LazyHackers.in — Checklist
🎯 Red Team Operations Checklist
Adversary emulation, phase by phase: scenario · tooling · steps · ATT&CK · the control
☰ How to use this guide
A red team is not a vuln-by-vuln pentest — it's an objective-driven attack chain that emulates a real adversary while staying OPSEC-clean and in scope. The deliverable is the attack narrative + detection gaps, not a pile of findings. This guide turns every checklist line into how-to-run, organised by the engagement lifecycle and MITRE ATT&CK, with the AD chain (where most internal RT lands) detailed at the end. For non-AD service-level testing, pair with the Network checklist.
Each section maps to ATT&CK tactics and ends with a coverage table: the TTP, how to run it, and the defensive control / detection. The closing 'Report as' lines here are framed as the control gap a finding represents.
⚠ Authorised scope only, with a signed RoE and authorisation letter in hand. OPSEC every phase: test tooling for detection in a lab first, deconflict before anything that could trigger IR, and never take destructive action outside the RoE.
0 Pre-engagement & setup
Get the paperwork and guardrails right before touching anything. This is what keeps the engagement legal, safe and useful.
⚑ Report as: “Pre-engagement: objectives, RoE, authorisation and deconfliction agreed”
🛡 Fix: Defenders should expect: a defined scope, a deconfliction channel, and a detection-tolerance agreement — these let the engagement test response without real harm.
Pre-engagement & setup — full coverage
| Checklist item | How to run | Outcome |
|---|---|---|
| Objectives / crown jewels defined | workshop with client | Engagement objectives set |
| RoE signed (scope/exclusions/timing) | RoE document | Rules of engagement agreed |
| Engagement type fixed | choose external/internal/assumed-breach | Engagement type set |
| Authorisation letter in hand | get-out-of-jail letter | Authorisation obtained |
| Deconfliction + emergency contacts | agree channel | Deconfliction process set |
| Detection-tolerance / destructive limits | agree limits | Detection tolerance agreed |
| Data handling / cleanup plan | define plan | Data-handling plan set |
| Own-action logging for report | set up logging | Activity logging set up |
| TTP profile to emulate chosen | pick threat actor | Adversary profile selected |
1 Reconnaissance
Passive OSINT first (employees, email format, breach data, exposed assets), then careful active recon (low-and-slow).
# Employee + email format + breach correlation
# (LinkedIn org, then derive {first}.{last}@target.tld); check breach datasets
# Exposed assets via cert transparency + Shodan
subfinder -d target.tld -silent | httpx -silent
shodan search "org:Target"
# Careful active perimeter scan (low-and-slow)
nmap -sS -T2 --top-ports 100 -iL external.txt⚑ Report as: “Control gap: excessive public exposure (employees, assets, leaked creds) enables targeting”
🛡 Fix: Reduce OSINT footprint; monitor for leaked credentials; rate-limit/alert on external scanning; harden VPN/webmail/SSO gateways.
Reconnaissance — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Domain & subdomain enum | subfinder/amass | Attack surface mapped (T1590) |
| Employee enumeration | LinkedIn/OSINT | Personnel enumerated (T1589) |
| Email format + breach correlation | derive + breach data | Valid-account candidates |
| Credential leaks in dumps/paste | breach datasets | Leaked credentials found |
| Tech/cloud footprint fingerprint | whatweb/cloud enum | Tech stack mapped |
| Exposed assets via Shodan/CT | shodan / crt.sh | Exposed assets |
| Metadata harvesting from docs | exiftool on public docs | Metadata disclosure |
| Social/physical recon (if scoped) | site survey | Physical recon |
| External port/service scan (low-slow) | nmap -T2 | Perimeter services mapped |
| VPN/webmail/SSO/RDP gateway discovery | probe gateways | Auth gateways identified |
| Public app surface mapping | crawl apps | App surface mapped |
| Wireless/physical perimeter (if scoped) | site recon | Perimeter recon |
2 Resource development (infra)
Stand up attributable-free infra: redirectors fronting C2, aged/categorised domains, valid TLS, a tuned C2 profile, and phishing infra with aligned email auth.
⚑ Report as: “Control gap: phishing/C2 infra reaches users (weak mail auth, no egress/domain filtering)”
🛡 Fix: Enforce SPF/DKIM/DMARC; filter newly-registered/uncategorised domains; egress-filter and inspect C2-like traffic; alert on beaconing patterns.
Resource development (infra) — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Redirectors fronting C2 | HTTP/HTTPS/DNS redirectors | C2 infra (T1583) |
| Domain categorisation/aging | age & categorise domains | Phishing/C2 domains |
| Valid TLS on infra | Let’s Encrypt | TLS infra |
| C2 framework chosen & profiled | malleable/jitter/sleep tuning | C2 profile set |
| Domain fronting/CDN (if legal) | CDN fronting | Fronted channel |
| Phishing infra + SPF/DKIM/DMARC | mail server + GoPhish | Phishing infra |
| Payload dev & EDR-evasion (lab) | lab detonation tests | Tested payloads |
| Infra not attributable / per-engagement | isolated infra | Attribution hygiene |
| Tooling staged on disposable VPS | disposable cloud | Staging infra |
3 Initial access
Break in: spear-phishing, password spray on exposed auth, edge-service exploitation, or valid leaked accounts.
# Low-and-slow password spray on exposed auth (OWA/VPN/SSO)
# one password, many users, paced under lockout windows
# (e.g. MailSniper/o365spray for M365; ensure RoE allows)
# Edge-service exploitation: target known VPN/Citrix/edge CVEs in scope⚑ Report as: “Control gap: phishing-susceptible users / sprayable exposed auth / unpatched edge service”
🛡 Fix: MFA everywhere (phishing-resistant where possible); user awareness + reporting; lockout + spray detection; patch edge devices; restrict OAuth consent and device-code flows.
Initial access — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Spear-phishing (link/attachment/harvest) | GoPhish + payload | Phishing access (T1566) |
| Malicious doc/macro/container (ISO/LNK/HTA) | crafted container | Macro/container access |
| OAuth / device-code phishing | consent-grant phish | Illicit consent (T1528) |
| Password spray on exposed auth | low-and-slow spray | Valid accounts (T1110.003) |
| Credential stuffing from breach | replay combos | Stuffed access |
| Exposed service exploitation | edge CVE | Exploit access (T1190) |
| Valid accounts from leak | use leaked creds | Valid account (T1078) |
| MFA fatigue / push bombing (if scoped) | push spam | MFA fatigue |
| SIM-swap / vishing (if authorised) | social engineering | Vishing access |
| Drive-by / watering hole (scoped) | malicious site | Drive-by |
| Physical: rogue device/USB/tailgating | physical entry | Physical access |
| Supply-chain / third-party (if scoped) | partner path | Supply-chain access |
4 Execution
Get code running and a stable beacon, preferring LOLBins and in-memory/fileless execution.
⚑ Report as: “Control gap: unconstrained script/LOLBin execution (no AMSI/script-block logging or app control)”
🛡 Fix: Enable PowerShell script-block + module logging and AMSI; application control (WDAC/AppLocker); constrained language mode; alert on suspicious parent-child process chains.
Execution — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Payload execution (implant/beacon) | deliver + run | Execution (T1059) |
| LOLBins for execution | living-off-the-land | LOLBin execution |
| Scripting w/ logging-evasion | PowerShell/WMI/CScript | Scripted execution |
| Scheduled task/service execution | schtasks/sc | Scheduled execution |
| In-memory / fileless | reflective load | Fileless execution |
| Verify C2 callback + stable session | confirm beacon | Stable C2 |
5 Persistence
Survive reboots and cleanup with multiple independent, blend-in mechanisms.
⚑ Report as: “Control gap: persistence mechanisms not monitored (run keys, tasks, services, WMI subs)”
🛡 Fix: Monitor autoruns, scheduled tasks, services and WMI event subscriptions; baseline and alert on new persistence; protect krbtgt and DSRM; review OAuth app registrations and refresh tokens in cloud.
Persistence — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Registry run keys / startup | set run key | Persistence (T1547) |
| Scheduled tasks / cron | schtasks/cron | Scheduled-task persistence |
| Service creation/modification | new service | Service persistence |
| WMI event subscription | WMI sub | WMI persistence (T1546.003) |
| DLL/COM hijacking | hijack search order | Hijack persistence |
| Golden/Silver ticket (AD) | see §AD | Ticket persistence |
| Skeleton key / DSRM (AD) | see §AD | AD backdoor |
| Valid account / cloud token persistence | create account/token | Account persistence |
| SSH keys / authorized_keys (Linux) | add key | SSH persistence |
| OAuth refresh token / app registration | register app | Cloud persistence |
| Multiple independent mechanisms | layer persistence | Resilient persistence |
| Blends with legitimate artifacts | mimic legit | OPSEC persistence |
6 Privilege escalation
Escalate locally on Windows and Linux. Triage with WinPEAS/LinPEAS, then exploit the specific misconfig.
# Windows triage + common wins
winPEASany.exe
# unquoted service path, weak service perms, AlwaysInstallElevated, Potato (token impersonation)
# Linux triage + common wins
linpeas.sh
# SUID/GTFOBins, sudo NOPASSWD, writable cron/PATH, capabilities
sudo -l ; find / -perm -4000 -type f 2>/dev/null⚑ Report as: “Control gap: local privilege escalation via <service misconfig / SUID / sudo>”
🛡 Fix: Fix service path/permission misconfigs; remove AlwaysInstallElevated; patch; restrict SUID binaries and sudo NOPASSWD; least-privilege local accounts; EDR on token-manipulation behaviours.
Privilege escalation — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Win: unquoted service path / weak perms | winPEAS | Service-misconfig privesc |
| Win: AlwaysInstallElevated | check policy | AlwaysInstallElevated |
| Win: token impersonation (Potato) | Potato family | Token impersonation |
| Win: UAC bypass | UAC bypass technique | UAC bypass |
| Win: credential reuse / cached | harvest & reuse | Credential reuse |
| Win: DLL hijack in priv process | hijack | DLL-hijack privesc |
| Win: WinPEAS findings triaged | review output | Privesc candidates |
| Linux: SUID/SGID / GTFOBins | find SUID + GTFOBins | SUID privesc |
| Linux: sudo NOPASSWD/misconfig | sudo -l | Sudo misconfig |
| Linux: writable cron/PATH | check cron/PATH | Cron/PATH abuse |
| Linux: capabilities abuse | getcap | Capabilities privesc |
| Linux: kernel exploit (last resort) | targeted exploit | Kernel privesc |
| Linux: LinPEAS findings triaged | review output | Privesc candidates |
7 Defense evasion
OPSEC core: validate evasion in a lab, bypass AMSI/ETW, blend C2 traffic, and minimise footprint.
⚑ Report as: “Control gap: EDR/telemetry evadable (AMSI/ETW unhooking, injection undetected)”
🛡 Fix: Tamper-protect EDR; monitor for AMSI/ETW patching and unbacked memory execution; detect process injection and PPID spoofing; correlate beaconing despite jitter; protect and centralise logs against tampering.
Defense evasion — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| AV/EDR evasion validated (lab) | lab test | Evasion validated (T1562) |
| AMSI bypass | AMSI patch | AMSI bypass |
| ETW patching / unhooking | patch ETW | ETW evasion |
| PPID spoofing / process injection | inject | Process injection (T1055) |
| Indirect syscalls / unhooked NTDLL | syscall technique | Unhooking |
| Log tampering minimised/logged | avoid or log | Log-tamper control |
| Timestomping | modify timestamps | Timestomp (T1070.006) |
| Sleep/jitter tuned | C2 profile | Beacon evasion |
| Traffic blends with normal | malleable profile | Traffic blending |
| Minimal footprint (no mass scans) | targeted actions | Low footprint |
| Clear command history (where apt) | history hygiene | History clearing |
| Disable telemetry only if RoE allows | authorised only | Telemetry handling |
8 Credential access
Harvest credentials — LSASS, hives, DPAPI, AD roasting/DCSync, and creds lying in files/SYSVOL.
# OPSEC-safe LSASS handling, SAM/SYSTEM hives, DPAPI, SYSVOL GPP
# Impacket secretsdump (remote): SAM + LSA + (DCSync) NTDS
secretsdump.py 'DOMAIN/user:pass@host'
# GPP cpassword in SYSVOL (decryptable - known AES key)
findstr /S /I cpassword \\domain\sysvol\*.xml⚑ Report as: “Control gap: credentials harvestable (LSASS / SYSVOL GPP / cached / vaults)”
🛡 Fix: Enable Credential Guard / LSASS protection; remove GPP passwords from SYSVOL; restrict local-admin reuse (LAPS); protect DPAPI and credential vaults; monitor LSASS access and DCSync (replication) from non-DCs.
Credential access — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| LSASS dump (OPSEC-safe) | protected dump method | Credential dump (T1003.001) |
| SAM/SECURITY/SYSTEM hives | reg save / secretsdump | Hive extraction |
| DPAPI / browser / saved RDP | DPAPI decrypt | DPAPI secrets |
| Kerberoasting (AD) | see §AD | Kerberoast |
| AS-REP roasting (AD) | see §AD | AS-REP roast |
| DCSync (AD) | see §AD | DCSync (T1003.006) |
| Creds in files/scripts/SYSVOL (GPP) | findstr cpassword | GPP password |
| Cleartext creds in memory/config/env | grep memory/config | Cleartext credentials |
| Cloud token/key from metadata | metadata theft | Cloud credential theft |
| Keylogging / clipboard (if scoped) | keylogger | Input capture |
| Vault / KeePass / Secrets Manager loot | loot vaults | Vault credential theft |
9 Discovery (situational awareness)
Situational awareness: local host, domain, shares, ACLs/delegation, and high-value targets. BloodHound maps the path.
# BloodHound collection (OPSEC-aware), then find shortest path to DA
# SharpHound / bloodhound-python -> import to BloodHound -> "Shortest Path to Domain Admins"
bloodhound-python -d target.local -u user -p pass -c All -ns <dc-ip>
# Share hunting
nxc smb <range> -u user -p pass -M spider_plus⚑ Report as: “Control gap: excessive AD attack paths (ACLs/delegation) reachable from low-priv user”
🛡 Fix: Reduce AD attack paths (tier model, prune dangerous ACLs/delegation); restrict broad SMB share access; monitor BloodHound-style enumeration and large LDAP queries.
Discovery — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Local host enum | seatbelt/manual | Host discovery (T1082) |
| Domain enum (users/groups/computers/GPO) | PowerView/ldapsearch | Domain discovery |
| BloodHound collection | SharpHound | Attack paths mapped |
| Network share enumeration | nxc spider | Share discovery |
| ACL / delegation mapping | BloodHound | ACL/delegation map |
| High-value target identification | BloodHound markup | HVT identified |
| Cloud / hybrid identity enum | AADInternals/ROADtools | Hybrid identity discovery |
| Security tooling/SIEM/EDR footprint | enum AV/EDR | Defense footprint mapped |
| Segmentation/reachable subnets | subnet probe | Reachable subnets mapped |
10 Lateral movement
Move to new hosts with stolen material — PtH/PtT, PsExec/WMI/WinRM, relays and delegation abuse. Spread minimally, objective-driven.
# Pass-the-Hash / exec over SMB or WinRM (Impacket / NetExec)
nxc smb <host> -u user -H <NTLM> -x 'whoami'
psexec.py -hashes :<NTLM> 'DOMAIN/user@host'
# Pass-the-Ticket
export KRB5CCNAME=ticket.ccache ; psexec.py -k -no-pass DOMAIN/user@host⚑ Report as: “Control gap: unrestricted lateral movement (PtH/PtT, local-admin reuse, delegation abuse)”
🛡 Fix: LAPS to kill local-admin reuse; restrict SMB/WinRM/RDP source hosts (tiering, host firewall); fix unconstrained/RBCD delegation; enforce SMB/LDAP signing against relays; monitor remote-exec and Kerberos anomalies.
Lateral movement — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Pass-the-Hash | nxc -H | PtH (T1550.002) |
| Pass-the-Ticket / Overpass-the-Hash | PtT | PtT (T1550.003) |
| PsExec / SMB exec | psexec.py | SMB exec |
| WMI / WinRM / DCOM | wmiexec/winrm | Remote exec |
| RDP (with OPSEC) | rdp | RDP movement |
| SSH pivoting (Linux) | ssh tunnel | SSH pivot |
| Token impersonation across hosts | token theft | Token movement |
| Relay attacks (NTLM→SMB/LDAP/ADCS) | ntlmrelayx | NTLM relay |
| Delegation abuse (uncon/con/RBCD) | Rubeus/impacket | Delegation abuse |
| SOCKS/proxy pivoting | chisel/C2 socks | Pivot proxy |
| Spread minimal & objective-driven | targeted movement | OPSEC spread |
11–14 Collection, C2, exfiltration & impact
Locate crown-jewel data (collection), keep C2 resilient, prove exfil capability (usually a planted marker, not real PII), and complete the objective — demonstrating impact safely.
⚑ Report as: “Control gap: crown-jewel data reachable + exfil possible (DLP/egress gap) without detection”
🛡 Fix: DLP + egress controls on sensitive data; alert on staging/compression and large outbound transfers; segment crown jewels; the value to the client is proving the chain and the detection gaps, not pillaging real data.
Collection, C2, exfiltration & impact — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| Locate crown-jewel data | per objectives | Target data located (T1005) |
| Sensitive shares/DBs/mailboxes | enumerate | Sensitive data access |
| Screenshots / proof-of-access | capture | Evidence captured |
| Staging (compressed/encrypted) | stage data | Data staged (T1074) |
| Minimal copy (proof not estate) | collect proof only | Minimal collection |
| PII/regulated per RoE (prove, not exfil) | prove access | Compliant handling |
| Beacon stable through redirectors | verify C2 | Resilient C2 (T1071) |
| Sleep/jitter; long+short-haul | tune channels | C2 channels |
| Fallback C2 channel ready | set fallback | C2 redundancy |
| DNS/HTTPS/fronted backup | alt channel | Backup C2 |
| Traffic mimics legit (malleable) | profile | C2 blending |
| Egress path validated | test egress | Egress mapped |
| Exfil over C2 (encrypted) | exfil channel | Exfil capability (T1041) |
| Exfil over alt channel (test DLP) | DNS/cloud exfil | DLP test |
| Small canary exfil (purple) | planted marker | Detection validation |
| Respect RoE on real data | marker not PII | Compliant exfil |
| Track what left (DLP finding) | log exfil | DLP coverage finding |
| Objective achieved (DA/flag) | complete objective | Objective complete (T1486 if scoped) |
| Demonstrate impact safely | no real destruction | Impact demonstrated |
| Capture evidence chain | recon→objective | Attack chain evidenced |
| Ransomware/disruption only if authorised | authorised only | Scoped impact |
| Document blast radius & business risk | write up | Risk documented |
Active Directory attack chain
AD Active Directory attack chain
Where most internal red teams land. Enumerate the paths, harvest tickets/hashes, escalate to Domain/Enterprise Admin, then persist. ADCS (ESC1–ESC8) is now a primary route.
# Kerberoast + AS-REP roast (Impacket)
GetUserSPNs.py -request 'DOMAIN/user:pass' -dc-ip <dc> # -> crack with hashcat -m 13100
GetNPUsers.py 'DOMAIN/' -usersfile users.txt -no-pass -dc-ip <dc> # -> hashcat -m 18200
# DCSync (replication rights)
secretsdump.py -just-dc 'DOMAIN/user:pass@dc'
# ADCS abuse (Certipy) — find + exploit ESC1..ESC8
certipy find -u user@domain -p pass -dc-ip <dc> -vulnerable
certipy req -u user@domain -p pass -ca <CA> -template <vuln> -upn administrator@domain
# Golden ticket (krbtgt hash) — domain persistence
ticketer.py -nthash <krbtgt> -domain-sid <SID> -domain DOMAIN administrator⚑ Report as: “AD: path to Domain Admin via <Kerberoast / ACL abuse / ADCS ESC / DCSync>”
🛡 Fix: Strong service-account passwords + gMSA (kills Kerberoast); preauth on all accounts (kills AS-REP roast); prune dangerous ACLs and delegation; harden ADCS templates (ESC1–ESC8) and require manager approval; restrict DCSync rights; protect krbtgt (double-rotate); LAPS; tiered admin model.
Active Directory — full coverage
| Checklist item | How to run | Outcome / ATT&CK |
|---|---|---|
| BloodHound shortest path to DA | SharpHound + BloodHound | Attack path to DA |
| SPN / Kerberoastable accounts | GetUserSPNs.py | Kerberoastable account |
| AS-REP roastable (no preauth) | GetNPUsers.py | AS-REP roastable account |
| ACL abuse paths (GenericAll/WriteDACL) | BloodHound | Dangerous ACL |
| Delegation (uncon/con/RBCD) mapped | BloodHound/Rubeus | Abusable delegation |
| GPO abuse opportunities | review GPOs | GPO abuse |
| Trust relationships | enumerate trusts | Trust path |
| ADCS misconfig (ESC1-8) | certipy find -vulnerable | ADCS misconfiguration |
| Kerberoasting → crack | hashcat -m 13100 | Cracked service account |
| AS-REP roasting → crack | hashcat -m 18200 | Cracked AS-REP |
| DCSync → hashes | secretsdump -just-dc | DCSync |
| LSASS / SAM dumping | secretsdump | Credential dump |
| GPP cpassword in SYSVOL | findstr cpassword | GPP password |
| DPAPI / vault looting | DPAPI decrypt | Vault loot |
| ACL path abuse (WriteDACL→DCSync) | grant rights | ACL escalation |
| RBCD / delegation → impersonate | Rubeus/impacket | Delegation escalation |
| NTLM relay → LDAP/ADCS (ESC8) → DA | ntlmrelayx + certipy | Relay to DA |
| ADCS ESC1 → cert as privileged user | certipy req | ADCS ESC1 |
| Privileged group membership add | add to DA group | Group-membership escalation |
| DA → Enterprise Admin (forest) | forest escalation | Enterprise Admin |
| Cross-trust / cross-forest escalation | trust abuse | Cross-forest escalation |
| Golden Ticket (krbtgt) | ticketer.py | Golden Ticket |
| Silver Ticket (service account) | silver ticket | Silver Ticket |
| Diamond / Sapphire ticket | advanced ticket | Diamond/Sapphire ticket |
| DCShadow | DCShadow | DCShadow persistence |
| Skeleton Key | skeleton key | Skeleton Key |
| DSRM password abuse | DSRM | DSRM backdoor |
| AdminSDHolder / SDProp backdoor | AdminSDHolder | AdminSDHolder persistence |
| Certificate-based persistence | steal CA / forge | Certificate persistence |
OP OPSEC (all phases)
Runs across every phase — the discipline that separates a red team from a noisy pentest.
⚑ Report as: “OPSEC: tooling tested, footprint minimal, attribution clean, activity logged”
🛡 Fix: From the blue side, the goal is to make these expensive: tamper-proof telemetry, behavioural detection, and deception (honey tokens/accounts) that trip OPSEC mistakes.
OPSEC checklist — full coverage
| Checklist item | How to run | Outcome |
|---|---|---|
| Tooling tested for detection (lab) | lab detonation | Evasion validated |
| Beacon sleep/jitter; no aggressive scans | tune C2 | Low-noise C2 |
| LOLBins over dropped binaries | prefer LOLBins | Reduced footprint |
| In-memory > on-disk | fileless | Disk hygiene |
| Cleanup plan per artifact | track artifacts | Cleanup readiness |
| No destructive action outside RoE | respect RoE | Scope discipline |
| Deconflict before IR-triggering action | deconflict | IR deconfliction |
| Log own activity (timestamps) | activity log | Purple-ready log |
| Attribution hygiene | isolated infra/creds | Attribution clean |
✓ Reporting & engagement-type map
The actual deliverable. A red team report's value is the attack narrative and detection gaps — and closing the loop with blue (purple debrief).
| Reporting item | How to do it | Deliverable |
|---|---|---|
| Executive narrative (recon→objective) | write story | Attack narrative |
| Attack-path diagram / kill-chain timeline | diagram | Kill-chain timeline |
| Each TTP mapped to ATT&CK ID | map TTPs | ATT&CK mapping |
| Detection gaps (what blue missed) | list gaps | Detection gaps |
| What blue DID catch (give credit) | note detections | Detection wins |
| Root-cause findings | analyse | Root causes |
| Prioritised remediation + strategy | recommend | Remediation plan |
| Cleanup confirmation | verify removal | Cleanup confirmed |
Engagement-type variations: external breaks the perimeter (§1–3 heavy); internal/AD assumes access and lives in §6–10 + AD; assumed-breach starts at §6; cloud red team pivots to the Cloud checklist; purple team runs TTPs deliberately with detection validation each step.
Core principle: red team success = demonstrating realistic business risk through an objective-driven attack chain, OPSEC-clean and in-scope. The report's value is the narrative + detection gaps, not isolated findings — always close with a purple debrief, because that's where defense actually improves.