Red Teaming Methodology

Get a Quote in 24 hours

Learn more about our methodology and the steps used in our red team operations.

RedTeam Security's Red Teaming Methodology

Each and every Red Team Operation is conducted using globally accepted and industry-standard frameworks which help make up our Red Teaming methodology. At a minimum, the underlying framework is based on the NATO CCDCOE, OWASP, PTES, US Army Red Teaming Handbook v7, but goes beyond the initial frameworks themselves.

While a red team engagement is an offensive attack simulation typically conducted by a third-party organization, it is sometimes juxtaposed with a defensive team (the blue team) responsible for defending against red teamers and actual threat actors alike.  Sometimes, when both teams are working on an engagement together, it may be called purple teaming.

The first step in a Red Team operation is to establish the rules of engagement with the client to lay out the target and types of physical, social engineering, and cyber attacks that are allowed to be carried out.  This process will identify all goals for the security team to achieve.  Whether that is to obtain physical access to the server room or to gain access to HR’s sensitive data.  Once the goals are established, then the Red Team will begin the engagement.

Reconnaissance/Information Gathering

The first phase in a red team operation is focused on collecting as much information as possible about the target. Reconnaissance, aka Information Gathering, is one of the most critical steps. This is done through the use of public tools, such as Maltego, LinkedIn, Google, Twitter, Facebook, Google Earth, etc. As a result, it is usually possible to learn a great deal about the target’s people, technology, surroundings, and environment. This step also involves building or acquiring specific tools for the red team test.

Active Reconnaissance/Covert Observation

An important phase in a red team operation focuses on collecting information about IT infrastructure, facilities, and employees. Open Source Intelligence Gathering can be quite telling about a target, its people, its facilities, its response capabilities, and its technical makeup, such as physical/logical security controls, foot traffic, terrain, infiltration and exfiltration points, etc. Through thorough analysis, it begins to paint a picture of the target and its primary operations, and the threats that exist.

Attack Planning and Pretexting

Effective attack planning and pretexting involve preparation of the operation specific to the target taking into full account intel gathered from the reconnaissance stages. This commonly includes: threat modeling, creating an initial plan of attack, identification of pretexts, outlining potential alternative plans, crafting custom malicious file payloads, prepping RFID cloners and badges, configuring hardware trojans, acquiring social engineering costumes, creating falsified personas/companies, determining whether command and control will be in scope, and much more.


Exploitation is exactly what it sounds like. At this point, the red team will actively work to achieve the designated goal to “break-in” or compromise servers/apps/networks, bypass physical controls (i.e., gates, fences, locks, radar, motion detection, cameras), and exploit target staff through social engineering by face-to-face, email phishing, phone vishing, or SMS. RedTeam will analyze cybersecurity vulnerabilities and backdoors, plant hardware trojans for remote network persistence, etc.

Once access is established, RedTeam Security’s ethical hackers will work to gain persistence, either cyber persistence or physical persistence, although cyber persistence is generally slightly more common. This is done through things like privilege escalation on compromised servers, shells, malicious file payload installation, usage of physical key impressions, and lock-picked doors.

The exploitation stage provides the foundation for the Post Exploitation phase.  

Post Exploitation

During this phase of a Red Team Operation, the team aims to complete the mission and realize the agreed-upon objectives set by the client and RedTeam Security. Actions on objective happen through lateral movement throughout the cyber environment as well as the physical facilities. Pivoting from compromised systems and from breached physical security controls all along capturing video, audio and photographic evidence supporting each finding discovered.

Ultimately, the team aims to achieve the agreed-upon goal which could be to exfiltrate data, information, or physical assets you deem critically sensitive.


Once the red team assessment is completed, RedTeam security consultants will begin compiling the information gathered from all the phases of the engagement to provide a comprehensive report for you and your stakeholders that includes the information learned from OSINT/Reconnaissance, the initial plan developed in the Attack Planning and Pretexting phase, methods used and steps taken for Exploitation and Post Exploitation. The report will outline where the team was successful and where they were unsuccessful and will provide recommendations to improve the company’s security posture.

Free Cybersecurity Consultation With RedTeam Security

RedTeam Security has been providing premier information security services since 2008. Our team members are highly skilled, and each tester brings strong knowledge, experience, and wisdom to every project we do. A dedication to providing our customers with the best security defense possible is a primary driver in our business philosophy. Our rigorous methodology is designed to ensure your security not only meets industry standards but exceeds. Are you ready to bring your security to the next level? Schedule your free virtual meeting with a RedTeam Security expert today at 612-234-7848.

Why work with RedTeam

Services Datasheet

Learn more about RedTeam Security’s advanced Application, Network and Physical Penetration Testing, Social Engineering and Red Teaming services.

Services Datasheet