What Is a Red Team Exercise?

Definition and why conducting it is important


Red Team refers to a team of professional hackers that attempts to access a system by simulating a cyberattack. During a Red Team exercise, each team member plays a specific role while the team, as a whole, uses offensive strategies, a variety of techniques, and tools in order to weaken a system.

Red Team (the concept)

In cybersecurity, a Red Team's knowledge, skills and abilities go beyond those of a pentester whose role is to search, find and report system vulnerabilities. A Red Team also simulates a real attack by assuming an adversarial role.

Divide and conquer

Red Team members possess different hacking skills in order to simulate a real attack. This attack may be structured and divided, with the attackers focusing on specific activities to achieve success. Therefore, in a Red Team, you will find team members with the following skills:


Figure 1. Possible roles in a Red Team via medium.com.

Regarding the information above, we spoke with Andres Roldan. When we asked him about the Red Team exercise done by Fluid Attacks, he said:

"First, the Red Team proposes hacking objectives. For example: escalate privileges, modify system files or install a backdoor to do it. We use the kill chain strategy."


Take a look at this video from Fox9 about a Red Team exercise.

What is Kill Chain?

Kill Chain is a military term that describes the steps in launching an attack. One of its models, F2T2EA, includes the following phases:[1]

  1. Find: Identify a target using surveillance, reconnaissance data or intelligence gathering.

  2. Fix: Fix the target’s location. Obtain specific coordinates for the target either from existing data or by collecting additional data.

  3. Track: Monitor the target’s movement. Keep track of the target until either a decision is made not to engage the target or the target is successfully engaged.

  4. Target: Select an appropriate weapon or asset to use on the target to create desired effects. Apply command and control capabilities to assess the value of the target and the availability of appropriate weapons to engage it.

  5. Engage: Apply the weapon to the target.

  6. Assess: Evaluate the effects of the attack, including any intelligence gathered at the location.


Figure 2. F2T2EA - The Kill Chain via Biz -n- Seen blog.

Cyber Kill Chain

This term was adopted by Lockheed Martin and its incident team to prevent cyberattacks. Cyber Kill Chain has the following phases:

  1. Reconnaissance: Learning about the target using a variety of different techniques.

  2. Weaponization: Combining your vector of attack with a malicious payload.

  3. Delivery: Transmitting the payload via a communications vector.

  4. Exploitation: Taking advantage of a software or human weakness in order to get your payload to run.

  5. Installation: The payload establishes persistence on an individual host.

  6. Command & Control (C2): The malware calls home, providing attacker control.

  7. Actions on objectives: The attacker steals data or carries out whatever else they set out to do.


Figure 3. Cyber Kill Chain Phases via Lockheed Martin.

Cyber Kill Chain 3.0

This is an update of the Cyber Kill Chain, proposed for better defense by Corey Nachreiner, WatchGuard's Chief Technology Officer.

Cyber Kill Chain 3.0 has the following phases[2]:

  1. Recon

  2. Delivery

  3. Exploitation

  4. Infection

  5. Command & Control - Lateral Movement & Pivoting

  6. Objective/Exfiltration.

As you can see, version 3.0 has minor changes designed for better security defense, but those are not unique strategies. As mentioned in Help Net Security:

"Security professionals have differing opinions on the effectiveness of the kill chain as a defense model. Some love it, pointing out how several successful infosec teams use it, while others think it's lacking crucial details, and only covers a certain type of attacks. I think there is truth to both views, so I'd like to propose three simple steps to make the kill chain even better, let's call it Kill Chain 3.0."

Therefore, Kill Chain is not the only option. You can also adapt your attack strategy.
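To show how a defender can actually use the phases listed above, here is an added example (not code from the original post or from Fluid Attacks) that tags constructed log lines with the Cyber Kill Chain phase they evidence and reports which phases had no telemetry at all. The detection patterns, host names, and log lines are all hypothetical and constructed for this example.

```python
import re

# Cyber Kill Chain phases in order, as listed above.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on objectives"]

# Hypothetical detection rules: (regex over a log line, phase it evidences).
# Patterns are constructed for this example, not vendor signatures.
RULES = [
    (re.compile(r"port scan from"), "Reconnaissance"),
    (re.compile(r"attachment .* quarantined"), "Delivery"),
    (re.compile(r"macro execution blocked|shell spawned by office"), "Exploitation"),
    (re.compile(r"new scheduled task|run key added"), "Installation"),
    (re.compile(r"beacon to"), "Command & Control"),
    (re.compile(r"bulk file read|large outbound transfer"), "Actions on objectives"),
]

# Constructed log lines from a fictional intrusion; IPs are documentation ranges.
SAMPLE_LOGS = [
    "2024-05-01T08:02:11 ids: port scan from 203.0.113.7 against dmz-web",
    "2024-05-01T09:15:40 mail: attachment invoice.docm quarantined for user alice",
    "2024-05-01T09:17:02 edr: shell spawned by office process on ws-042",
    "2024-05-01T09:17:30 edr: run key added for persistence on ws-042",
    "2024-05-01T09:20:05 proxy: beacon to 198.51.100.23:443 every 60s",
]

def classify(lines):
    """Tag each log line with the first kill-chain phase whose rule matches.
    Returns (timestamp, phase, line) tuples in input order; unmatched lines drop."""
    events = []
    for line in lines:
        for pattern, phase in RULES:
            if pattern.search(line):
                events.append((line[:19], phase, line))
                break
    return events

def coverage_report(lines):
    """Phases with telemetry (in chain order) and phases with none."""
    seen = {phase for _, phase, _ in classify(lines)}
    observed = [p for p in PHASES if p in seen]
    gaps = [p for p in PHASES if p not in seen]
    return observed, gaps

def earliest_break(lines):
    """Earliest phase, in chain order, at which a defender had a chance to stop it."""
    observed, _ = coverage_report(lines)
    return observed[0] if observed else None
```

Weaponization always shows up as a gap because it happens on the attacker's side and produces no defender telemetry, which is one of the "lacking crucial details" criticisms quoted above; the useful output is the remaining gaps and the earliest phase where an alert existed but the chain was not broken.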

Customer benefits

Then, what are the benefits on the client side? Simply put, Red Team's cyberattack simulations expose the weaknesses within a client's systems or applications so that a client can better protect its information from a real attack scenario.

The client can then fix, build, design, and maximize its cybersecurity[3]; this is why the Blue Team exists. Like Red Team, Blue Team also has its defensive strategies, but we will save that discussion for a future post.

Conclusions

According to Medium.com, a Red Team member must have an offensive mindset. For this reason, "CTFs, wargames, or pen testing labs are a great way to exercise offensive mindset"[4]. At Fluid Attacks, every new member trains in hacking and programming challenges to check and assess their level of offensive mindset.

Our current talents are in the Top 10 for Colombia, and, in fact, some of them are in the Top 100 Worldwide.
