Red Teaming & Career Development

This final lesson explores red teaming — the evolution beyond traditional pentesting — and provides a roadmap for building a career in offensive security. We cover adversary simulation, purple teaming, command-and-control (C2) frameworks, certifications, and practical advice for getting started.

---

Red Team vs Penetration Test

Aspect	Penetration Test	Red Team Engagement
Goal	Find as many vulnerabilities as possible	Test the organisation's detection & response capability
Duration	1–4 weeks	4–12+ weeks
Scope	Defined targets (IPs, apps)	Objective-based ("reach the CEO's inbox")
Stealth	Limited concern	Critical — avoid detection
Blue team awareness	Often informed	Typically unaware (except for leadership)
Techniques	Standard exploitation	Full adversary simulation (TTPs)
Output	Vulnerability report	Detection gap analysis + attack narrative

Penetration Test:
  "Here are all the vulnerabilities we found."

Red Team:
  "Here is how a real adversary could compromise your
   organisation, and here is where your defences failed
   to detect or stop us."

---

Adversary Simulation

Red teams model their operations after real-world threat actors, using the MITRE ATT&CK framework:

MITRE ATT&CK Framework

┌────────────────────────────────────────────────────────────────┐
│                     MITRE ATT&CK Matrix                        │
├──────────┬──────────┬──────────┬──────────┬──────────┬────────┤
│ Initial  │Execution │Persist-  │Privilege │Defence   │Credential│
│ Access   │          │ence      │Escalation│Evasion   │Access   │
├──────────┼──────────┼──────────┼──────────┼──────────┼────────┤
│ Phishing │PowerShell│Registry  │Token     │Obfuscated│OS Cred │
│ Drive-by │WMI       │Scheduled │Manip.    │Files     │Dumping │
│ Supply   │Command   │Task      │Exploit   │Masquer-  │Brute   │
│ Chain    │Line      │Services  │Public    │ading     │Force   │
│          │          │          │Facing App│          │        │
└──────────┴──────────┴──────────┴──────────┴──────────┴────────┘
        │           │           │           │           │
        ▼           ▼           ▼           ▼           ▼
   ┌──────────┬──────────┬──────────┬──────────┬──────────┐
   │Discovery │Lateral   │Collection│Exfiltr-  │Impact    │
   │          │Movement  │          │ation     │          │
   └──────────┴──────────┴──────────┴──────────┴──────────┘

Threat Intelligence-Led Testing

Red teams should simulate specific threat actors relevant to the target organisation:

Organisation Type	Likely Threat Actors	Key TTPs
Financial sector	APT groups, cybercriminals	Phishing, credential theft, SWIFT
Healthcare	Ransomware groups	Phishing, lateral movement, encryption
Defence/Gov	Nation-state actors	Supply chain, zero-days, persistence
Technology	Competitors, hacktivists	Source code theft, IP exfiltration

---

Purple Teaming

Purple teaming is the collaborative integration of red team (offensive) and blue team (defensive) activities:

Traditional:
   Red Team ──attacks──▶ Blue Team (detects)
   (adversarial, limited communication)

Purple Team:
   Red Team ◀──collaborates──▶ Blue Team
   (shared goals, real-time feedback)

Purple Team Exercise Flow

1. Red team performs a specific technique (e.g. Kerberoasting)
2. Blue team checks: Did our SIEM/EDR detect it?
3. If detected: validate alert quality, response procedures
4. If NOT detected: create detection rules together
5. Red team retests to confirm new detection works
6. Document and move to next technique

Benefits

Benefit	Description
Immediate feedback	Detections are validated in real time
Detection engineering	New rules are created and tested during exercise
Improved collaboration	Breaks down adversarial silos
Measurable improvement	Before/after detection coverage metrics
Knowledge transfer	Both teams learn from each other

---

Command and Control (C2) Frameworks

C2 frameworks provide infrastructure for managing compromised hosts during red team engagements:

Framework	Language	License	Key Features
Cobalt Strike	Java	Commercial	Industry standard, malleable C2
Sliver	Go	Open source	Modern, multi-platform, implant-based
Havoc	C/C++	Open source	Cobalt Strike alternative
Mythic	Python/Go	Open source	Modular, extensible agent framework
Brute Ratel	C/C++	Commercial	EDR evasion focused

C2 Architecture (Simplified)

┌───────────┐     ┌──────────────┐     ┌──────────────┐
│ Operator  │────▶│ C2 Teamserver│────▶│ Redirector   │
│ (Red Team)│     │              │     │ (hides C2)   │
└───────────┘     └──────────────┘     └──────┬───────┘
                                              │
                              ┌────────────────┼──────────┐
                              │                │          │
                              ▼                ▼          ▼
                        ┌──────────┐    ┌──────────┐  ┌──────────┐
                        │ Implant  │    │ Implant  │  │ Implant  │
                        │ (Host A) │    │ (Host B) │  │ (Host C) │
                        └──────────┘    └──────────┘  └──────────┘

Note: C2 frameworks are powerful tools for authorised red team operations. Misuse is illegal and unethical.

---

Offensive Security Certifications

Certification Roadmap

Entry Level:
  ├─ CompTIA Security+       — foundational security knowledge
  ├─ CEH (EC-Council)        — broad ethical hacking concepts
  └─ eJPT (INE/eLearnSec)   — practical entry-level pentest