executing-red-team-exercise

# Executing Red Team Exercise ## When to Use - Assessing an organization's ability to detect, respond to, and contain a realistic adversary operation - Testing the effectiveness of the security operations center (SOC), incident response team, and threat hunting capabilities - Validating security investments by simulating attacks that chain multiple vulnerabilities and techniques - Evaluating the organization's security posture against specific threat actors (nation-state, ransomware groups, insider threats) - Meeting regulatory requirements for adversary simulation (TIBER-EU, CBEST, AASE, iCAST) **Do not use** without executive-level authorization and a detailed Rules of Engagement document, against systems where disruption could affect safety or critical operations, or as a replacement for basic vulnerability management (fix known vulnerabilities first). ## Prerequisites - Executive-level written authorization with clearly defined objectives, scope, and off-limits systems - Red team command and control (C2) infrastructure: primary and backup C2 channels with domain fronting or redirectors - Operator workstations with OPSEC-hardened toolsets (Cobalt Strike, Sliver, Brute Ratel, or Mythic) - Threat intelligence on adversary groups relevant to the target organization for adversary emulation planning - Trusted agent (white cell) within the target organization who manages the exercise boundaries without alerting defenders - MITRE ATT&CK matrix for mapping planned and execute...