FIELD GUIDE · OFFENSIVE

What Is Red Teaming? Red Team vs Pentest, TTPs and Examples

2026-05-28·11 min read·Offensive

Red teaming is a full-spectrum adversary simulation: a small, skilled team of offensive security professionals mimics a real-world threat actor across people, processes and technology to test whether the organization can prevent, detect and respond to a sophisticated attack. This guide answers the core questions — what red teaming is, how it differs from a penetration test, the methodology, the TTPs, and when an organization is mature enough to benefit from it.

What is red teaming?

Red teaming is a goal-oriented, adversary-simulation exercise where a team of offensive security experts mimics the tactics, techniques and procedures (TTPs) of a specific real-world threat actor against an organization. Unlike a penetration test, the scope is the organization itself — people, processes, technology, physical access — not a single application or network range. The exercise is graded on whether the blue team detects and responds, not just on which vulnerabilities exist.

Red team vs penetration test

The two terms get confused constantly. The differences matter — picking the wrong one wastes budget.

  • Scope. Pentest = a defined asset (web app, network range). Red team = the whole organization.
  • Goal. Pentest = find vulnerabilities. Red team = achieve a defined objective (data exfiltration, domain dominance).
  • Stealth. Pentest = visible and collaborative. Red team = covert, only a small white cell knows it is happening.
  • Duration. Pentest = 1–3 weeks. Red team = 4–12 weeks.
  • Maturity required. Pentest = any. Red team = mature blue team with working detection coverage.

Red team engagement phases

1. Threat modeling and adversary selection

Pick an actor whose targeting is realistic for your industry — a ransomware affiliate for a manufacturer, a state-sponsored APT for a defense supplier. Map their known TTPs from threat intelligence.

2. Reconnaissance

OSINT on employees, infrastructure, third parties, brand exposure. Identify the path of least resistance — the actor never picks the hard way.

3. Initial access

Phishing, exposed services, supply chain, physical intrusion or a combination. The first foothold is rarely the noisy part.

4. Foothold, persistence, privilege escalation

Stay under detection thresholds. Use living-off-the-land binaries. Move only when needed.

5. Lateral movement and objective

Reach the agreed objective — read a sensitive file, stage ransomware, dump domain credentials. Capture evidence at every step.

6. Reporting and replay

Reconstruct the full attack path. Replay every step with the blue team to identify exactly where detection should have fired and didn't.

TTPs and the MITRE ATT&CK framework

MITRE ATT&CK is the canonical taxonomy of adversary tactics (the why) and techniques (the how) — Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Modern red team reports map every action to an ATT&CK technique ID so the blue team can compare directly against their detection coverage.
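One way to carry out the report-versus-coverage comparison described above, and the phase 6 replay that asks where detection should have fired and didn't, as an added Python example that is not part of the original article: the attack path, the coverage map, the analytic names and the alert log are constructed sample data, not from a real engagement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Step:
    time: datetime
    technique: str   # ATT&CK technique ID the red team mapped the action to
    action: str

# Constructed red-team attack narrative (sample data for illustration only).
ATTACK_PATH = [
    Step(datetime(2026, 5, 4, 9, 12), "T1566.001", "phishing attachment opened by finance user"),
    Step(datetime(2026, 5, 4, 9, 15), "T1059.001", "PowerShell stager executed"),
    Step(datetime(2026, 5, 4, 11, 40), "T1003.001", "LSASS memory read on workstation"),
    Step(datetime(2026, 5, 5, 14, 2), "T1021.002", "admin share used to reach file server"),
    Step(datetime(2026, 5, 5, 14, 30), "T1041", "objective file exfiltrated over C2 channel"),
]

# Constructed blue-team coverage map: technique ID -> analytics claimed to detect it.
COVERAGE = {
    "T1566.001": ["mail-gateway-attachment-sandbox"],
    "T1059.001": ["edr-powershell-encoded-command"],
    "T1003.001": ["edr-lsass-access"],
    "T1021.002": [],            # listed, but no analytic actually deployed
    # T1041 is absent from the map entirely
}

# Constructed SOC alert log for the engagement window: (time, technique, analytic).
ALERTS = [
    (datetime(2026, 5, 4, 9, 16), "T1059.001", "edr-powershell-encoded-command"),
]

def grade_step(step, coverage, alerts, window=timedelta(minutes=30)):
    """Classify one step: detected, coverage-silent (analytic exists, no alert) or no-coverage."""
    analytics = coverage.get(step.technique, [])
    if not analytics:
        return "no-coverage"
    for t, tech, analytic in alerts:
        if tech == step.technique and analytic in analytics and step.time <= t <= step.time + window:
            return "detected"
    return "coverage-silent"

def replay(path=ATTACK_PATH, coverage=COVERAGE, alerts=ALERTS):
    """Verdict per technique ID, in attack order, for the debrief with the blue team."""
    return {s.technique: grade_step(s, coverage, alerts) for s in path}

def backlog(path=ATTACK_PATH, coverage=COVERAGE, alerts=ALERTS):
    """Steps that went unnoticed: the detection backlog the replay should hand over."""
    return [(s.technique, v) for s in path if (v := grade_step(s, coverage, alerts)) != "detected"]
```

The "coverage-silent" verdict is the one worth chasing first: the analytic was believed to work, so the gap is a tuning or telemetry failure rather than a missing rule.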

Common red team scenarios

  • Assumed breach — start from an already-compromised endpoint, focus on detection and response.
  • Ransomware simulation — emulate a real ransomware operator from phishing through file staging.
  • Insider threat — simulate a malicious employee with legitimate access.
  • Physical + cyber — combine social engineering and physical intrusion with a cyber objective.
  • Cloud-focused — target the IAM and data plane of the cloud provider, not the corporate AD.

When is your organization ready for red teaming?

Red teaming is wasted on an organization that hasn't done the basics. The honest checklist: working EDR on every endpoint, a SOC (internal or MSSP) that triages alerts, an incident response plan, current pentest results that have been remediated, and patch hygiene above 80%. Without those, a penetration test or an attack-surface assessment will produce more actionable value.

Red, blue and purple — the maturity ladder

Pentests find vulnerabilities. Red teams test whether you'd notice. Purple teaming closes the loop — red and blue work together on a defined technique, validate detection in real time, and fix the gap during the same session. The endgame is continuous purple: a steady cadence of small adversary emulations driving the detection backlog.

How long does a red team engagement take?

Typical engagements run 4–12 weeks: 1–2 weeks of recon, 2–6 weeks of execution, 1–2 weeks of reporting and replay.

How much does red teaming cost?

Mid-market engagements range from €40,000 to €120,000; enterprise multi-objective engagements regularly exceed €200,000. Cost scales with scope, stealth requirements and adversary fidelity.

Will the red team try to phish my employees?

Almost always, unless you exclude it. Phishing is the most realistic initial-access vector and the cheapest way to test the human layer.

Who in my company should know about the red team?

A small white cell: typically CISO, CIO, head of legal and head of HR. The blue team must not be told — that's the point.

What's the deliverable of a red team engagement?

An executive summary, a technical attack narrative, every step mapped to MITRE ATT&CK, recommendations per gap, and a debrief / replay session with the blue team.

CyberAce runs adversary-tiered red team and purple team engagements aligned to threat intelligence for your industry.