke-AtomicTest T1016 -ShowDetails
Invoke-AtomicTest T1016 -TestNumbers 1 # runs: ipconfig /all, route print10. Red, Blue, and Purple Team Dynamics
The mode of collaboration defines the exercise. In an unannounced red team, the blue team is blind — this measures real-world detection. In a purple team, red and blue share visibility and debrief after each TTP, maximizing tradecraft coverage and detection tuning.
| Mode | Information Sharing | Best For |
|---|---|---|
| Red (unannounced) | None until debrief | Measuring true SOC detection/response |
| Red (announced) | Blue knows test is occurring | Controlled validation, reduced IR risk |
| Purple | Full, real-time | Rapid detection engineering, low-maturity uplift |
Purple is the fastest route to closing gaps; unannounced red is the truest measure of readiness. Mature programs alternate between them.
11. Common Attacker Techniques
A red team chains techniques across tactics. A canonical illustrative chain for teaching — not a how-to — runs:
T1566.001 Spearphishing Attachment → T1059.001 PowerShell → T1003.001 LSASS Memory → T1021.002 SMB/Admin Shares → T1048.003 Exfiltration Over Non-C2 Protocol.
| Technique | Description |
|---|---|
| Phishing | Spearphishing attachment as initial access vector |
| Valid Accounts | Credential abuse; the assumed-breach entry point |
| PowerShell Execution | Most-observed Execution interpreter in intrusions |
| Process Injection | Stealth execution and defense evasion primitive |
| Credential Dumping | LSASS memory access for lateral movement material |
| Lateral Movement | SMB/admin shares to reach high-value hosts |
MITRE ATT&CK Mapping
| Technique | MITRE ID | Detection |
|---|---|---|
| Spearphishing Attachment | T1566.001 | Mail gateway, attachment sandboxing |
| Valid Accounts | T1078 | Anomalous logon, Security EID 4624 |
| PowerShell | T1059.001 | Script Block Logging EID 4104, AMSI |
| Process Injection | T1055 | Sysmon EID 7/EID 8 |
| LSASS Memory | T1003.001 | Sysmon EID 10 GrantedAccess |
| SMB/Admin Shares | T1021.002 | EID 5145, logon type 3 |
| Web Protocol C2 | T1071.001 | Sysmon EID 3, proxy logs |
| Exfil Over C2 | T1041 | Sysmon EID 3, egress volume |
12. Defensive Strategies and Detection
A red team’s value is realized only when the blue team instruments the environment to measure it. Deploy Sysmon with a tuned config and enable the relevant audit policies.
| Event ID | What It Captures |
|---|---|
Event ID 1 | Process Create — execution lineage |
Event ID 3 | Network Connection — beaconing / C2 callouts |
Event ID 7 | Image Loaded — DLL load (injection detection) |
Event ID 11 | File Create — drops to disk |
Event ID 22 | DNS Query — DNS-based C2 / tunneling |
Enable Audit Process Creation (feeds Sysmon EID 1 and Security EID 4688 with command-line logging), Audit Logon Events for credential-based lateral movement, Audit Object Access for exfiltration/persistence, and Audit Privilege Use for escalation. Key ETW providers include Microsoft-Windows-Kernel-Process, Microsoft-Windows-DNS-Client, AMSI, and Microsoft-Windows-PowerShell.
A foundational Sigma sketch for surfacing reconnaissance commands in process-creation telemetry:
title: Red Team Awareness - Host & Domain Discovery Commands
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
CommandLine|contains:
- 'ipconfig /all'
- 'route print'
- 'net group "Domain Admins"'
condition: selection
level: lowAfter the engagement, generate a coverage report and feed it into ATT&CK Navigator to drive a prioritized detection backlog:
TACTICS = {
"T1596": "Reconnaissance", "T1566.001": "Initial Access",
"T1059.001": "Execution", "T1003.001": "Credential Access",
"T1021.002": "Lateral Movement", "T1041": "Exfiltration",
}
detected = {"T1059.001", "T1003.001"} # techniques the SOC alerted on
for tid, tactic in TACTICS.items():
status = "HIT" if tid in detected else "GAP"
print(f"[{status}] {tactic:20} {tid}")Adopt an assume-breach posture: segment networks so lateral movement is detectable and costly, enable PowerShell Script Block Logging via GPO, and turn on command-line auditing. Map successful detections and missed techniques back to the ATT&CK matrix to build the remediation backlog.
13. Tools for Red Team Operations
| Tool | Description | Link |
|---|---|---|
| MITRE CALDERA | Automated ATT&CK-based adversary emulation | caldera.mitre.org |
| Atomic Red Team | Unit tests per ATT&CK technique | atomicredteam.io |
| ATT&CK Navigator | Coverage visualization and planning | attack.mitre.org |
| Sysmon | Deep process/network/file telemetry | sysinternals.com |
| Sigma | Vendor-agnostic detection rule format | sigmahq.io |
| Volatility | Memory forensics for post-engagement analysis | volatilityfoundation.org |
Summary
- Red teaming is objective-driven adversary simulation that measures detection and response — not exhaustive vulnerability enumeration.
- The adversarial mindset is objective-first, stealth-conscious, and iterative, anchored on an assume-breach premise.
- Engagement type (full scope, assumed breach, objective-based, threat-informed, purple) is chosen by organizational maturity and the question being asked.
- MITRE ATT&CK’s 14 tactics provide the common language that lets red document operations and blue translate findings into detections.
- Every offensive TTP is paired with Sysmon/audit telemetry and an ATT&CK-mapped debrief that produces a prioritized detection-gap backlog.
Related Tutorials
- Building a Red Team Lab: Infrastructure, VMs, and C2 Setup
- Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
- OPSEC Principles for Red Teamers: Staying Undetected
- Phishing Campaign Design: Pretexting, Lures, and Target Profiling
- Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
References
- Get Started: Adversary Emulation and Red Teaming | MITRE ATT&CK®
- Adversary Emulation Plans | MITRE ATT&CK®
- Azure Security Control: Penetration Tests and Red Team Exercises | Microsoft Learn
- Microsoft AI Red Team: Building the Future of Safer AI | Microsoft Security Blog
- Getting Started with ATT&CK: Adversary Emulation and Red Teaming | MITRE ATT&CK® (Medium)
- Planning Red Teaming for Large Language Models and Their Applications | Microsoft Learn