Red Team Engagements

Understanding the Importance of Client Objectives¶

Engagements can be complex and bureaucratic, making clear objectives essential for success.

Why set objectives?
- They create a mutual understanding between the client and the red team.
- Serve as the foundation for documentation and planning.
- Help determine the focus and scope of the assessment.
- Ensure structured execution rather than an unplanned approach.
- Types of Engagements:
- General Internal/Network Penetration Test: Broad assessment using standard TTPs.
- Focused Adversary Emulation: Targets a specific APT group relevant to the industry.
- 5 Whys Analysis:
- Why do we define objectives first? To align expectations between client and red team.
- Why do expectations need alignment? So both parties know what will be tested and measured.
- Why is testing scope crucial? It prevents unauthorized actions that could disrupt business.
- Why prevent disruptions? To ensure security tests improve resilience without operational risks.
- Why is resilience important? A secure network minimizes the impact of real-world attacks.

Scope determines what is and isn't allowed during the engagement.

Client-defined limitations:
- No exfiltration of real data.
- Production servers may be off-limits.
- Specific IP ranges may be in or out of scope.
- Downtime is prohibited.
- Why should the client define the scope?
- They best understand their network and business impact.
- Protects critical infrastructure from unintended harm.
- Ensures compliance with legal and operational constraints.
- Challenges in Scope Definition:
- Scope may be too restrictive, limiting engagement effectiveness.
- Red team may need to negotiate exceptions to accurately assess risks.

RoE is a legally binding document that formalizes client objectives and scope.

Executive Summary: High-level overview of engagement and authorization.
Purpose: Explains why the RoE document exists.
Scope: Defines permissible actions and constraints.
Rules of Engagement & Support Agreement: Outlines responsibilities of both parties.
Ground Rules: Specifies limitations on interactions (e.g., no DDoS attacks).
Resolution of Issues: Establishes points of contact for conflict resolution.
Authorization & Approval: Requires signatures to finalize agreement.
Why is RoE necessary?
- Prevents misunderstandings between the client and red team.
- Ensures engagement is legally compliant.
- Defines red team boundaries, preventing excessive risk.

Using client objectives and RoE, red teams develop structured campaign plans.

Engagement Plan (High-level strategy)
- Concept of Operations (CONOPS)
- Resource & personnel requirements
- Timeline considerations
- Operations Plan (Detailed execution strategy)
- Roles and responsibilities
- Known information & reconnaissance data
- Stopping conditions
- Mission Plan (Tactical execution)
- Exact commands & tools to be used
- Execution timeline
- Specific operator responsibilities
- Remediation Plan (Post-engagement actions)
- Report summarizing findings
- Consultation on fixing vulnerabilities

A high-level document summarizing engagement plans for both business and technical audiences.

Client name & service provider
Timeframe of engagement
General objectives & attack phases
Common tools & techniques
Threat group to emulate (if applicable)
Why is CONOPS important?
- Helps non-technical stakeholders understand the engagement.
- Ensures alignment before deep technical planning.
- Acts as a reference point for refining tactical plans.
Engagement success depends on clear communication, structured documentation, and well-defined rules rather than just technical execution.
Pattern recognition: Engagement planning follows a structured hierarchy—Objectives → Scope → RoE → Campaign Plan → Execution → Remediation.
Risk reduction: Every document exists to minimize operational risk while maximizing security insight.
Thinking critically: A good red teamer doesn't just execute—they challenge assumptions, validate scope, and ensure meaningful results.