Simulating real attacks. Finding what automated tools miss. Any dev team can do this.
Red team vs pen test vs scan
| Activity | Goal | Duration |
|---|---|---|
| Vuln scan | Find known CVEs | Minutes |
| Pen test | Find and exploit vulns | Days |
| Red team | Achieve objective like real attacker | Weeks |
Objectives, not checklists
| Objective | Tests |
|---|---|
| Exfiltrate 1000 customer records | Data access controls |
| Gain shell on production | Infrastructure + detection |
| Deploy backdoored app | CI/CD security |
| Access prod DB from dev workstation | Lateral movement |
Planning
Get written authorisation. Define scope, rules, who knows.
Attack phases
1. Recon: DNS enumeration, tech fingerprinting, OSINT.
2. Initial access: Web vulns, phishing, exposed services, supply chain.
3. Post-exploitation:
aws sts get-caller-identity
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
env | grep -i secret
4. Objective: Document what you could access. Never actually exfiltrate real data.
5. Report: Attack path, timeline, detection gaps, recommendations.
Lightweight exercises
Threat model + attack: After threat modelling, try top 3 threats against staging.
Purple team: Attacker explains technique, defender checks detection, both review gaps.
Common findings
- Internal tools without auth
- Overly broad IAM
- Credentials in env vars
- No network segmentation
- No detection of lateral movement
The takeaway
Define objective. Get auth. Simulate realistic phases. Document attack paths and detection gaps. Purple team gives fast feedback. Goal: find and fix gaps before real attackers.