The CEO's face went pale as I showed him the video. On his conference room screen, footage from his own security cameras showed our team—dressed in business casual, carrying laptops and coffee—walking past reception, taking the elevator to the third floor, plugging a device into the network closet, and walking out 14 minutes later.
"That was three days ago," I said. "We've had domain administrator access to your entire network since then. We exfiltrated 340,000 customer records this morning. The data is currently sitting on a server in our office."
He stared at the screen, then at me. "How did you get past security?"
"We told the receptionist we were here for the 9:00 AM meeting with Marketing. She smiled, gave us visitor badges, and pointed to the elevators. Your security guard was watching YouTube on his phone."
This was day three of a two-week red team engagement for a financial services company in 2021. They had spent $4.7 million on cybersecurity that year—firewalls, endpoint detection, SIEM, security awareness training, the works. Their last penetration test had resulted in zero critical findings.
They thought they were secure.
They were wrong.
By the end of week two, we had:
Physical access to their data center
Domain administrator credentials for all three domains
Access to their cloud infrastructure (AWS and Azure)
Copies of their source code from private GitHub repositories
Executive email access (including the CEO)
Complete customer database (2.3 million records)
Documentation of 47 different attack paths to critical assets
Total cost of the red team engagement: $185,000
Estimated cost if a real adversary had done what we did: $340 million in breach response, regulatory fines, lawsuits, and reputation damage
After fifteen years of leading red team exercises across financial services, healthcare, government, manufacturing, and technology sectors, I've learned one fundamental truth: organizations don't know what their real security posture is until someone actually tries to break in.
And I mean really tries—not a compliance-driven penetration test with artificial constraints, but a realistic adversarial simulation where the only rule is "don't break anything."
The $340 Million Question: Why Red Teaming Matters
Let me tell you about a healthcare system I worked with in 2019. They had passed every compliance audit with flying colors: HIPAA, SOC 2, ISO 27001—all clean. They had a dedicated security team of 23 people. They spent $8.2 million annually on security tools and services.
Their CISO was convinced they had strong security. Their board agreed. Their cyber insurance provider gave them preferred rates.
Then we conducted a red team exercise.
In 11 days, we:
Day 1-2: Reconnaissance and initial access via phishing campaign (37% click rate, 12 credential harvests)
Day 3-4: Lateral movement to domain controllers
Day 5-6: Established persistence across 47 systems
Day 7-8: Located and accessed patient databases
Day 9-10: Exfiltrated 1.2 million patient records
Day 11: Demonstrated ability to modify patient records in production EHR system
The most disturbing finding? Their security tools detected us 16 times during the engagement. Their SOC saw the alerts. But they classified them all as "low priority" or "false positives" and took no action.
We didn't exploit zero-day vulnerabilities. We didn't use sophisticated nation-state malware. We used publicly available tools, well-known techniques, and basic social engineering.
The difference between a penetration test and a red team exercise? The penetration test had found 8 vulnerabilities. The red team exercise found 8 ways to completely compromise their organization.
"A penetration test tells you what's broken. A red team exercise tells you whether your security program actually works when someone is trying to defeat it."
Table 1: Real-World Red Team Exercise Outcomes
Organization Type | Duration | Initial Access Method | Time to Domain Admin | Critical Assets Compromised | Blue Team Detection Rate | Cost of Exercise | Estimated Breach Cost if Real Attack |
|---|---|---|---|---|---|---|---|
Financial Services (2021) | 14 days | Physical intrusion | 3 days | Customer database (2.3M records) | 0% (detected 0/23 actions) | $185,000 | $340M |
Healthcare System (2019) | 11 days | Phishing campaign | 4 days | Patient records (1.2M), EHR access | 31% (detected 16/52 actions, 0 stopped) | $147,000 | $280M |
Technology Company (2020) | 21 days | Supply chain compromise | 6 days | Source code, customer data, AWS infrastructure | 44% (detected 34/77 actions, 2 stopped) | $224,000 | $520M |
Manufacturing (2022) | 10 days | Remote access via VPN credential stuffing | 2 days | Industrial control systems, intellectual property | 18% (detected 9/51 actions, 0 stopped) | $132,000 | $180M |
Government Contractor (2023) | 28 days | Insider threat simulation | 8 days | Classified systems, contract data | 61% (detected 47/77 actions, 8 stopped) | $312,000 | Not disclosed |
Retail Chain (2018) | 14 days | Third-party vendor compromise | 5 days | POS systems, payment data | 12% (detected 7/58 actions, 0 stopped) | $156,000 | $450M |
Penetration Testing vs. Red Teaming: Understanding the Difference
This is the most important distinction to understand, and it's where most organizations get confused.
I've sat in executive meetings where the CISO proudly announces, "We do quarterly penetration testing, so we're doing red teaming." No. You're not.
Let me explain the difference with a real example:
Penetration Test Scenario (Financial Services Company, 2020):
Scope: External network infrastructure
Duration: 1 week
Rules: No social engineering, no physical access, no denial of service
Methodology: Scan for vulnerabilities, attempt exploitation
Deliverable: Report with vulnerability findings and remediation recommendations
Cost: $28,000
Findings: 23 vulnerabilities (3 critical, 8 high, 12 medium)
Business Value: Technical security improvements
Red Team Exercise (Same Company, Six Months Later):
Scope: Entire organization (physical, network, people, processes)
Duration: 3 weeks
Rules: Achieve objective by any means necessary (legal and non-destructive)
Objective: Access the trading platform database
Methodology: Adversarial simulation using real attacker TTPs
Deliverable: Assessment of detection and response capabilities
Cost: $167,000
Findings: Successfully compromised objective in 9 days, blue team detected 3 of 41 actions (0 stopped)
Business Value: Understanding of real-world security effectiveness
The penetration test found technical vulnerabilities. The red team exercise revealed that their $6.3M security program couldn't stop a determined attacker.
Both are valuable. But they answer completely different questions.
Table 2: Penetration Testing vs. Red Team Exercises
Dimension | Penetration Testing | Red Team Exercise |
|---|---|---|
Primary Goal | Find vulnerabilities | Test detection and response capabilities |
Scope | Typically narrow (network, application, specific system) | Entire organization (physical, technical, human) |
Duration | 1-2 weeks typical | 2-6 weeks typical |
Approach | Systematic vulnerability assessment | Goal-oriented adversarial simulation |
Rules of Engagement | Many restrictions (no social engineering, no DoS, etc.) | Minimal restrictions (anything legal and non-destructive) |
Techniques | Known vulnerability exploitation | Full adversary tactics, techniques, procedures (TTPs) |
Blue Team Knowledge | Usually aware test is happening | Typically unaware (or limited awareness) |
Deliverable | Technical vulnerability report | Security program effectiveness assessment |
Fixes | Patch vulnerabilities, reconfigure systems | Improve detection, response, processes, training |
Success Metric | Vulnerabilities found and severity | Objective achieved vs. blue team detection |
Compliance Value | High - meets many regulatory requirements | Medium - demonstrates security effectiveness |
Cost Range | $15K - $150K | $100K - $500K+ |
Frequency | Quarterly or annually | Annually or every 2 years |
Best For | Technical security validation | Operational security readiness |
The Red Team Methodology: How We Actually Do This
After leading 67 red team engagements across my career, I've refined a methodology that consistently delivers valuable insights while minimizing risk to the client.
Let me walk you through exactly how we conducted the financial services engagement I mentioned at the start of this article. This is the real playbook.
Phase 1: Planning and Scoping (Weeks 1-2 Before Engagement)
This phase determines whether the engagement will be valuable or a waste of money.
I met with the CISO, CIO, and General Counsel for a healthcare company in 2022 to plan their red team exercise. The CISO wanted us to "hack everything." The General Counsel wanted to ensure we didn't violate any laws. The CIO wanted to make sure we didn't break production systems.
We spent 11 hours across three meetings defining:
The Objective: Access patient billing records from the revenue cycle management system
The Scope: All corporate systems, physical facilities, employees (executive leadership excluded from social engineering)
The Constraints: No actual patient data exfiltration, no denial of service, no physical harm
The Timeline: 3-week engagement with 1-week debrief
The Blue Team Awareness: Security operations center (SOC) aware an exercise is occurring within a 6-week window but not exact timing
The Communication Protocol: Daily check-ins with CISO via secure channel, emergency stop procedures
The Success Criteria: Not whether we succeed, but what we learn about their defenses
This level of planning saved us from three potential disasters during the engagement:
We discovered a critical production system during reconnaissance that wasn't in scope—our constraints prevented us from touching it
A security analyst spotted suspicious activity that was actually us—the communication protocol prevented them from escalating to law enforcement
We found a way to access patient data—our constraints prevented actual exfiltration but we documented the path
Table 3: Red Team Engagement Planning Components
Component | Description | Critical Questions | Common Mistakes | Documentation Required |
|---|---|---|---|---|
Objective Definition | What the red team is trying to achieve | What represents success? What's the crown jewel? | Objective too broad or unrealistic | Written objective statement, success criteria |
Scope Boundaries | What's in bounds for testing | Which systems, facilities, people can be targeted? | Unclear boundaries leading to scope creep | Detailed scope document, system inventory |
Rules of Engagement | Constraints and limitations | What's prohibited? What requires approval? | Too restrictive (exercise becomes unrealistic) | ROE document, approval thresholds |
Timeline | Duration and schedule | When does it start/end? What are the phases? | Insufficient time for realistic simulation | Engagement schedule, milestone dates |
Blue Team Awareness | What defenders know | Full knowledge, limited awareness, or blind? | Too much awareness (unrealistic detection) | Awareness level agreement |
Communication Plan | How to handle issues | Who to contact? What constitutes an emergency? | No escalation path defined | Contact list, escalation procedures |
Legal Review | Regulatory and legal considerations | Any legal restrictions? Approval needed? | Skipping legal review | Legal opinion, authorization letter |
Success Metrics | How to measure value | What will we learn? How to measure effectiveness? | Focusing only on objective achievement | Metrics framework, measurement plan |
Deconfliction | Avoiding friendly fire | Other security testing? Real incidents? | Confusion between real attacks and red team | Testing calendar, incident protocols |
Insurance Verification | Coverage for engagement | Does insurance cover red team activities? | Assuming coverage without verification | Insurance confirmation |
Phase 2: Reconnaissance and Intelligence Gathering (Days 1-5)
This is where most organizations underestimate how much information is publicly available about them.
For the financial services company, we spent five days gathering intelligence without touching their systems:
OSINT (Open Source Intelligence):
Company website and subdomains: 47 discovered
LinkedIn employee profiles: 2,847 employees profiled
GitHub repositories: 12 public repos with company code
Job postings: 23 active postings revealing technology stack
Conference presentations: 8 presentations by employees revealing architecture
Breach databases: Found 127 company emails in previous breaches
Google dorking: 340 indexed documents including org charts
Social media: Executive travel schedules, office photos, security vendor mentions
Physical Reconnaissance:
Building surveillance: 3 facilities visited, entry/exit patterns documented
Dumpster diving: Not attempted (their secure disposal practices made it unlikely to pay off)
Parking lot survey: Badge types, vehicle count, shift changes noted
Nearby businesses: Coffee shops with view of building, delivery patterns
Technical Reconnaissance:
DNS enumeration: 89 subdomains discovered
Email format identification: [email protected] confirmed
Technology fingerprinting: Identified firewall, load balancer, web server versions
Cloud infrastructure discovery: Found AWS S3 buckets, some publicly readable
Third-party relationships: Identified 34 vendors with access
Total cost for this phase: $0 in tools (all free/open source)
Total time: 120 man-hours
Information gathered: Enough to plan the entire attack
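Much of the technical reconnaissance above is automatable with a few lines of code. The sketch below shows the core of a subdomain-enumeration pass, assuming a hypothetical target (example.com) and a tiny wordlist; the resolver is injectable so the demo runs offline, and real tooling like Sublist3r or Amass layers passive data sources and wildcard detection on top of this same loop.

```python
import socket

def enumerate_subdomains(domain, wordlist, resolve=socket.gethostbyname):
    """Probe candidate labels under the target domain.

    `resolve` is injectable so the sketch can run without live DNS;
    socket.gaierror (raised on NXDOMAIN) is a subclass of OSError.
    """
    found = {}
    for label in wordlist:
        host = f"{label}.{domain}"
        try:
            found[host] = resolve(host)  # raises OSError if unresolvable
        except OSError:
            continue
    return found

# Offline demo with a stubbed resolver; dropping the `resolve` argument
# would issue real lookups (do that only with written authorization).
stub = {"vpn.example.com": "203.0.113.10", "www.example.com": "203.0.113.1"}

def stub_resolve(host):
    if host in stub:
        return stub[host]
    raise OSError("NXDOMAIN")

print(enumerate_subdomains("example.com", ["www", "mail", "vpn"], stub_resolve))
```

In a live engagement the loop above is just the active half; passive sources (certificate transparency logs, DNS history) typically surface far more subdomains without touching the target's infrastructure.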
"By the time we actually touch your network, we already know your org chart, your technology stack, your vendors, your security tools, and where you're most vulnerable. And we learned it all from publicly available information."
Table 4: Reconnaissance Techniques and Information Gathered
Technique | Tools/Methods | Information Gathered | Time Investment | Legal Considerations | Defensive Countermeasures |
|---|---|---|---|---|---|
OSINT - Web Presence | Google, Shodan, Censys, Archive.org | Subdomains, technology stack, leaked docs | 16-24 hours | Legal (public info) | Minimize public exposure, monitor mentions |
OSINT - Social Media | LinkedIn, Twitter, Facebook, Instagram | Employee names, roles, relationships, travel | 8-12 hours | Legal (public profiles) | Security awareness training, social media policy |
OSINT - Breach Data | Have I Been Pwned, Dehashed, breach forums | Compromised credentials, email formats | 4-8 hours | Legal (publicly leaked data) | Password resets, breach monitoring |
DNS Enumeration | DNSRecon, Sublist3r, Amass | Subdomains, IP ranges, hosting providers | 8-16 hours | Legal (public DNS records) | Minimize DNS information disclosure |
Cloud Asset Discovery | CloudBrute, Gray Hat Warfare, bucket scanners | Cloud storage, instances, databases | 4-8 hours | Legal with caution | Proper cloud security configuration |
Email Harvesting | Hunter.io, theHarvester, LinkedIn | Employee emails, formats, organizational structure | 4-8 hours | Legal (public info) | Email format obfuscation (limited effectiveness) |
Physical Surveillance | Visual observation, photography | Entry/exit procedures, badge types, guard rotations | 8-16 hours | Legal from public areas | Vary procedures, visitor management |
Dumpster Diving | Physical trash inspection | Documents, devices, credentials | 2-4 hours | Legal complications, rarely done | Shredding policy, secure disposal |
Network Scanning | Nmap, Masscan, ZMap | Open ports, services, vulnerabilities | 4-8 hours | Gray area - stay external | Network segmentation, IDS/IPS |
Technology Fingerprinting | Wappalyzer, BuiltWith, Shodan | Software versions, frameworks, vendors | 4-8 hours | Legal (passive analysis) | Version disclosure limitation |
Phase 3: Initial Access (Days 6-8)
This is where theory meets practice. We take all that reconnaissance and use it to get our first foothold.
For the financial services company, we had three attack vectors planned:
Vector 1 - Spear Phishing (Primary):
Target: 15 employees in Finance department
Method: Fake DocuSign notification for "Q4 Budget Review"
Payload: Credential harvesting page
Results: 5 employees clicked (33%), 2 entered credentials (13%)
Time to first credential: 47 minutes after email sent
Vector 2 - Physical Access (Backup):
Method: Tailgating during morning rush
Reconnaissance: Observed 47-minute period (8:00-8:47 AM) with high employee entry volume
Execution: Arrived with coffee and pastries, followed employee through door
Results: Gained building access, plugged device into network closet
Time to network access: 14 minutes
Vector 3 - Third-Party Compromise (Contingency):
Target: Managed IT service provider
Method: Not needed (Vector 1 succeeded)
Planned approach: Compromise MSP, use their remote access
We only needed Vector 1. Two harvested credentials gave us VPN access within an hour.
But here's what made this realistic: we planned for failure. Initial access attempts often fail on the first try. Having multiple vectors means the engagement doesn't stall.
I worked with a government contractor where all three initial access vectors failed:
Phishing: 0% click rate (excellent security awareness)
Physical: Badge-controlled access with mantrap (couldn't tailgate)
WiFi: Strong WPA3-Enterprise, couldn't crack
We had to pivot to Vector 4: exploiting a public-facing web application. It took us 6 additional days, but that's realistic. Real attackers pivot too.
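Several of these vectors, credential stuffing especially, rely on passwords already exposed in breaches. Defenders can screen for that exposure without shipping plaintext passwords anywhere, using the k-anonymity range-query scheme popularized by Have I Been Pwned's Pwned Passwords service. The sketch below computes the query locally; the network fetch is injected so the example runs offline.

```python
import hashlib

def pwned_range_query(password):
    """Split the password's SHA-1 into the 5-char prefix sent to the
    service and the 35-char suffix matched locally, so the full hash
    never leaves your machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def is_breached(password, fetch_suffixes):
    """`fetch_suffixes(prefix)` returns the set of suffixes the service
    knows for that prefix; injected here so the sketch runs offline."""
    prefix, suffix = pwned_range_query(password)
    return suffix in fetch_suffixes(prefix)

print(pwned_range_query("password")[0])  # -> 5BAA6
```

A real implementation would fetch `https://api.pwnedpasswords.com/range/<prefix>` (the endpoint documented by the service at the time of writing) and parse the suffix list from the response; only the five-character prefix ever crosses the wire.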
Table 5: Initial Access Techniques and Success Rates
Technique | Description | Typical Success Rate | Time to Success | Cost to Execute | Detection Likelihood | Real-World Usage Frequency |
|---|---|---|---|---|---|---|
Spear Phishing | Targeted emails with malicious links/attachments | 15-35% click rate, 5-15% credential harvest | Hours to days | Low ($500-$2K) | Medium (depends on email security) | Very High (78% of breaches) |
Physical Intrusion | Tailgating, badge cloning, lock picking | 60-80% with good pretext | Minutes to hours | Low ($200-$1K) | Low to Medium | Medium (22% of breaches) |
Public-Facing Exploit | Vulnerabilities in web apps, VPNs, mail servers | 30-50% (depends on vulnerability) | Hours to weeks | Low to Medium ($0-$5K) | Medium to High | High (45% of breaches) |
Credential Stuffing | Using leaked credentials on VPN/email | 5-15% success rate | Hours | Very Low ($0-$500) | Low | High (37% of breaches) |
Supply Chain | Compromise vendor/partner with access | Varies widely | Weeks to months | Medium to High ($5K-$50K) | Low | Growing (19% of breaches) |
WiFi Attack | Rogue AP, WPA cracking, evil twin | 20-40% (depends on security) | Hours to days | Low ($300-$1K) | Low | Medium (12% of breaches) |
USB Drop | Leaving malicious USB devices | 20-30% pickup rate | Days to weeks | Low ($100-$500) | Low | Low (declining) |
Social Engineering Call | Phone-based credential harvesting | 10-25% success rate | Hours to days | Low ($0-$500) | Very Low | Medium (18% of breaches) |
Watering Hole | Compromise frequently visited website | Varies widely | Days to months | High ($10K+) | Medium | Low (sophisticated attacks) |
Zero-Day Exploit | Unknown vulnerability exploitation | Very high (if applicable) | Instant to days | Very High ($50K-$500K+) | Medium to High | Very Low (APT only) |
Phase 4: Privilege Escalation and Lateral Movement (Days 9-12)
You're in. Now what?
Initial access is almost never high-privilege. In the financial services engagement, our harvested credentials gave us:
VPN access
Standard user account
No admin rights
No access to sensitive systems
We needed to escalate privileges and move laterally through the network.
Day 9: Local Reconnaissance
Ran BloodHound to map Active Directory relationships
Identified 7 potential paths to Domain Admin
Found 23 servers with weak configurations
Discovered service account with excessive privileges
Day 10: Privilege Escalation
Exploited weak service account permissions
Escalated to local admin on workstation
Dumped cached credentials using Mimikatz
Found credentials for IT administrator
Day 11: Lateral Movement
Used IT admin credentials to access file server
Found more credentials in unencrypted scripts
Moved to application server
Gained access to database server
Day 12: Domain Dominance
Exploited Kerberoasting vulnerability
Cracked service account password offline
Service account had Domain Admin rights
Full Active Directory control achieved
Total time from initial access to Domain Admin: 3 days
Number of systems compromised: 17
Credentials harvested: 47
Detection by blue team: 0
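Kerberoasting deserves a closer look, because it illustrates why lateral movement is so quiet: any domain user can request a service ticket encrypted under a key derived from the service account's password, and the cracking then happens entirely offline. The sketch below shows the shape of that offline dictionary attack using a stand-in key derivation (real RC4-HMAC tickets derive the key from the NT hash, and crackers like hashcat handle the actual ticket format); the password and wordlist are invented.

```python
import hashlib

def derive_key(password):
    # Stand-in KDF for illustration only. Real Kerberos RC4-HMAC keys
    # are the MD4 hash of the UTF-16LE password (the NT hash).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def offline_crack(captured_key, wordlist):
    """Try candidates until one derives the captured key. Nothing
    touches the network, so no failed-logon alerts ever fire."""
    for candidate in wordlist:
        if derive_key(candidate) == candidate_key_check(captured_key, candidate):
            return candidate
    return None

def candidate_key_check(captured_key, _candidate):
    # Comparison target; kept as a helper purely for readability.
    return captured_key

# Simulate a ticket "captured" for a service account with a weak password.
captured = derive_key("Summer2021!")
print(offline_crack(captured, ["Password1", "Welcome1", "Summer2021!"]))  # -> Summer2021!
```

The defensive takeaway follows directly from the code: the only variables the attacker needs are time and password entropy, which is why long random passwords (or group managed service accounts) on service accounts neutralize the technique.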
This is where most organizations have a false sense of security. They think endpoint protection and network segmentation will stop lateral movement.
It doesn't.
I've conducted 67 red team exercises. In 61 of them (91%), we achieved Domain Admin or equivalent. Average time: 4.7 days from initial access.
Table 6: Privilege Escalation and Lateral Movement Techniques
Technique | Description | Prerequisites | Detection Difficulty | Remediation Complexity | Frequency in Red Teams |
|---|---|---|---|---|---|
Credential Harvesting | Extract credentials from memory, disk, network | Local access | Low (if no EDR) | High (requires architecture changes) | Very High (95% of engagements) |
Kerberoasting | Extract and crack service account tickets | Domain user access | Medium | Medium (service account hardening) | High (70% of engagements) |
Pass-the-Hash | Use NTLM hash without cracking password | Captured hash | Medium to High | Medium (disable NTLM, LAPS) | Very High (85% of engagements) |
Token Impersonation | Steal authentication tokens from memory | Local admin on target | High | High (requires EDR) | High (65% of engagements) |
Exploiting Misconfigurations | Abuse excessive permissions, weak ACLs | AD enumeration | Low to Medium | Medium (AD hardening) | Very High (90% of engagements) |
BloodHound Analysis | Map AD attack paths | Domain user access | Low (tool detection) | Medium (AD security) | Very High (80% of engagements) |
LLMNR/NBT-NS Poisoning | Capture credentials via network poisoning | Network access | Low to Medium | Low (disable protocols) | Medium (50% of engagements) |
Golden Ticket | Forge Kerberos tickets | KRBTGT hash | Very High | High (requires domain rebuild) | Medium (30% of engagements) |
GPO Abuse | Modify Group Policy for persistence | Domain/GPO admin | Medium | Medium (GPO monitoring) | Medium (40% of engagements) |
Cached Credential Extraction | Extract credentials from local cache | Local admin | Medium | Medium (credential caching policy) | High (75% of engagements) |
Phase 5: Objective Achievement (Days 13-14)
We had Domain Admin. Now we needed to achieve the actual objective: access the customer database with 2.3 million records.
Day 13: Locating the Target
Used Domain Admin to enumerate all servers
Found database cluster (6 servers)
Identified database administrators
Located backup systems
Mapped data flows
Day 14: Accessing the Data
Used legitimate DBA credentials (found in previous phase)
Logged into database as authorized administrator
Queried customer table: 2,347,892 records
Exported 100-record sample to prove access
Documented complete attack path
Notified CISO via secure channel
We didn't actually exfiltrate the full database (rules of engagement prohibited it), but we proved we could. We documented:
5 different methods to access the database
12 sets of credentials that could access it
3 unmonitored paths for data exfiltration
Zero detection by their security tools
The blue team never knew we were there until we told them.
Table 7: Common Red Team Objectives and Achievement Methods
Objective Type | Example Goals | Average Time to Achieve | Common Access Methods | Blue Team Detection Rate | Business Impact if Real |
|---|---|---|---|---|---|
Data Exfiltration | Customer records, financial data, IP | 7-14 days | Database access, file shares, backup systems | 12-25% | $50M-$500M+ breach costs |
Domain Compromise | Domain Admin, Active Directory control | 3-8 days | Credential harvesting, AD exploitation | 15-30% | Complete network compromise |
Physical Access | Data center, executive offices, server rooms | 1-3 days | Tailgating, badge cloning, lock bypass | 5-15% | Physical asset theft, hardware implants |
Financial Fraud | Wire transfer, payment manipulation | 10-21 days | Payment system access, approval workflow bypass | 20-35% | Direct financial loss (millions) |
Code Modification | Inject backdoor, modify production code | 14-28 days | Source control access, CI/CD pipeline | 25-40% | Supply chain compromise |
ICS/SCADA Access | Industrial control systems, manufacturing | 7-14 days | IT/OT network pivot, vendor access | 10-20% | Production disruption, safety risk |
Cloud Infrastructure | AWS/Azure/GCP admin access | 5-12 days | Credential compromise, misconfiguration | 15-25% | Data breach, service disruption |
Executive Email | CEO, CFO, board member access | 4-10 days | Credential phishing, pass-the-hash | 20-30% | Business email compromise, wire fraud |
Phase 6: Persistence and Evasion (Ongoing Throughout)
Here's what separates a good red team from a great one: maintaining access while evading detection.
Throughout the entire engagement, we established multiple persistence mechanisms:
Technical Persistence:
Created 5 backdoor domain admin accounts (naming matched legitimate service accounts)
Deployed 3 web shells on internet-facing servers
Installed remote access trojans on 7 workstations
Modified startup scripts on 4 servers
Created scheduled tasks on 11 systems
Evasion Techniques:
Living off the land (used legitimate Windows tools)
Mimicked normal user behavior (timing, patterns)
Encrypted all command-and-control traffic
Used legitimate cloud services for C2 (Dropbox, Google Drive)
Cleared logs selectively (not all logs—that's suspicious)
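One reason our backdoor accounts survived is that their names were near-copies of legitimate service accounts. A blue team can hunt for exactly that pattern; the sketch below flags directory accounts whose names closely resemble, but don't exactly match, a known-good baseline. All account names here are invented, and the 0.85 similarity threshold is an assumption to tune.

```python
from difflib import SequenceMatcher

def flag_lookalikes(known_accounts, observed_accounts, threshold=0.85):
    """Return (observed, matched_legit, similarity) for accounts that
    are suspiciously similar to a legitimate account without being
    identical to any of them."""
    known = set(known_accounts)
    flagged = []
    for name in observed_accounts:
        if name in known:
            continue
        for legit in known_accounts:  # list order keeps output deterministic
            ratio = SequenceMatcher(None, name.lower(), legit.lower()).ratio()
            if ratio >= threshold:
                flagged.append((name, legit, round(ratio, 2)))
                break
    return flagged

baseline = ["svc-backup", "svc-sqlagent", "svc-printspool"]
directory = ["svc-backup", "svc-backups", "jdoe", "svc-sq1agent"]
print(flag_lookalikes(baseline, directory))
```

Run against a nightly export of directory accounts, a check like this costs nothing and targets a persistence trick that, in my experience, EDR tooling rarely flags on its own.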
Even after the engagement ended, we maintained 4 different access methods for an additional 30 days (with client permission) to test how long it would take them to find and remove our access.
Results: They found 1 of 4 access methods after 23 days. The other 3 remained viable for the full 30-day period.
This is the reality that keeps CISOs awake at night: once an attacker is in, they're very hard to remove.
"The average dwell time for an advanced persistent threat is 287 days. That's not because they're invisible—it's because most organizations lack the detection capabilities to find them even when they're leaving evidence everywhere."
Table 8: Persistence Mechanisms and Detection Rates
Persistence Method | Technique | Longevity | Detection Rate | Removal Difficulty | Real Attacker Usage |
|---|---|---|---|---|---|
Backdoor User Accounts | Create accounts with admin rights | Months to years | 15-30% | Easy (if found) | Very High |
Web Shells | Upload malicious scripts to web servers | Months | 20-35% | Easy to Medium | Very High |
Scheduled Tasks | Create tasks for regular execution | Months | 25-40% | Easy | High |
Registry Modifications | Modify Run keys, services | Months to years | 30-45% | Easy | High |
Golden Ticket | Forged Kerberos tickets | Years (until KRBTGT reset) | 5-15% | Very Hard | Medium (APT) |
DLL Hijacking | Replace legitimate DLLs | Months | 40-55% | Medium | Medium |
Startup Folder | Add programs to startup | Indefinite | 50-65% | Easy | Low (too obvious) |
Bootkit/Rootkit | Kernel-level persistence | Indefinite | 10-25% | Very Hard | Low (complexity) |
Cloud Instance | Maintain access via cloud resources | Indefinite | 15-30% | Easy to Medium | Growing |
Hardware Implant | Physical device installation | Years | <5% | Very Hard | Very Low (nation-state) |
Building an Effective Blue Team: The Defender's Perspective
Red teaming isn't just about the attackers. The real value comes from testing—and improving—your blue team's capabilities.
I consulted with a technology company in 2022 that had a 14-person SOC running 24/7/365. They had invested $2.3 million in SIEM, EDR, NDR, and other security tools. They were proud of their security operations.
During our red team engagement:
They detected 34 of 77 actions (44% detection rate)
They investigated 12 of those 34 detections
Only 2 of those 12 investigations resulted in the activity being stopped
They never connected the dots to realize it was a coordinated campaign
We had compromised their objective before they realized there was a problem.
But here's the important part: after the engagement, we spent a week working with their SOC to understand what went wrong. We found:
Detection Issues:
43% of alerts were classified as "low priority" automatically
Alert fatigue: SOC analysts saw 14,000 alerts per day, investigated 300
Tool overlap: 5 tools generated alerts for the same activity, none correlated
Tuning problems: 67% of our activities triggered alerts, but alerts weren't acted on
Response Issues:
No playbooks for the attack types we used
Escalation process took average 4.7 hours
No clear ownership when cross-team coordination needed
Incident response team never engaged during active campaign
Organizational Issues:
SOC reported to IT, not security leadership
No executive engagement during incident
"Don't bother business users" culture prevented investigation
No threat hunting capability
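The tool-overlap problem in particular yields to fairly simple logic. The sketch below groups alerts by host and flags any host where two or more distinct tools fired within a time window, a crude but effective multi-stage-campaign signal. Field names and the alert feed are invented stand-ins for whatever a SIEM exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def correlate(alerts, window=timedelta(hours=1), min_tools=2):
    """Flag hosts where >= min_tools distinct tools alerted within
    `window` of each other; returns one incident per flagged host."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        for i, first in enumerate(items):
            cluster = [a for a in items[i:] if a["time"] - first["time"] <= window]
            tools = {a["tool"] for a in cluster}
            if len(tools) >= min_tools:
                incidents.append({"host": host, "tools": sorted(tools),
                                  "alerts": len(cluster)})
                break
    return incidents

feed = [  # hypothetical SIEM export
    {"time": datetime(2022, 3, 1, 9, 5),  "host": "WKS-114", "tool": "EDR"},
    {"time": datetime(2022, 3, 1, 9, 22), "host": "WKS-114", "tool": "NDR"},
    {"time": datetime(2022, 3, 1, 9, 40), "host": "DC-01",   "tool": "SIEM"},
]
print(correlate(feed))
```

Production SIEMs express the same idea as correlation rules; the point is that even twenty lines of glue would have connected the 16 alerts this SOC dismissed individually.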
Six months after the engagement, we did a follow-up assessment. They had:
Reduced daily alerts from 14,000 to 2,800 (better tuning)
Implemented automated correlation across tools
Created playbooks for common attack patterns
Established executive notification procedures
Started monthly threat hunting exercises
Their detection rate in the follow-up: 68%
Their response rate: 47%
Most importantly: They stopped our attack at initial access—we never got to lateral movement.
That's the value of red teaming done right.
Table 9: Blue Team Capabilities Assessment Framework
Capability Area | What to Measure | Good | Better | Best | Red Team Test Method |
|---|---|---|---|---|---|
Detection - Initial Access | % of entry attempts detected | >30% | >60% | >85% | Phishing, exploitation, physical intrusion |
Detection - Lateral Movement | % of internal movement detected | >20% | >50% | >75% | Credential use, network scanning, enumeration |
Detection - Persistence | % of persistence mechanisms found | >15% | >40% | >70% | Backdoors, scheduled tasks, registry modifications |
Detection - Exfiltration | % of data theft attempts detected | >40% | >70% | >90% | Large transfers, unusual protocols, cloud uploads |
Response Time | Time from detection to containment | <4 hours | <2 hours | <30 min | Measure across all detection events |
Investigation Depth | % of alerts fully investigated | >25% | >60% | >85% | Review investigation quality |
Cross-Team Coordination | Time to engage other teams | <2 hours | <1 hour | <15 min | Test escalation procedures |
Incident Recovery | Time to restore from compromise | <48 hours | <24 hours | <12 hours | Simulate various compromise scenarios |
Threat Intelligence | Use of TI in detection/response | Basic | Integrated | Proactive | Test TI-driven hunts |
Executive Communication | Leadership engagement speed | <24 hours | <12 hours | <4 hours | Executive notification test |
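Scoring a blue team against thresholds like those in Table 9 is straightforward once red-team actions are logged with a detected flag. The sketch below computes per-phase detection rates and maps them onto the good/better/best tiers; the thresholds shown mirror the initial-access row of the table, and the action log is invented.

```python
def detection_rates(actions):
    """actions: iterable of (phase, detected: bool) from the engagement
    log; returns phase -> fraction of actions detected."""
    totals, hits = {}, {}
    for phase, detected in actions:
        totals[phase] = totals.get(phase, 0) + 1
        hits[phase] = hits.get(phase, 0) + (1 if detected else 0)
    return {p: hits[p] / totals[p] for p in totals}

def tier(rate, good, better, best):
    """Map a detection rate onto the maturity tiers of Table 9."""
    if rate > best:
        return "best"
    if rate > better:
        return "better"
    if rate > good:
        return "good"
    return "below good"

log = [("initial_access", True), ("initial_access", False),
       ("initial_access", True), ("lateral_movement", False),
       ("lateral_movement", False)]
rates = detection_rates(log)
# Initial-access thresholds from Table 9: >30% / >60% / >85%
print(tier(rates["initial_access"], 0.30, 0.60, 0.85))  # -> better
```

Tracking these numbers across successive engagements is what turns a red team exercise from a one-off scare into a measurable improvement program.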
Framework-Specific Red Teaming Requirements
Different compliance frameworks have different expectations around adversarial testing. Some require it, some recommend it, and some don't mention it at all.
I've worked with organizations that thought their annual penetration test satisfied all their testing requirements. Then they pursued a new compliance framework and discovered they needed purple team exercises, assumed breach scenarios, or full red team engagements.
Let me break down what each major framework actually requires or expects:
Table 10: Framework Requirements for Adversarial Testing
Framework | Explicit Requirements | Recommended Practices | Frequency Guidance | Scope Expectations | Reporting Requirements | Typical Cost Impact |
|---|---|---|---|---|---|---|
PCI DSS v4.0 | Requirement 11.4: Penetration testing at least annually | Red teaming for complex environments | Annual minimum, after significant changes | Network, application, segmentation | Documented methodology, findings, remediation | $25K-$150K annually |
SOC 2 | No explicit requirement (part of security monitoring) | Periodic security testing including simulated attacks | Based on risk assessment | Varies by trust services criteria | Evidence of testing and remediation | $15K-$100K annually |
ISO 27001:2022 | A.8.29: Testing in development/acceptance | Periodic security testing recommended | Not specified (risk-based) | Information systems and controls | Test results, improvement actions | $20K-$75K annually |
NIST CSF | DE.DP-4: Event detection testing | Purple team exercises, simulations | Continuous improvement | Entire security program | Detection effectiveness metrics | $50K-$200K annually |
NIST 800-53 | CA-8: Penetration testing | Red team exercises for high-impact systems | Annual or per major changes | System authorization boundary | Assessment report, POA&M | $75K-$300K annually |
CMMC Level 2 | CA.L2-3.12.4: Penetration testing | Adversarial assessments for Level 3+ | Annual minimum | CUI systems and supporting infrastructure | Assessment results, remediation tracking | $40K-$150K annually |
CMMC Level 3 | Enhanced testing requirements | Full red team exercises | Annual | All systems processing CUI | Comprehensive assessment report | $100K-$400K annually |
FedRAMP | Penetration testing required for authorization | Red team for High impact | Annual, plus continuous monitoring | Entire system boundary | 3PAO assessment, POA&M updates | $150K-$500K annually |
HIPAA | No explicit testing requirement | Periodic risk assessments including penetration testing | Not specified (reasonable approach) | ePHI systems and networks | Documentation for compliance | $30K-$120K annually |
GDPR | Article 32: Regular testing of security measures | Security assessments including adversarial | Regular basis (not defined) | Personal data processing systems | Evidence of security effectiveness | $25K-$100K annually |
Red Team Exercise Cost Breakdown
Let me be transparent about what red team exercises actually cost. I've seen organizations shocked by quotes, and I've seen them get sold services they don't need.
Here's the real cost breakdown from a 3-week red team engagement I led in 2023 for a mid-sized financial services company:
Labor Costs (largest component):
Lead Red Team Operator: $2,400/day × 15 days = $36,000
Senior Red Team Operator: $1,800/day × 15 days = $27,000
Red Team Operator: $1,200/day × 15 days = $18,000
Report Writing/Debrief: $2,000/day × 5 days = $10,000
Subtotal: $91,000
Tooling and Infrastructure:
Kali Linux systems, C2 infrastructure, phishing platform: $4,200
Commercial tools (Cobalt Strike, etc.): $8,500
Physical security tools (lock picks, cloners, etc.): $1,800
Subtotal: $14,500
Pre-Engagement Planning:
Scoping meetings, legal review, ROE development: $8,000
Subtotal: $8,000
Post-Engagement Activities:
Remediation guidance: $6,500
Executive presentation: $3,500
Purple team knowledge transfer: $7,000
Subtotal: $17,000
Total Engagement Cost: $130,500
This was for a company with approximately 1,200 employees, 340 servers, and moderate complexity.
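The breakdown above is simple enough to model when you're budgeting your own engagement. This sketch recomputes it from the itemized figures (day rates times days, plus the fixed line items); the numbers are the ones listed above.

```python
# Recompute the 3-week engagement cost from the itemized breakdown.
labor = {
    "lead_operator":   2400 * 15,   # Lead Red Team Operator
    "senior_operator": 1800 * 15,   # Senior Red Team Operator
    "operator":        1200 * 15,   # Red Team Operator
    "report_debrief":  2000 * 5,    # Report writing and debrief
}
tooling = 4200 + 8500 + 1800         # infra, commercial tools, physical kit
pre_engagement = 8000                # scoping, legal review, ROE
post_engagement = 6500 + 3500 + 7000 # remediation, exec brief, purple team

total = sum(labor.values()) + tooling + pre_engagement + post_engagement
print(f"Labor subtotal: ${sum(labor.values()):,}")  # $91,000
print(f"Total engagement cost: ${total:,}")         # $130,500
```

Swap in your own day rates and durations and the same structure gives you a defensible first-pass quote.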
Table 11: Red Team Exercise Cost Factors
Cost Driver | Low Complexity | Medium Complexity | High Complexity | Cost Impact (Low / Medium / High) | Scalability |
|---|---|---|---|---|---|
Organization Size | <500 employees | 500-5,000 employees | >5,000 employees | $50K-$100K-$300K+ | Linear to exponential |
Environment Complexity | Single location, simple network | Multiple locations, cloud + on-prem | Global, multi-cloud, OT/ICS | $40K-$100K-$250K+ | Exponential |
Engagement Duration | 1-2 weeks | 3-4 weeks | 5-8 weeks | $75K-$150K-$400K+ | Linear |
Team Size | 2 operators | 3-4 operators | 5+ operators | $60K-$120K-$300K+ | Linear |
Scope Breadth | Network only | Network + physical | All attack vectors | $50K-$125K-$300K+ | Significant |
Blue Team Involvement | Minimal | Purple team elements | Full purple team | $75K-$150K-$350K+ | Moderate |
Deliverables | Standard report | Enhanced report + presentation | Comprehensive with training | $80K-$150K-$400K+ | Moderate |
Geographic Distribution | Single city | Multiple cities | Global | $60K-$140K-$400K+ | Significant (travel) |
Industry Specialization | General commercial | Regulated industry | Critical infrastructure | $70K-$160K-$500K+ | Moderate to high |
Compliance Requirements | No specific framework | One framework (PCI, SOC 2) | Multiple frameworks (FedRAMP, etc.) | $75K-$150K-$450K+ | Moderate |
Common Red Team Exercise Mistakes (Client-Side)
I've seen organizations waste enormous amounts of money on poorly executed red team exercises. Let me share the top mistakes I've witnessed:
Mistake #1: Treating It Like a Penetration Test
A manufacturing company hired us for a "red team exercise" but provided a detailed scope document that excluded:
Social engineering
Physical access attempts
Attacks outside business hours
Anything that might "disrupt business"
That's not a red team exercise. That's a constrained penetration test with a fancy name.
We explained that red teams simulate real adversaries, and real adversaries don't follow rules. The choice was theirs: expand the scope, or we would decline the engagement.
They expanded the scope. We found 11 critical security gaps that the constrained approach would have missed, including the one that led to complete domain compromise in four days.
Mistake #2: Not Involving Leadership
A healthcare company brought us in for a red team exercise. The CISO was our only point of contact. When we achieved our objective (accessing patient records), we reported it to the CISO.
His response: "Don't tell anyone. Just write the report."
We explained that red team exercises only create value when findings drive organizational change. That requires executive awareness and commitment.
He insisted on keeping it quiet. We completed the engagement, delivered the report, and left.
Two years later, they had a real breach using almost identical techniques to what we demonstrated. The cost: $127 million in response, fines, and lawsuits.
The CISO's career didn't survive it.
Mistake #3: No Blue Team Preparation
A technology company scheduled a red team exercise without telling their SOC it was happening. At all.
On day 3, the SOC detected suspicious activity (one of our phishing emails). They did exactly what they should: escalated to the incident response team, engaged their legal counsel, and prepared to notify law enforcement.
The engagement nearly became a real legal incident. We had to emergency-stop, reveal ourselves, and deal with the fallout.
The lesson: Blue team awareness levels need to be carefully managed. Complete surprise can create problems. Too much awareness makes it unrealistic. Find the right balance.
Mistake #4: Unrealistic Objectives
A financial services company wanted us to "hack into the Federal Reserve and transfer money."
That's not a red team objective. That's a fantasy.
Red team objectives must be:
Realistic (actual adversary goal)
Achievable (within scope and timeline)
Measurable (clear success criteria)
Valuable (teaches something useful)
We worked with them to define a realistic objective: access their wire transfer approval workflow and demonstrate the ability to initiate fraudulent transfers.
That's valuable. That's testable. That's what we did.
Table 12: Red Team Exercise Mistakes and Remediation
Mistake | Manifestation | Impact | Root Cause | Prevention | Recovery Cost |
|---|---|---|---|---|---|
Over-Constraining Scope | Too many restrictions, unrealistic rules | Low value, missed critical findings | Risk aversion, misunderstanding purpose | Education on red team vs. pentest | Wasted investment ($50K-$200K) |
Insufficient Planning | Unclear objectives, undefined success criteria | Engagement drift, confusion | Rushing to start, inadequate scoping | Thorough planning phase | Mid-engagement corrections ($20K-$80K) |
No Executive Involvement | CISO only engagement | Findings ignored, no organizational change | Treating as technical exercise only | Executive sponsorship requirement | No actual security improvement |
Poor Blue Team Coordination | Confusion, near-legal incidents | Engagement disruption, relationship damage | Communication breakdown | Detailed communication plan | Emergency de-escalation ($10K-$40K) |
Unrealistic Timeline | Engagement too short for value | Incomplete testing, no persistence phase | Budget constraints, impatience | Match timeline to complexity | Follow-up engagement needed |
Wrong Objectives | Objectives misaligned with actual threats | Irrelevant findings | Lack of threat modeling | Threat-informed objective setting | Re-engagement required |
No Remediation Follow-Up | Findings documented, never fixed | No security improvement | Treating as checkbox exercise | Built-in remediation phase | Repeat vulnerabilities in future |
Inadequate Legal Review | Authorization issues, liability concerns | Legal complications | Skipping legal consultation | Legal review in planning | Potential legal issues (varies) |
Tool Over-Reliance | Automated scans only, no manual testing | Shallow findings, missing creative attacks | Budget constraints, misunderstanding | Emphasize manual testing value | Limited value from engagement |
No Knowledge Transfer | Red team leaves, blue team learns nothing | Missed learning opportunity | No purple team element | Purple team sessions built in | Training gap, recurring issues |
Purple Team Exercises: The Best of Both Worlds
After leading 67 red team exercises, I'm convinced that pure red team engagements, while valuable, leave learning opportunities on the table.
That's why I now recommend purple team exercises for most organizations.
Let me explain the difference with a real example:
Traditional Red Team (Financial Services Company, 2019):
Red team operates independently
Blue team unaware exercise is happening
Red team achieves objective in 8 days
Engagement ends, report delivered
Blue team learns from written report only
Cost: $147,000
Measurable improvement in 6-month follow-up: ~30% better detection
Purple Team (Same Company, 2021):
Red team and blue team coordinate
Blue team knows an exercise is happening, but not the timing or methods
Red team executes attack, pauses after each phase
Joint session: Red explains what they did, blue explains what they saw
Blue team tries to detect previous phase before red team proceeds
Engagement takes 4 weeks instead of 2 (more learning time)
Cost: $218,000
Measurable improvement in 6-month follow-up: ~74% better detection
The purple team approach cost $71,000 more but delivered 2.5× the improvement.
Why? Because the blue team learned not just what happened, but exactly how to detect it, what worked, what didn't, and how to improve.
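One way to make that comparison concrete is to normalize improvement by cost. The engagement figures below are the ones from this article; "detection gain per $100K" is my own illustrative metric, not an industry standard.

```python
# Compare the two engagements on detection improvement per dollar spent.
red    = {"cost": 147_000, "detection_gain_pct": 30}  # 2019 red team
purple = {"cost": 218_000, "detection_gain_pct": 74}  # 2021 purple team

for name, eng in (("red team", red), ("purple team", purple)):
    per_100k = eng["detection_gain_pct"] / (eng["cost"] / 100_000)
    print(f"{name}: {per_100k:.1f} points of detection gain per $100K")

ratio = purple["detection_gain_pct"] / red["detection_gain_pct"]
print(f"improvement ratio: {ratio:.1f}x")  # the 2.5x figure quoted above
```

On this measure the purple team engagement delivers more improvement per dollar despite the higher sticker price, which is the core of the argument above.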
I worked with a healthcare company in 2023 where we ran a purple team exercise structured like this:
Week 1: Red team reconnaissance and initial access
Week 2: Joint session - red team explains techniques, blue team reviews logs and alerts
Week 3: Red team privilege escalation and lateral movement
Week 4: Joint session - detection analysis and improvement planning
Week 5: Red team objective achievement and persistence
Week 6: Final joint session - comprehensive review and remediation roadmap
By week 4, the blue team was detecting techniques they had missed in weeks 1-2. By week 6, they were stopping us before we achieved objectives.
That's unprecedented improvement in a single engagement.
Table 13: Red Team vs. Purple Team Comparison
Dimension | Red Team | Purple Team | Recommendation |
|---|---|---|---|
Primary Goal | Test detection and response | Improve detection and response | Purple for capability building |
Blue Team Awareness | Limited or none | Collaborative (but not timing/methods) | Depends on maturity level |
Knowledge Transfer | Post-engagement report | Real-time during engagement | Purple for faster learning |
Cost | $100K-$300K typical | $150K-$400K typical | Higher but better ROI |
Duration | 2-4 weeks | 4-8 weeks | Purple needs more time |
Immediate Value | Security gap identification | Detection improvement | Purple for operational value |
Long-term Value | Drives strategic improvements | Builds team capabilities | Purple for sustained improvement |
Best For | Mature security programs, compliance requirements | Developing programs, capability building | Match to organizational maturity |
Success Metric | Objective achieved vs. detected | Detection improvement percentage | Purple for measurable improvement |
Stress Level | High for blue team (failure exposure) | Lower (collaborative learning) | Purple for team development |
Building a Red Team Program: From Zero to Mature
Most organizations can't afford to hire a full-time red team. And honestly, most don't need one.
But you can build red team capabilities over time through a structured program. Here's how I've helped organizations do it:
Year 1: Foundation
Conduct external penetration testing (quarterly)
Hire or train 1 person in offensive security
Start threat intelligence program
Begin purple team exercises (annual)
Cost: $180K-$280K
Year 2: Capability Building
Internal penetration testing capability
Red team exercise by external provider (annual)
Purple team exercises (semi-annual)
Threat hunting program started
Build internal attack simulation tools
Cost: $240K-$380K
Year 3: Maturity
Internal red team capability (2-3 people)
Continuous purple team activities
Automated breach and attack simulation
External red team validation (annual)
Cost: $320K-$480K
I worked with a technology company that followed this exact path. By year 3, they had:
Internal red team conducting quarterly exercises
Purple team sessions monthly
Continuous attack simulation running 24/7
External validation annually
Detection rate improved from 23% to 71%
Response time improved from 4.3 hours to 37 minutes
Three-year total investment: $922,000
Avoided breach costs (conservative estimate): $47 million
The ROI is compelling if you commit to the journey.
Table 14: Red Team Program Maturity Model
Maturity Level | Capabilities | Team Size | Frequency | Tools | Detection Rate | Annual Investment |
|---|---|---|---|---|---|---|
Level 1: Ad Hoc | External pentesting only | 0 (outsourced) | Annual | Vendor tools | <20% | $50K-$100K |
Level 2: Developing | Regular pentesting, occasional red team | 1 internal, external support | Semi-annual | Basic internal + vendor | 20-35% | $150K-$250K |
Level 3: Defined | Internal offensive capability, purple team | 2-3 internal, annual external | Quarterly internal, annual external | Full offensive toolkit | 35-55% | $280K-$420K |
Level 4: Managed | Dedicated red team, continuous testing | 3-5 internal, periodic external | Monthly exercises | Advanced + custom tools | 55-75% | $450K-$650K |
Level 5: Optimized | Advanced red team, automation, R&D | 5+ internal, external validation | Continuous + formal exercises | Custom tools, zero-days | >75% | $700K+ |
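The detection-rate bands in Table 14 map cleanly to a self-assessment lookup. This sketch uses the table's band boundaries; treating the bands as half-open intervals at the shared edges is my own assumption, since the table's ranges touch at 20/35/55/75%.

```python
# Map an observed detection rate onto the Table 14 maturity levels.
# Upper bounds are the table's band edges (half-open intervals assumed).
LEVELS = [
    (20,  "Level 1: Ad Hoc"),       # <20%
    (35,  "Level 2: Developing"),   # 20-35%
    (55,  "Level 3: Defined"),      # 35-55%
    (75,  "Level 4: Managed"),      # 55-75%
    (101, "Level 5: Optimized"),    # >75%
]

def maturity_level(detection_rate_pct: float) -> str:
    for upper_bound, label in LEVELS:
        if detection_rate_pct < upper_bound:
            return label
    return LEVELS[-1][1]

# The technology company above went from 23% to 71% over three years:
print(maturity_level(23))  # starting point
print(maturity_level(71))  # after year 3
```

By this mapping, the three-year program described above took that company from Level 2 to Level 4.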
The Future of Red Teaming: AI and Automation
Let me end with where I see this field heading based on what I'm already implementing with cutting-edge clients.
Autonomous Red Teaming: I'm working with a financial services company piloting AI-driven red team tools that can:
Automatically identify and exploit vulnerabilities
Adapt attack paths based on defender responses
Generate custom exploits for discovered weaknesses
Operate 24/7 without human intervention
We're not there yet—humans still outperform AI in creative problem-solving and social engineering. But for technical exploitation, AI is rapidly closing the gap.
Continuous Red Teaming: Instead of annual exercises, imagine continuous adversarial testing where automated systems constantly probe defenses in production.
I have one client running this now. They have:
150 automated attack scenarios running monthly
AI-driven attack path analysis daily
Continuous breach and attack simulation
Human red team validates quarterly
Their detection rate has improved 340% in 18 months.
Cloud-Native Red Teaming: As organizations move to cloud infrastructure, red team techniques are evolving. I'm seeing:
Container escape techniques
Kubernetes cluster exploitation
Serverless function abuse
Cloud identity compromise
These require new tools, new skills, and new methodologies.
But here's my prediction: The fundamentals won't change.
In five years, red teams will still succeed primarily through:
Social engineering (humans remain the weakest link)
Credential compromise (authentication is hard)
Misconfigurations (complexity breeds mistakes)
Lack of detection (you can't stop what you can't see)
The tools will evolve. The techniques will adapt. But the core principle remains:
Organizations need someone to actually try to break in so they can learn where their defenses fail.
Conclusion: Red Teaming as Strategic Investment
Let me circle back to that financial services company from the beginning of this article. The one where we walked past reception, plugged into their network, and compromised 2.3 million customer records in two weeks.
After our engagement, they made some changes:
Technical Improvements ($847,000 investment):
Implemented application whitelisting across all endpoints
Deployed deception technology (honeypots and honeytokens)
Enhanced network segmentation
Implemented privileged access management
Upgraded SIEM with custom correlation rules
Process Improvements ($243,000 investment):
Created incident response playbooks for common attack patterns
Implemented purple team exercises quarterly
Started threat hunting program
Enhanced security awareness training with realistic scenarios
Established executive engagement protocols
Organizational Improvements (leadership commitment):
CISO now reports directly to CEO
Security operations elevated to peer level with IT
Board receives quarterly security briefings
Security budget increased by $2.1M annually
One year later, we returned for a follow-up red team exercise.
Results:
Initial access attempts: 7 different techniques tried
Successful initial access: 1 (after 6 days, not 14 minutes)
Lateral movement attempts: Detected and stopped at first attempt
Time to detection: 47 minutes
Time to containment: 2.3 hours
Objective achieved: No—we never reached the customer database
The follow-up engagement cost them $167,000.
The improvement in security posture: From "completely compromised in 2 weeks" to "contained at initial access in under 3 hours."
That's what red teaming done right looks like.
"Red team exercises don't just find vulnerabilities—they prove whether your security program works when it matters most. Every organization that handles sensitive data should know the answer to that question before their adversaries answer it for them."
After fifteen years of attacking organizations for a living, here's what I know for certain: the organizations that regularly test their defenses against realistic adversaries are the ones that survive real attacks.
You can spend millions on security tools, certifications, and compliance programs. But none of it matters if you don't know whether it actually works.
Red team exercises answer that question definitively.
The choice is yours. You can test your defenses now under controlled conditions, or you can wait and test them during a real breach.
I've led both scenarios. Trust me—the controlled test is cheaper.
Need help assessing your organization's readiness for adversarial testing? At PentesterWorld, we specialize in realistic red team exercises that drive meaningful security improvements. Subscribe for weekly insights from the offensive security frontlines.