Skill Guide

Red-team methodology: scoping, rules of engagement, threat modeling, and reporting

Red-team methodology is a structured adversarial assessment framework that systematically simulates real-world attacks against an organization's assets by defining the assessment's scope (what to test), rules of engagement (how to test), threat modeling (who might attack and how), and producing actionable reporting (what was found and how to fix it).

This skill is valued because it proactively identifies security weaknesses before malicious actors do, directly reducing breach risk and financial loss. It impacts business outcomes by strengthening security posture, ensuring regulatory compliance, and protecting brand reputation through evidence-based vulnerability mitigation.

1 Careers

1 Categories

9.2 Avg Demand

15% Avg AI Risk

How to Learn Red-team methodology: scoping, rules of engagement, threat modeling, and reporting

Focus on: 1) Understanding the four pillars (Scoping, ROE, Threat Modeling, Reporting) and their interdependence. 2) Learning fundamental frameworks like MITRE ATT&CK for threat modeling and PTES for methodology. 3) Practicing clear, concise technical writing for report deliverables.

Move to practice by conducting tabletop exercises for scoping and ROE drafting. Common mistakes to avoid: underscoping (missing critical assets), overly permissive ROE (causing disruption), and generic reports lacking root-cause analysis. Apply threat models like STRIDE to real applications.

Master the skill by architecting red-team programs aligned with business objectives (e.g., protecting crown jewel assets). Focus on integrating red-team findings into enterprise risk management frameworks, mentoring junior staff, and designing multi-vector campaigns that test detection and response capabilities, not just prevention.

Practice Projects

Beginner

Case Study/Exercise

Drafting a Scoping Document and ROE for a Web Application

Scenario

Your company's marketing team launches a new public-facing customer portal. You must define a red-team assessment for it.

How to Execute

1. List all assets: domain, API endpoints, authentication flows, third-party integrations. 2. Define clear boundaries: in-scope (e.g., login function) vs. out-of-scope (production database data). 3. Draft ROE clauses: authorized testing hours, communication channels, escalation procedures for critical findings, and explicit 'do-not-attack' lists.

Intermediate

Case Study/Exercise

Threat Modeling a Cloud-Native Microservice

Scenario

A financial service uses AWS with Kubernetes, serverless functions, and an API gateway. Model threats for a new payment processing microservice.

How to Execute

1. Diagram data flows: identify entry points (API calls), data stores (DynamoDB), and trust boundaries (VPCs). 2. Apply STRIDE to each element: e.g., for the API gateway, analyze spoofing (authentication bypass), tampering (request manipulation). 3. Prioritize threats using DREAD or a business-risk matrix. 4. Map potential attack paths to specific MITRE ATT&CK techniques (e.g., T1190 for initial access).

Advanced

Case Study/Exercise

Leading a Full-Scope Red Team Engagement Against a Hybrid Enterprise

Scenario

You are the lead for a red team targeting a multinational corporation with on-prem AD, cloud Azure AD, remote employees, and OT systems. The objective is to achieve access to the executive board's financial data.

How to Execute

1. Develop a campaign plan with phased objectives: initial access (phishing vs. physical), lateral movement, privilege escalation, data exfiltration. 2. Continuously refine ROE with the blue team lead for safety, using a dedicated C2 channel. 3. Manage a team with specialized roles (web, network, social engineering). 4. Produce a final report that maps every action to MITRE ATT&CK, provides systemic fixes (not just point patches), and delivers an executive presentation focused on business impact.

Tools & Frameworks

Mental Models & Methodologies

MITRE ATT&CKPTES (Penetration Testing Execution Standard)STRIDE Threat ModelDREAD Risk Assessment

MITRE ATT&CK provides a common language for adversary tactics and techniques. PTES offers a structured phase-based methodology. STRIDE and DREAD are used for systematic threat identification and risk prioritization during modeling.

Documentation & Collaboration Tools

Dradis FrameworkAttackForgeConfluence/Notion TemplatesLucidchart/Draw.io

Dradis and AttackForge are specialized platforms for collaborative red-team reporting and data aggregation. Confluence/Notion are used for scoping docs and ROE. Diagramming tools are essential for creating threat models and attack path visualizations.

Technical Testing Platforms

Cobalt Strike/SliverBurp Suite ProBloodHoundAxiom/CAE

Cobalt Strike/Sliver are for command and control (C2). Burp Suite is for web application testing. BloodHound maps Active Directory attack paths. Axiom/CAE help manage red-team infrastructure safely and ethically.

Interview Questions

Answer Strategy

Use a structured framework. Start by identifying critical assets (device firmware, cloud management platform, corporate network bridge). Define clear technical boundaries (e.g., only test devices in the lab VLAN, not production). Draft ROE covering authorization, safe exploitation limits (no bricking devices), communication protocols, and legal considerations for hardware. Sample answer: 'I'd begin by meeting with the engineering and security teams to map all assets: the device's firmware, its cloud API, and the network segments it connects to. The scope would exclude the production corporate network but include a lab replica. The ROE would specify that all tests are non-destructive, use our isolated lab environment, and that any exploit capable of bricking a device requires explicit written approval from the engineering lead before execution.'

Answer Strategy

This tests adaptability and communication. Focus on the decision-making process and stakeholder management. The trigger should be a finding that revealed a higher risk or changed the attack surface. Communication must be clear, timely, and documented. Sample answer: 'During an engagement, our phishing campaign unexpectedly yielded credentials for a cloud admin, a much higher privilege level than anticipated. The trigger was this critical finding. I immediately paused the campaign, documented the credential exposure, and convened a meeting with the blue team lead and the client's CISO. I presented the new attack path and proposed a revised scope to safely test cloud privilege escalation. We jointly updated the ROE to include specific cloud attack simulations and agreed on new containment procedures. This was documented in an addendum to the original ROE.'