Red Team

What Is Red Team?

The "Red Team" skill is a specialized capability designed for planning and executing authorized red team engagements, attack path analysis, and offensive security simulations. Unlike vulnerability scanning or incident response, red teaming simulates real-world adversaries to rigorously test an organization’s detection, response, and security controls through structured, goal-oriented campaigns. This skill draws from the MITRE ATT&CK framework, enabling security professionals to design, optimize, and evaluate attack scenarios across the full kill chain—from initial access to data exfiltration.

By providing a systematic approach to selecting attack techniques, evaluating operational security (OPSEC) risks, and identifying critical infrastructure (crown jewels), the Red Team skill facilitates comprehensive adversary emulation and control testing. It is particularly valuable for security teams, consultants, and organizations aiming to move beyond automated scanning and engage in realistic, high-value security assessments.

Why Use Red Team?

Red teaming delivers unique insights that traditional security assessments cannot. While penetration testing and vulnerability scanning identify surface-level weaknesses, red teaming challenges the entire security stack’s ability to detect, delay, and respond to advanced persistent threats (APTs) employing multi-stage attack paths.

Key benefits of using the Red Team skill include:

• Realistic Threat Simulation: Emulate adversaries using tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK.
• Holistic Security Validation: Test people, processes, and technology—not just technical controls.
• Attack Path Analysis: Identify and visualize all possible routes from initial compromise to valuable assets.
• Prioritized Remediation: Highlight critical choke points and high-impact detections for focused improvements.
• OPSEC Awareness: Ensure simulation activities do not trigger unintended detection or disrupt business operations.

Ultimately, the Red Team skill empowers organizations to proactively strengthen their security posture by simulating the most likely and most damaging attack scenarios.

How to Get Started

To leverage the Red Team skill, clone the repository and integrate the skill into your existing security workflow:

git clone https://github.com/alirezarezvani/claude-skills.git
cd claude-skills/engineering-team/red-team

The skill is designed to be modular and can be used as a standalone planning toolkit or integrated into broader security automation frameworks. The core workflow involves:

1. Define Engagement Scope: Identify the business objectives, rules of engagement, and target environments.
2. Select Target Crown Jewels: Pinpoint critical assets (data, systems, or processes) to focus the attack simulation.
3. Map Attack Paths: Use MITRE ATT&CK to identify relevant techniques and likely adversary behaviors.
4. Score Techniques: Assess each technique for required effort and detection risk.
5. Assemble Kill Chains: Organize selected techniques into logical attack sequences.
6. Conduct OPSEC Review: Evaluate operational security risks before execution.

A typical engagement plan can be generated with:

from red_team import EngagementPlanner

planner = EngagementPlanner(
    targets=['AD Domain Controller', 'Customer Database'],
    objectives=['Domain Admin', 'Data Exfiltration'],
    rules_of_engagement={'allowed_methods': ['phishing', 'lateral_movement']}
)
attack_plan = planner.generate_attack_paths()
print(attack_plan)

Key Features

The Red Team skill provides a suite of features tailored for comprehensive offensive security planning:

• MITRE ATT&CK Kill-Chain Planning: Aligns attack scenarios with recognized adversary tactics and techniques, ensuring relevance and completeness.
• Technique Scoring and Prioritization: Automates the risk and effort analysis of attack techniques, enabling data-driven selection.
• Choke Point Identification: Highlights critical control points where defenders can detect or block attacks, supporting focused defense improvement.
• OPSEC Risk Assessment: Integrates operational security considerations into every phase, reducing the risk of premature detection or collateral impact.
• Crown Jewel Targeting: Supports the deliberate selection of high-value assets and business processes as attack objectives.
• Attack Path Methodology: Maps multi-stage attack chains, helping visualize and communicate potential adversary routes.
• Workflow Templates: Provides structured templates for planning, execution, and reporting.

For example, choke point analysis can be performed programmatically:

from red_team.analysis import ChokePointAnalyzer

choke_points = ChokePointAnalyzer(attack_plan).identify()
print(f"Critical detection points: {choke_points}")

Best Practices

• Engage Stakeholders: Collaborate with business and technical stakeholders to define meaningful objectives and boundaries.
• Map to Real-World Threats: Use threat intelligence to select attacker TTPs that reflect likely and relevant adversaries.
• Iterative Planning: Continuously refine attack paths based on detection feedback and environmental changes.
• Document Everything: Maintain detailed records of plans, executed actions, and findings to support learning and improvement.
• Respect OPSEC: Treat operational security as a first-class concern to avoid unintended consequences.

Important Notes

• Authorization Required: Only use the Red Team skill in environments where you have explicit, written authorization. Unauthorized use is unethical and potentially illegal.
• Not for Vulnerability Scanning: This skill is not a substitute for traditional vulnerability scanning or penetration testing; it is intended for advanced adversary simulation.
• Continuous Updates Needed: The threat landscape evolves rapidly. Regularly update your MITRE ATT&CK mappings and engagement methodologies to stay current.
• Separation of Duties: Ensure clear separation between red team (offense) and blue team (defense) roles to preserve test integrity.
• Ethical Responsibility: Always prioritize safety, privacy, and minimal business impact in every engagement.