What's in an Engagement and Report?


Sure, you write the report, you list the findings and their solutions, you wrap it up with a good executive summary, pictures of the engagement and a closing statement. But, is that it? Is your job done?


There are a few things you still need to communicate. This is the key to a good Red Teaming engagement. No, it's not "I breached everything, bypassed all and got your data". It's not "your security sucks and we are so cool, look how we pwn you!".


The 5th phase of a Red Team engagement is the report. But there are a few more things you need to do. These are the key pieces that will not only bring your customer, or your team, to the next level, but also keep them engaged and thinking the way you want them to, effectively making them think like the adversary going forward.

There are, in my opinion, two things needed during and after the report:

  • A clear explanation of why they need to implement the security solutions you are recommending
  • A clear view of what their industry, and more importantly, their competitors and peers are doing to be more secure

Simple, right?

You would be surprised how often red teamers forget these.
Let's look at those two points.


The more your customer, or the people you are red teaming, understand why you are suggesting they do something, what you are solving, and how this directly correlates to real-world attackers, the more they will work with you and buy into your strategy and solutions. It is important they understand how attackers work, how they change, and that they need to change with them. Explain how you, the red teamer, need to adapt as well in order to effectively mimic and emulate the attackers that would come after this organization. Explain very simply, and without technical buzzwords, the gaps found in the assessments. Explain why we, the red teamers, do what we do.

It's a simple step, yet it is so hard to do. The benefits of this are enormous.


What are the competitors and peers doing with their security? Why? What are the standards out there today that they are not meeting? What security controls, and possibly what strategy, did the competition see fit to put in place, to solve which problem, against which attacker?
This is very important. Explain this very clearly. Explain what you did to understand the industry, gaining several points for really speaking their language. Explain the process an attacker would use to do the same, to understand the vulnerabilities and gaps in organizations within this industry, and how they would leap from there to the targeted reconnaissance of your customer. The more they understand the security needs of their industry, the more they will understand the need for Red Teaming. This is key to working the right way with an external Red Team.

Give them all the transparency you can. Work with them, make them understand the what.


The more you do this, the more you will begin to see a change in mindset in people that tend to be overly defensive when you break into their stuff. The moment they begin to understand what you do, how you do it and why, the more they will be inclined to work with you in the future.

I speak from experience.

When in doubt, red team it.

Book reviews

Since several people asked, here are some of the past books reviewed on the blog.

There are more. Search for "books".

Team of Teams

When I first thought about Team of Teams by General Stanley McChrystal, I thought this was another one of those books where a high ranking officer recounts some of the stuff he did when he was in charge of certain missions in Iraq or Afghanistan. But given that he commanded the Joint Special Operations Command (JSOC), and he is regarded as one of the people that made JSOC one of the most formidable, fluid and adaptable special operations organizations, I figured I'd give it a try.

What a great book.

This book is not about war. This book is about how to apply small team tactics and its mindset to large organizations, with ever changing landscapes and the human factor. This book helps cope with chaos and shows a different approach to adaptability.

Highly recommended.

Left of Bang


Left of Bang: How the Marine Corps' Combat Hunter Program Can Save Your Life, by Patrick Van Horne.

I finished reading this book last week and I took some time to digest all the material. It is filled with invaluable lessons from the Marine Corps Combat Hunter Program, presenting several strategic ways or systems for making decisions under pressure and in less than permissive environments. Left of Bang will enhance the level of observation and awareness of your surroundings. It is an excellent text about decision making in any time-critical profession where safety and lives are on the line.

Learning how to read the environment and respond to it properly is sometimes the difference between coming out alive or not. The book does a great job of explaining baseline body language, atmospherics and what is normal or not, in other words, detection of anomalies. You begin to understand the importance of trying to think proactively, 2-3 steps ahead of a possible threat.

The material in the book is taken from the US Marine Corps Combat Hunter Program, which was implemented as a way to better prepare Marines for counterinsurgency environments such as those found in Iraq and Afghanistan. In these environments the enemy hides among the civilians and blends in, coming out to attack and returning to being a "civilian". The book touches on some of the best profiling methods, some used by Israel, a country with a history of situational awareness. These are methods that anyone can apply to their daily lives to enhance personal security.

Highly recommended.

Human Intelligence Counterterrorism and National Leadership: a Practical Guide


This is a book about the current art of human intelligence and counterterrorism. Mr. Berntsen wrote this in an effort to make policy-makers more aware of the current efforts against terrorism worldwide. It is a simple, yet very informative book about the topic and one, in my opinion, that not only must be read by the top brass, but by everyone. We are all part of this war.

On the Red Teaming side, this book has a wealth of information about the human condition, about working the angles, about social engineering and HUMINT. It is a great book to have on your bookshelf.

The Unfettered Mind


The Unfettered Mind: Writings from a Zen Master to a Master Swordsman. By Takuan Soho.

This is a Zen book, a philosophy work. While this is not a Red Teaming or technical book per se, I think if you are looking to really understand the mindset, the human nature and how to better yourself, this book has a lot of value. I'm a long time Aikido practitioner, where Zen elements are present in every aspect of the Martial Art. One of my early Sensei requested that we read this book before taking our Shodan (Black Belt exam) and that we write a small work about our minds.

Many years later, I found the book again and I read it, now after having served in the military and already working as a Red Teamer. I understood the contents differently and I began applying those concepts during the analysis phase of the project. The results were surprising.

We must know that it is not enough just to see what the Mind is, we must put into practice all that makes it up in our daily life. We may talk about it glibly, we may write books to explain it, but that is far from being enough. However much we may talk about water and describe it quite intelligently, that does not make it real water. So with fire. Mere talking of it will not make the mouth burn. To know what they are means to experience them in actual concreteness. A book on cooking will not cure our hunger. To feel satisfied we must have actual food. So long as we do not go beyond mere talking, we are not true knowers.

It is a small book, but highly recommended.

Here's Takuan Soho on Red Teaming:

When you look at a tree, see it for its leaves, its branches, its trunk and the roots, then and only then will you see the tree.

Kill Decision


This book review is not about a technical book, it's about a modern science fiction novel: Kill Decision by Daniel Suarez.

Kill Decision is a mix of cyberpunk, military and actual science stories that come together in a great and frightening view of what is coming in the very, very near future. Daniel Suarez makes a compelling point about automated drones. A team of Special Operations Forces (The Activity) join forces with a university professor to fight a new threat to the United States and the world. The story is fast paced and violent, with hints of humor as well.

In any case, it's a fantastic book if you want a story that mixes several types of literature and contains a lot of good Red Team mindset in it.

Open Source Intelligence Techniques


Open Source Intelligence Techniques - 3rd edition (2014) by Michael Bazzell.

This was a present from a friend. I was a little skeptical given that in the past the OSINT (Open Source Intelligence) books that I've read were very vague, however I was surprised with this one.

This is a nice introduction to OSINT. It provides beginners and seasoned researchers with a good review of current tools and techniques. The author does a good job of presenting the material in an easy-to-read format. Again, it is mostly tailored for beginners, however there are a few tips and tricks that will also surprise the professionals.

The book presents techniques for searching for information using plain search engines, deep web search engines, social networks, online maps and resources (photos and videos), people search engines, documents and public domain government records, and others. Full of tools you can use, and with screenshots of those tools, it walks you through a simple, yet useful, way to search for and collect OSINT.

More: https://redteams.net/blog/?category=Books

F3EAD: Ops/Intel Fusion “Feeds” The SOF Targeting Process | Small Wars Journal

Find, Fix, Finish, Exploit, Analyze, and Disseminate (F3EAD), pronounced “F-three-e-a-d” or “feed,” is a version of the targeting methodology utilized by the special operations forces (SOF) responsible for some of the most widely-publicized missions in support of overseas contingency operations. F3EAD is a system that allows SOF to anticipate and predict enemy operations, identify, locate, and target enemy forces, and to perform intelligence exploitation and analysis of captured enemy personnel and materiel. Central to the F3EAD process is the functional fusion of operations and intelligence functions throughout the SOF organization. In F3EAD, commanders establish targeting priorities, the intelligence system provides the direction to the target, and the operations system performs the decisive operations necessary to accomplish the SOF mission. This paper explains the F3EAD process, examines how it is used by SOF and general purpose forces, and provides recommendations for its further implementation and inclusion into formal doctrine.

Recommended reading.

Quote of the day

"In all affairs it’s a healthy thing now and then to hang a question mark on the things you have long taken for granted. Many people would sooner die than think. In fact, they do."

-- Bertrand Russell

Key Things to Have in Mind while Red Teaming

Red Teaming is the art of thinking like the adversary, finding what that adversary will do, and doing it before they have a chance. In doing so, red teamers help build resiliency and create an overall more secure organization.

There are a few things you should consider when you begin to engage a new project, or while deep into an assessment. These things can be applied to all domains of Red Teaming, from digital to physical to human.

Intelligence leads to pwn

Gathering intelligence is essential for understanding your target and for guiding actions and behaviors. Learn your target, its industry, its people, and its competitors, and have a means to understand their real-time digital/physical behavior. Then make a plan.

"Developing the situation" is the most important overlooked skill

Most plans and field actions fail because of a lack of visibility or understanding of what's happening in the field. The environment was not fully analyzed, the target's 3rd party providers were not taken into account, the new leadership approach was not understood... In short, the information and potential problems were not analyzed and developed.
During your planning, make sure you don't ignore what the environment is giving you: do your homework, perform a situation analysis, run that extra OSINT and get your facts right.

Data is key, collect it

Without data to inform you on your progress, success, and direction, you will not be able to understand if you are successful or not. Use ACTE:

  • Assess the situation
  • Create a simple plan
  • Take action
  • Evaluate your progress

Once you loop, address your problems based on the data, re-orient, and execute.

Detailed planning is a must

Before every project or assessment, or even training, you need to spend hours, if not days, on planning and preparing for every scenario that might come up. This is key if you are to be successful. However, as we all know, Mr. Murphy is always present, and things will not go as planned. It's ok; spending time on planning helps you react better and faster when unplanned situations materialize. The more you plan, the more of an SOP (Standard Operating Procedure) you have, and the more you can fall back on what worked in similar situations in the past. Things repeat themselves.

Have a backup plan

You know plan A will more than likely fail, or the reality in the field will cause it to have to be re-arranged or dropped altogether. Having a plan B is a default in any red team assessment. Always plan this: understand the threats and risks, address them and make a plan B. Always have a PACE (Primary, Alternative, Contingency, Emergency).

Find the main vulnerability and attack it

Every system can be defeated by understanding its weak point and attacking it with full force. The same applies to people and physical targets. If you think of everything as a system that has vulnerabilities, it will get your mind in the right place. Scan your target as if you were a sniper: from far to close, then close to far; then left to right, and right to left. Create a grid and walk it, and make sure you analyze and collect all information.
The weakest areas are usually the joints: where two networks connect, where one area of responsibility ends and another begins, etc. The most vulnerable areas, those most likely to be exploited, are where two things connect. There is no such thing as a seamless connection. Seek those areas and attack them.

Separate the signal from the noise

Things can get too big to understand. Huge networks, huge numbers of systems, unknown variables, too many people to phish, and unpredictable situations. It's easy to get overwhelmed. You need to be able to separate the signal from the noise, focus on what's relevant and discard the rest. Identify the critical areas of your target and focus first on those. Then work down to smaller and smaller pieces, until you find the vulnerabilities to exploit.

At the end of the day, it's all about execution

You might have the perfect plan. Your team is ready and you have found the right things to exploit. If you fail on the execution, then it's all worthless. Do a dry run. Run your plan and contingencies. See what breaks and what can go wrong. Get ready to execute to the best of your capabilities.

Quote of the day

“The goal of training for alpine climbing can be summed up in one phrase: to make yourself as indestructible as possible. The harder you are to kill, the longer you will last in the mountains.”

— Mark Twight

Apply this mindset to security. Become resilient! By training to be harder to kill you are making your organization more prepared and more resilient to real-world attacks.

(via The Angry Red Teamer)