This final lesson explores red teaming, which extends traditional pentesting from finding vulnerabilities to testing whether an organisation can detect and respond to a realistic adversary, and provides a roadmap for building a career in offensive security. We cover adversary simulation, purple teaming, command-and-control (C2) frameworks, certifications, and practical advice for getting started.
| Aspect | Penetration Test | Red Team Engagement |
|---|---|---|
| Goal | Find as many vulnerabilities as possible | Test the organisation's detection & response capability |
| Duration | 1–4 weeks | 4–12+ weeks |
| Scope | Defined targets (IPs, apps) | Objective-based ("reach the CEO's inbox") |
| Stealth | Limited concern | Critical — avoid detection |
| Blue team awareness | Often informed | Typically unaware (except for leadership) |
| Techniques | Standard exploitation | Full adversary simulation (TTPs) |
| Output | Vulnerability report | Detection gap analysis + attack narrative |
Penetration Test:
"Here are all the vulnerabilities we found."
Red Team:
"Here is how a real adversary could compromise your organisation, and here is where your defences failed to detect or stop us."
Red teams model their operations on real-world threat actors and describe what they do in the vocabulary of the MITRE ATT&CK framework, so that every action maps to a tactic (the adversary's goal) and a technique (how it was achieved):
MITRE ATT&CK Matrix (selected tactics & example techniques)
| Tactic | Example Techniques |
|---|---|
| Initial Access | Phishing, Drive-by Compromise, Supply Chain Compromise, Exploit Public-Facing Application |
| Execution | PowerShell, WMI, Windows Command Shell |
| Persistence | Registry Run Keys, Scheduled Task, Windows Service |
| Privilege Escalation | Access Token Manipulation, Exploitation for Privilege Escalation, UAC Bypass |
| Defence Evasion | Obfuscated Files or Information, Masquerading |
| Credential Access | OS Credential Dumping, Brute Force |
| Discovery | Account Discovery, Network Service Discovery, System Information Discovery |
| Lateral Movement | Remote Services (RDP, SMB/Admin Shares, WinRM), Pass the Hash |
| Collection | Data from Local System, Email Collection, Screen Capture |
| Exfiltration | Exfiltration Over C2 Channel, Exfiltration Over Web Service |
| Impact | Data Encrypted for Impact, Data Destruction |
Red teams should simulate specific threat actors relevant to the target organisation:
| Organisation Type | Likely Threat Actors | Key TTPs |
|---|---|---|
| Financial sector | APT groups, cybercriminals | Phishing, credential theft, SWIFT payment fraud |
| Healthcare | Ransomware groups | Phishing, lateral movement, encryption |
| Defence/Gov | Nation-state actors | Supply chain, zero-days, persistence |
| Technology | Competitors, hacktivists | Source code theft, IP exfiltration |
Purple teaming is the collaborative integration of red team (offensive) and blue team (defensive) activities:
```mermaid
graph TD
subgraph Traditional["Traditional (adversarial, limited communication)"]
R1["Red Team"] -->|attacks| B1["Blue Team (detects)"]
end
subgraph Purple["Purple Team (shared goals, real-time feedback)"]
R2["Red Team"] <-->|collaborates| B2["Blue Team"]
end
```
| Benefit | Description |
|---|---|
| Immediate feedback | Detections are validated in real time |
| Detection engineering | New rules are created and tested during exercise |
| Improved collaboration | Breaks down adversarial silos |
| Measurable improvement | Before/after detection coverage metrics |
| Knowledge transfer | Both teams learn from each other |
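As an added example (not part of the course material), the scoring loop a purple team runs during an exercise: red-team actions tagged with ATT&CK technique IDs are replayed through the blue team's detection rules, coverage is measured, a rule is written for a missed technique, and coverage is measured again. The events, rule patterns, hostnames and technique tags below are constructed for illustration; the rules only ever see the command line, never the red team's tag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    """Constructed telemetry record, as a SIEM might normalise a process event."""
    host: str
    process: str
    cmdline: str
    technique: str   # ATT&CK technique ID the red team logged for this action


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # technique the rule is intended to cover
    pattern: str

    def fires(self, event: Event) -> bool:
        # Decide on telemetry only; the rule has no access to the red team's tag.
        return re.search(self.pattern, event.cmdline, re.IGNORECASE) is not None


# Constructed exercise log: one event per red-team action (hostnames are assumed).
EXERCISE_LOG = [
    Event("HR-WS01", "powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
          "T1059.001"),
    Event("HR-WS01", "cmd.exe", 'net group "Domain Admins" /domain', "T1087.002"),
    Event("HR-WS01", "cmd.exe",
          r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe",
          "T1053.005"),
    Event("HR-WS01", "rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\l.dmp full",
          "T1003.001"),
    Event("HR-WS01", "psexec.exe", r"psexec.exe \\FS01 -s cmd.exe", "T1021.002"),
]

# Rules the blue team had before the exercise started.
BASELINE_RULES = [
    Rule("PowerShell encoded command", "T1059.001",
         r"powershell.*\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    Rule("Domain admin group enumeration", "T1087.002",
         r'\bnet1?\s+group\s+"?domain admins"?'),
    Rule("Scheduled task created", "T1053.005", r"schtasks(?:\.exe)?\s+/create"),
]


def coverage(events: List[Event], rules: List[Rule]) -> Dict[str, bool]:
    """Per executed technique: did at least one rule fire on at least one event?"""
    result: Dict[str, bool] = {}
    for ev in events:
        fired = any(rule.fires(ev) for rule in rules)
        result[ev.technique] = result.get(ev.technique, False) or fired
    return result


def gaps(events: List[Event], rules: List[Rule]) -> List[str]:
    """Executed techniques that no rule detected, i.e. the detection gap list."""
    return sorted(t for t, hit in coverage(events, rules).items() if not hit)


def coverage_ratio(events: List[Event], rules: List[Rule]) -> float:
    cov = coverage(events, rules)
    return sum(cov.values()) / len(cov)


# During the exercise the blue team writes a rule for the missed LSASS dump
# and re-runs the same events: the before/after numbers are the exercise metric.
LSASS_RULE = Rule("LSASS dump via comsvcs MiniDump", "T1003.001",
                  r"comsvcs\.dll.*\bMiniDump\b")
IMPROVED_RULES = BASELINE_RULES + [LSASS_RULE]

if __name__ == "__main__":
    print("before:", coverage_ratio(EXERCISE_LOG, BASELINE_RULES), gaps(EXERCISE_LOG, BASELINE_RULES))
    print("after: ", coverage_ratio(EXERCISE_LOG, IMPROVED_RULES), gaps(EXERCISE_LOG, IMPROVED_RULES))
```

The remaining gap after the new rule (PsExec-style lateral movement) is what goes into the detection gap analysis; the point of running the red-team actions live rather than from a report is that the rule can be written, tested against the real telemetry and re-scored in the same session.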
C2 frameworks provide infrastructure for managing compromised hosts during red team engagements:
| Framework | Language | License | Key Features |
|---|---|---|---|
| Cobalt Strike | Java | Commercial | Industry standard, malleable C2 |
| Sliver | Go | Open source | Modern, multi-platform, implant-based |
| Havoc | Go (teamserver), C (agent) | Open source | Cobalt Strike alternative |
| Mythic | Python (server), agents in many languages | Open source | Modular, extensible agent framework |
| Brute Ratel | C/C++ | Commercial | EDR evasion focused |
```mermaid
graph TD
O["Operator (Red Team)"] --> C2["C2 Teamserver"]
C2 --> R["Redirector (hides C2)"]
R --> IA["Implant (Host A)"]
R --> IB["Implant (Host B)"]
R --> IC["Implant (Host C)"]
```
Note: C2 frameworks are powerful tools for authorised red team operations. Misuse is illegal and unethical.
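The redirector in the diagram is where most of the "hides C2" work happens: the teamserver is never exposed directly, and the redirector proxies only traffic that looks like the implant's own. As an added example (not code from any of the frameworks above), the following Python models the per-request decision a redirector makes. The teamserver and decoy addresses, the profile URIs, User-Agent and Host header, and the blocklist ranges are all assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed values: the teamserver is reachable only from the redirector, and the
# decoy is a harmless page shown to anything that is not an implant.
TEAMSERVER = "https://10.0.0.5:443"
DECOY = "https://www.example.com/"


@dataclass(frozen=True)
class Profile:
    """The parts of an implant's traffic profile a redirector can check."""
    uris: Tuple[str, ...]   # beacon (GET) and result (POST) paths the implant uses
    user_agent: str         # exact User-Agent string compiled into the implant
    host_header: str        # Host header the implant was built to send


PROFILE = Profile(
    uris=("/api/v2/status", "/api/v2/submit"),
    user_agent=("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    host_header="cdn-updates.example.net",
)

# Constructed blocklist of source ranges that must never reach the teamserver
# (documentation ranges stand in for scanner/sandbox egress gathered from intel).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


@dataclass(frozen=True)
class Request:
    src_ip: str
    method: str
    path: str
    headers: Dict[str, str]


@dataclass(frozen=True)
class Decision:
    forward: bool
    reason: str
    upstream: str


def route(req: Request, profile: Profile = PROFILE) -> Decision:
    """Fail closed: every check must pass before a request is proxied to C2."""
    headers = {k.lower(): v for k, v in req.headers.items()}
    if any(ipaddress.ip_address(req.src_ip) in net for net in BLOCKED_NETS):
        return Decision(False, "blocked source network", DECOY)
    if req.method not in ("GET", "POST"):
        return Decision(False, "unexpected method", DECOY)
    if req.path not in profile.uris:
        return Decision(False, "path not in profile", DECOY)
    if headers.get("host") != profile.host_header:
        return Decision(False, "host mismatch", DECOY)
    if headers.get("user-agent") != profile.user_agent:
        return Decision(False, "user-agent mismatch", DECOY)
    return Decision(True, "matches implant profile", TEAMSERVER + req.path)


# Constructed requests: a genuine beacon, a result upload, and three kinds of
# unwanted visitor a redirector sees in practice.
IMPLANT_BEACON = Request("192.0.2.10", "GET", "/api/v2/status",
                         {"Host": PROFILE.host_header, "User-Agent": PROFILE.user_agent})
IMPLANT_UPLOAD = Request("192.0.2.10", "POST", "/api/v2/submit",
                         {"Host": PROFILE.host_header, "User-Agent": PROFILE.user_agent})
SCANNER = Request("198.51.100.7", "GET", "/api/v2/status",
                  {"Host": PROFILE.host_header, "User-Agent": PROFILE.user_agent})
ANALYST_CURL = Request("192.0.2.99", "GET", "/api/v2/status",
                       {"Host": PROFILE.host_header, "User-Agent": "curl/8.4.0"})
CRAWLER = Request("192.0.2.50", "GET", "/",
                  {"Host": PROFILE.host_header, "User-Agent": PROFILE.user_agent})

if __name__ == "__main__":
    for name, req in [("beacon", IMPLANT_BEACON), ("upload", IMPLANT_UPLOAD),
                      ("scanner", SCANNER), ("curl", ANALYST_CURL), ("crawler", CRAWLER)]:
        d = route(req)
        print(f"{name:8} -> {'C2' if d.forward else 'decoy'} ({d.reason})")
```

In a real deployment this logic is usually expressed as Apache mod_rewrite or nginx rules (conditions on the request URI and User-Agent, a proxy rule to the teamserver when they match, a redirect to the decoy otherwise), with the teamserver firewalled to accept connections only from the redirector. The strict matching cuts both ways: a defender who notices that one path answers differently depending on an exact User-Agent has fingerprinted the redirector, so profile values should look like ordinary traffic for the domain being impersonated.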