Glossary · Red Teaming

What is Red Teaming?

Red Teaming is an objective-based adversary simulation that tests how well your detection-and-response capability holds up against a realistic, multi-month attack — not whether a single vulnerability exists. Red teams operate against agreed objectives (exfiltrate payroll, compromise the CFO's mailbox, plant code in production), using MITRE ATT&CK techniques across initial access, privilege escalation, lateral movement, and persistence. The deliverable is a story about how your blue team performed, not a list of CVEs.

Red Teaming is what penetration testing aspires to be when an organisation has matured past 'find me bugs.' The engagement is scoped by adversary objective — e.g. 'achieve domain admin and demonstrate access to the payroll database' — not by an asset list. Red teams pick whatever path is most realistic for the threat actor being simulated, including social engineering, physical access, supply-chain compromise, and lateral movement across cloud and on-prem boundaries.

The output is not a vulnerability report. It is a narrative: 'on day 4 we phished employee X with a lookalike domain registered on day 1, escalated privileges via a misconfigured group-policy share, moved laterally to the engineering OU, and exfiltrated 12 GB of source code over DNS — which your SIEM logged but your SOC dismissed as a benign anomaly at 02:47.' Red Teaming measures detection latency, response coordination, and the quality of after-action learning.

Engagements typically run 30–90 days for the active phase, plus 2 weeks for the joint debrief with the defending team (the 'blue team') and the deliverable write-up. Modern engagements are increasingly 'purple team' collaborative: instead of pure stealth, the red team announces each technique and the blue team practices detection in near-real-time. This converts a one-off audit into a permanent capability uplift.
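The measurement the text describes (detection latency per technique, and alerts that were logged but dismissed) can be reduced to a small purple-team scorecard. The following is an added illustration, not code from the original page or from any vendor; the ATT&CK technique ids are real, but the timeline, alert times and SOC dispositions are constructed sample data.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (not from the page): when the red team executed each
# ATT&CK technique, and what the SOC did about it.
RED_TEAM_TIMELINE = [
    # (technique id, description, execution time)
    ("T1566.002", "spearphishing link from lookalike domain", "2024-03-04T09:12:00"),
    ("T1078", "valid account from misconfigured GPO share", "2024-03-05T14:30:00"),
    ("T1021.002", "lateral movement over SMB to engineering OU", "2024-03-07T11:05:00"),
    ("T1048.003", "exfiltration over DNS", "2024-03-09T02:40:00"),
]
SOC_EVENTS = [
    # (technique id, alert time, analyst action time, disposition)
    ("T1566.002", "2024-03-04T09:40:00", "2024-03-04T10:15:00", "escalated"),
    ("T1021.002", "2024-03-07T11:30:00", "2024-03-07T13:00:00", "escalated"),
    ("T1048.003", "2024-03-09T02:47:00", "2024-03-09T02:47:00", "dismissed"),
]

def _minutes(later, earlier):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60

def score_detections(timeline, soc_events):
    """Per technique: responded, logged_but_dismissed, or missed, with latencies in minutes."""
    alerts = {ev[0]: ev for ev in soc_events}
    results = {}
    for tech, desc, executed in timeline:
        entry = {"desc": desc, "status": "missed", "minutes_to_alert": None, "minutes_to_response": None}
        if tech in alerts:
            _, alerted, acted, disposition = alerts[tech]
            entry["minutes_to_alert"] = _minutes(alerted, executed)
            if disposition == "dismissed":
                entry["status"] = "logged_but_dismissed"   # the SIEM saw it, the SOC did not act
            else:
                entry["status"] = "responded"
                entry["minutes_to_response"] = _minutes(acted, executed)
        results[tech] = entry
    return results

def summarize(results):
    """Engagement-level numbers for the debrief: coverage counts and median time to response."""
    responded = [r["minutes_to_response"] for r in results.values() if r["status"] == "responded"]
    return {
        "techniques": len(results),
        "responded": len(responded),
        "dismissed": sum(r["status"] == "logged_but_dismissed" for r in results.values()),
        "missed": sum(r["status"] == "missed" for r in results.values()),
        "median_minutes_to_response": median(responded) if responded else None,
    }
```

Calling `summarize(score_detections(RED_TEAM_TIMELINE, SOC_EVENTS))` on the sample data reports four techniques, two responded to, one logged but dismissed and one missed outright, which is the shape of finding the narrative deliverable is built around.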

Key points

  • Objective-based, not asset-based — the goal is access to specific data or systems.
  • Uses the full MITRE ATT&CK matrix; not limited to network or web targets.
  • Measures detection latency and response quality, not just exploitability.
  • Includes social engineering, physical access, and supply-chain vectors when in scope.
  • Deliverable is a narrative + timeline, not a CVE list.

Frequently asked

Red Team vs Penetration Test — what's the difference?
A pen-test is bounded by an asset list and finds vulnerabilities in those assets. A red team is bounded by an objective ('reach the payroll DB') and uses any technique — including social engineering, phishing, and physical access — to reach it. Red teams measure detection and response; pen-tests measure exposure.
How long does a red team engagement take?
Active operations: 30–90 days. Pre-engagement reconnaissance and scoping: 1–2 weeks. Debrief and reporting: 2 weeks. End-to-end, plan for 2–4 months. Continuous red-team programmes run year-round with quarterly objectives.
Is red teaming legal?
Yes — every engagement is preceded by a signed Letter of Authorization (LOA / 'get out of jail free card') and a Rules of Engagement (ROE) document that defines what's in scope (which assets, geographies, employees), what's off-limits (life-safety systems, customer data, regulator-blocked techniques), and emergency contacts. The LOA is carried by the red team during physical operations.
When should we engage a red team vs run more pen-tests?
When you have a mature vulnerability-management programme and a working SOC, and you want to validate whether your detection-and-response can stop a determined attacker. If basic vulnerabilities still exist or you have no SOC, run pen-tests and build the SOC first — a red team will just sail through and tell you what you already know.