The Art Of Adversarial Simulation
Apr 2016 - Updated Apr 2021
01: THE PURPOSE OF A RED TEAM IS TO BECOME THE ADVERSARY. TO BE THE WORST-CASE SCENARIO.
A Red Team exists to deliver end-to-end, realistic attack scenarios based on real adversaries or a clearly defined threat actor. Whether digital, physical, social, or combined, the goal is to operate using the same tactics, techniques, and procedures an actual adversary would use. That often means adapting in real time and inventing new methods as conditions change. By planning for worst cases, leadership gains clarity on real risk, and organizations can meaningfully test detection, response, and decision-making under pressure. The outcome should feel real, uncomfortable, and operationally relevant.
02: IF YOU DO NOT UNDERSTAND WHAT YOU ARE RED TEAMING, THE RESULTS WILL BE POOR.
Learning is not optional. You must immerse yourself in the environment you are attacking. That includes the industry, the language, the culture, and the unspoken assumptions of the organization. Technical skill alone is insufficient. Many engagements succeed or fail on small contextual details. Remain flexible, absorb information continuously, and adapt. If you do not learn, you will miss what matters.
03: RED TEAMING IS MOSTLY ABOUT PAYING ATTENTION.
Red Teaming is not just about attacking controls. It is an adversarial analysis of plans, operations, decisions, and policies. Like a real adversary, it identifies patterns, contradictions, and seams that create vulnerability. This requires openness and discipline. Do not discard information prematurely. Observe patterns, blend in, collect data, connect the dots, and only then decide. Attention is the force multiplier.
04: SECURITY FAILS MORE OFTEN BECAUSE OF WHAT IS DONE WRONG THAN BECAUSE OF WHAT IS DONE RIGHT.
Adversaries attack deliberately, not randomly. Even opportunistic attacks succeed because of weak planning or poor execution on the defender's side. Focus on the seams, where systems, teams, or controls intersect. That is where failure emerges. Work inward from those points. Do not blindly follow predefined attack paths. Connect weaknesses across the full attack surface. If a weakness looks obvious, question why it exists and who is watching.
05: IF YOU ARE HAPPY WITH YOUR PLAN, YOU ARE NOT DOING IT RIGHT.
The real world is fluid. Conditions change unexpectedly and constantly. A plan is not fixed. It is a starting point. Build contingencies for everything. Use PACE: Primary, Alternate, Contingency, Emergency. Treat the original plan as best case, not expected outcome. If you are comfortable, you are underprepared.
06: WE ARE NEVER PREPARED FOR WHAT WE EXPECT.
Plans fail. Batteries die. Credentials change. Access disappears. When this happens, pause and reassess the system as a whole. Determine whether friction is real or deliberately induced by defenders. Act deliberately, not emotionally. Think several steps ahead. The solution is often embedded in the problem itself. When uncertain, develop the situation.
07: IF YOU ARE NOT FAILING IN TRAINING, YOU ARE NOT LEARNING.
Training must induce stress. Failure during training builds resilience and exposes weak assumptions before they matter. Fail often, fail deliberately, and extract lessons. Incremental failure strengthens mindset, methods, and tools, and forges cohesion within the team.
08: EVERY SYSTEM HAS COUNTLESS VULNERABILITIES, MOST OF WHICH WILL NEVER BE FOUND.
Complex systems are often vulnerable to simple attacks. The obvious is frequently ignored. View the system holistically, from outside and inside. Insider risk is routinely underestimated. Focus on pressure points and overlaps: network boundaries, shared responsibilities, layered controls. Apply stress and observe fractures. This is where access emerges.
09: MAKE IT ASYMMETRICAL. STACK ADVANTAGE.
Success is about timing, positioning, and leverage. Do not fight your target on its terms. Operate small, fast, and lean. Stack advantages deliberately, then execute. Be ready to pivot without hesitation. Predictability is weakness.
10: DECEPTION OPERATIONS.
Deception is central to effective Red Teaming. Every engagement requires strategic intent: what belief the defenders must hold, and why. Define a clear objective and a measurable success condition, whether misallocation of resources, delayed response, or misplaced confidence. Construct a credible story that defenders can accept and reinforce themselves. Use signals, noise, and false flags to shape perception and decision-making. Apply adversary-aligned TTPs to maintain plausibility. Deception succeeds when defenders act in ways that benefit the operation without realizing they are being guided.
11: DO NOT BECOME PREDICTABLE.
Create something from nothing, or conceal real activity behind something obvious. Shape perception so defenders believe meaningful action is occurring where it is not, or that nothing is happening where it is. Use slow, visible operations to mask fast, quiet ones. Additionally, reinforce deception operations by varying timing, tooling, and behavior to avoid recognizable patterns. Formulas, recipes, and checklists create signatures. Predictability is detectable, and detection is failure.
12: BE EFFICIENT.
If something is not necessary, remove it. Keep it simple. Stay small and light. Use the simplest tools that achieve the objective. Limit exposure and personnel. Maintain the ability to pivot instantly when opportunity appears. Efficiency preserves freedom of movement.
13: DO NOT PLAY BY THE RULES. ADAPT AND CREATE YOUR OWN.
If the target cannot be attacked directly, attack what enables it to operate. Dependencies such as suppliers, service providers, platforms, and partners are often softer, less monitored, and operationally critical. Pressure on these forces a reaction, even without touching the core target. The objective is to shape defender behavior by creating urgency, distraction, and divided attention. Use the response to pull resources, bypass controls, and induce mistakes. Once the organization is reacting on your terms, shift back to the primary objective. Adversaries ignore boundaries, contracts, and rules. Red Teams should do the same.
14: USE A PROXY. DO NOT ATTACK DIRECTLY.
Whenever possible, operate through third parties. Let someone else create the effect. This introduces uncertainty and complicates attribution and response. Insiders are especially powerful vectors, but assume risk and verify trust. Proxies expand reach while reducing exposure.
15: IT IS ALL ABOUT THE CORRECT TARGET.
Identify the asset that enables detection, response, or resistance. Understand what gives the organization strength. Once identified, apply misdirection, misinformation, and doubt. Use distraction to isolate the real objective. Then execute decisively.
16: THE TARGET DICTATES THE WEAPON, AND THE WEAPON DICTATES MOVEMENT.
Tools and techniques are interchangeable. The target is not. Adapt to the environment you are operating in. The objective defines the method, and the method dictates movement, timing, and exposure. Rigid plans and preferred tools create friction and blind spots. Assess what will work under current conditions, adjust continuously, and move in a way that serves the objective, not the toolkit.
17: DISRUPT.
Disrupt normal operations to destabilize assumptions. Interfere with routines, invert expectations, and challenge standard responses. Create doubt and confusion. Resistance weakens when certainty disappears.
18: RED TEAMERS FIRST PLACE THEMSELVES BEYOND DETECTION AND DEFEAT.
Reconnaissance is non-negotiable. Understand the target’s capabilities, limitations, and response thresholds before committing to action. Identify what triggers detection, escalation, and containment. Build redundancy into access, tooling, and movement, with multiple paths in and out. Assume every method can fail. Reliance on a single approach creates a single point of failure, and single points of failure end operations.
19: DO NOT UNDERESTIMATE HUMAN FAILURE.
People are helpful by default and inattentive when they believe responsibility lies elsewhere. This creates opportunity. Exploit assumptions, trust, and procedural shortcuts. The human factor is often the fastest path in.
20: BEGIN NOTHING WITHOUT KNOWING HOW IT ENDS.
Every operation requires a defined end state. Success or failure, know how you will finish. Do not drift, and do not abandon operations halfway. Intent must survive contact with reality.